mggray17 wrote: ↑Tue Nov 07, 2017 10:35 am
Brian 2016 wrote: ↑Mon Oct 02, 2017 4:21 pm
Thanks to the folks who posted this information about Vanguard's new security key, I went ahead and ordered the Yubico USB Security Key (FIDO U2F) and now have it working with my Vanguard accounts. Thanks again for the tip!!!
Brian
Where did you find instructions for this? I bought the Yubikey FIDO U2F key a while ago and when trying to set up with Vanguard, I couldn't get it to respond. I assumed at the time I needed to upgrade to Yubikey 4 or equivalent.
NVM. Just tried again and it was flawless. I think Vanguard updated the system since I last tried.
Vanguard's new security key option
Re: Vanguard's new security key option
siamond wrote: ↑Tue Nov 07, 2017 10:37 am
Vulcan wrote: ↑Sun Nov 05, 2017 1:17 pm
TravelGeek wrote: ↑Sun Nov 05, 2017 12:47 pm
I have been thinking of switching my SMS backup (when I get my Yubico key) to my Google Voice number, which I don't really use for anything else.
That is what I do for all SMS-based 2FA setups. I get the message in Hangouts and an email copy to my Google account. Since the Google account is protected by 2FA as well, this makes the entire setup very secure.
This seems very clever. Plus one can use a Yubikey to protect their Google Account (which I do, including gmail).
In fact, since I consider my Google account to be both very secure and the key to my kingdom, I am perfectly fine with email-based second factor as well.
Ah wait a minute...
- this implies to NOT redirect voice calls and text messages from Google Voice to your primary cell phone though. Otherwise, if your cell phone is compromised, you're back to square 1, right?
- but... I also have access to my e-mail on my cell phone (and I am not going to give up such convenience). So we should NOT auto-forward ANYTHING from Google Voice with that logic. Hm, this is getting clunky. Am I missing something?
My phone is protected by fingerprint login.
Besides, it's not enough to steal my phone and get the second factor compromised - you still have to know the password, which is the first factor, and it's not on the phone (well, not in plain text anyway ;).
If you torture the data long enough, it will confess to anything. ~Ronald Coase
Re: Vanguard's new security key option
siamond wrote: ↑Tue Nov 07, 2017 10:37 am
Ah wait a minute...
- this implies to NOT redirect voice calls and text messages from Google Voice to your primary cell phone though. Otherwise, if your cell phone is compromised, you're back to square 1, right?
- but... I also have access to my e-mail on my cell phone (and I am not going to give up such convenience). So we should NOT auto-forward ANYTHING from Google Voice with that logic. Hm, this is getting clunky. Am I missing something?
I thought the concern with Vanguard using SMS wasn't so much that the phone could be stolen (that's true for other 2FA devices as well), but rather that the SMS system itself is inherently insecure (social engineering and other attack vectors). E.g.,
https://www.wired.com/2016/06/hey-stop- ... ntication/
A lot of people know my mobile number. You could probably google it if you knew my name.
My Google Voice number is not printed on any business card or otherwise used. I signed up for it a long time ago, but never really found a use case. So it's basically a private number only Google and I know. Which means it should provide a bit more protection for SMS-specific attacks. (I know, security through obscurity... definitely not perfect)
Re: Vanguard's new security key option
Sorry if I'm slow, but I don't understand why you want to use Google Voice then? What makes this choice more secure than the regular 2FA with your phone?
(To answer TravelGeek's post as well: the issue some people have with Vanguard is that a regular 2FA system is kind of weak, notably if a smartphone is compromised, and the addition of the Yubikey as a separate stronger factor can be somewhat defeated by the procedure used when such a key is -claimed to be- lost, i.e. back to the regular 2FA. Also most 2FA systems do NOT ask you for a phone number, they send the message to a preconfigured number.)
Re: Vanguard's new security key option
Are there 2FA systems that ask you where to send the code? (and if so, hopefully they don't just accept any random number...)
Most I have seen will send to a preconfigured number (on your account) and perhaps show the last couple of digits so you know where the text will go.
So as a hacker you need to get hold of the message, either by stealing the phone and breaking the lock protection (which even the FBI has problems with) or by making the SMS network send it to YOUR phone instead of mine. Social engineering or other mechanisms exist.
https://www.wired.com/2017/05/fix-ss7-t ... -accounts/
So I don't want to have the Vanguard 2FA code sent to my real cell number (that is widely known), but rather to a number that is "obscure". Not perfect, but adds some protection. And as Vulcan said, the hacker also needs my password.
Nevertheless, we should all send complaints to Vanguard that they are violating NIST recommendations with their 2FA implementation.
Re: Vanguard's new security key option
This
SO HEY YOU SHOULD STOP USING TEXTS FOR TWO-FACTOR AUTHENTICATION
https://www.wired.com/2016/06/hey-stop- ... ntication/
If you torture the data long enough, it will confess to anything. ~Ronald Coase
Re: Vanguard's new security key option
TravelGeek wrote: ↑Tue Nov 07, 2017 6:41 pm
Are there 2FA systems that ask you where to send the code? (and if so, hopefully they don't just accept any random number...)
I've seen 2FA systems asking you for the full phone number, and THEN checking that it is indeed a preconfigured number. I thought this was what you were alluding to with the attempt to 'obscure' the knowledge of the phone number. But I misunderstood, the issue is the hacking of the SMS system itself, as Vulcan's pointer explained. Ok, now I understand where you guys are coming from, thanks for the explanation.
Still, this Google Voice approach is much less convincing than I thought at first glance. If your phone is compromised, you're toast, Google Voice or not. Maybe that is the key reason to get an iPhone X, if this face recognition system proves itself better than previous systems (I read multiple times that the fingerprint technique isn't terribly difficult to defeat). Time will tell.
Re: Vanguard's new security key option
For SMS-based 2FA, the weakness is not your phone, but the carrier. Attackers can foil (and have foiled) SMS-based 2FA by doing the following:
- Calling up the wireless carrier and pretending to be the account holder
- Claiming need to replace SIM / device
- Deactivating current (your) device
- Replacing with new (their) device
- Now the SMS goes to them not you
This weakness is well known. Here's a reference: http://www.securityweek.com/nist-denoun ... ternatives
Bottom line is that SMS-based 2FA is better than no 2FA. But, it's not strong enough. Google Auth or Yubikey-based 2FA is much better. Yubikey unfortunately is a desktop only approach, so I personally use Google Auth whenever it's an option. You don't actually have to use the Google Authenticator app, I use 1Password and it supports the Google Auth standard very well and conveniently.
Re: Vanguard's new security key option
siamond wrote: ↑Tue Nov 07, 2017 9:39 pm
TravelGeek wrote: ↑Tue Nov 07, 2017 6:41 pm
Are there 2FA systems that ask you where to send the code? (and if so, hopefully they don't just accept any random number...)
I've seen 2FA systems asking you for the full phone number, and THEN checking that it is indeed a preconfigured number. I thought this was what you were alluding to with the attempt to 'obscure' the knowledge of the phone number. But I misunderstood, the issue is the hacking of the SMS system itself, as Vulcan's pointer explained. Ok, now I understand where you guys are coming from, thanks for the explanation.
Still, this Google Voice approach is much less convincing than I thought at first glance. If your phone is compromised, you're toast, Google Voice or not.
How so? The problem with SMS is it can be relatively easy to steal your number by porting it out. It is harder to do with a Google Voice number.
Realistically though, for most people 2FA with SMS is still way better than 1FA, and really is safe enough.
If you torture the data long enough, it will confess to anything. ~Ronald Coase
- abuss368
Re: Vanguard's new security key option
This is interesting.
John C. Bogle: “Simplicity is the master key to financial success."
Re: Vanguard's new security key option
Sharing passwords voids the reimbursement pledge, since one of your responsibilities is:
https://personal.vanguard.com/us/help/S ... ontent.jsp
Never share your user name, password, or other account-related information with anyone.
But perhaps sharing with your spouse would only void it if the sharing was a factor in the fraud. One can only hope.
Re: Vanguard's new security key option
I won't admit here to ever sharing my credentials with my spouse, but once I learned from this forum that you can grant access to certain features of your account to other users, this is what I did. Much easier to keep an eye on my wife's accounts by having them simply appear within mine than having to log in twice.
Re: Vanguard's new security key option
Fintechnick wrote: ↑Tue Nov 07, 2017 9:52 pm
For SMS-based 2FA, the weakness is not your phone, but the carrier. Attackers can foil (and have foiled) SMS-based 2FA by doing the following:
- Calling up the wireless carrier and pretending to be the account holder
- Claiming need to replace SIM / device
- Deactivating current (your) device
- Replacing with new (their) device
- Now the SMS goes to them not you
This weakness is well known. Here's a reference: http://www.securityweek.com/nist-denoun ... ternatives
Bottom line is that SMS-based 2FA is better than no 2FA. But, it's not strong enough. Google Auth or Yubikey-based 2FA is much better. Yubikey unfortunately is a desktop only approach, so I personally use Google Auth whenever it's an option. You don't actually have to use the Google Authenticator app, I use 1Password and it supports the Google Auth standard very well and conveniently.
The above is commonly referred to as "social engineering". In order to foil such attempts, I changed all of my security question answers on all accounts to gibberish, enacted personal PINs and identity codes, and locked down my dedicated financial-accounts gmail (which financial accounts, including my phone carrier, use for recovery) through use of a Yubikey. The financial-accounts gmail has no phone number attached, only password, authenticator and printed-out security codes as backup.
Re: Vanguard's new security key option
TravelGeek wrote: ↑Wed Nov 08, 2017 10:52 am
I won't admit here to ever sharing my credentials with my spouse, but once I learned from this forum that you can grant access to certain features of your account to other users, this is what I did. Much easier to keep an eye on my wife's accounts by having them simply appear within mine than having to log in twice.
Ah cool. Didn't know that. Just enabled it. Very convenient. Doesn't work for a 403b, though.
Re: Vanguard's new security key option
Fintechnick wrote: ↑Tue Nov 07, 2017 9:52 pm
Yubikey unfortunately is a desktop only approach, so I personally use Google Auth whenever it's an option.
Yubico does have a device for mobile devices, the YubiKey NEO.
https://www.yubico.com/solutions/yubikey-for-mobile/
Re: Vanguard's new security key option
Bookmarked.
Re: Vanguard's new security key option
Is using a Yubikey the only other alternative to having Vanguard send a code to your phone via SMS? Is it also possible to use Authy or Google Authenticator?
Re: Vanguard's new security key option
Brian 2016 wrote: ↑Mon Oct 02, 2017 4:21 pm
Thanks to the folks who posted this information about Vanguard's new security key, I went ahead and ordered the Yubico USB Security Key (FIDO U2F) and now have it working with my Vanguard accounts. Thanks again for the tip!!!
Brian
Update: I also bought one, and it works fine, even on Linux. It's a NEO, haven't yet tried it with my mobile devices.
Re: Vanguard's new security key option
The security key sounds like something that might be worth buying and using for security on the VG account. Along this same thread, I have recently read that it may be prudent to invest in a computer that would be used solely for investment and banking purposes. The article has convinced me that it certainly may be a wise decision if it is not too expensive. This computer would remain unused and off-line except for these particular purposes. The most cost-efficient approach would seem to be a Chrome OS (Chromebook) solution. The only issue I have found so far is that it is difficult to print directly from the Chromebook and it necessitates printing from the Google cloud, which may pose a separate set of risks.
Has anyone taken the separate computer approach? Is the security key function in addition to the sms text? Thanks
Re: Vanguard's new security key option
New member scoroi has a post which I've moved into the on-going discussion. See: Re: Vanguard - You'll need to sign up for security codes soon
This discussion has been superseded by Vanguard - You'll need to sign up for security codes soon.
(Thread locked to redirect the discussion.)