Vanguard - You'll need to sign up for security codes soon

HueyLD
Posts: 6214
Joined: Mon Jan 14, 2008 10:30 am

Re: Vanguard - You'll need to sign up for security codes soon

Post by HueyLD » Thu Sep 27, 2018 7:39 pm

On the same page about security code (after you log in), you will see an option for a security key.

I watched a VG webinar about a month ago and the webinar presenter said that one can purchase such a key for IIRC under $20 and have it activated. This hardware will allow you secured access without codes and without regard to national borders.

jclear
Posts: 106
Joined: Mon Aug 20, 2018 12:47 am

Re: Vanguard - You'll need to sign up for security codes soon

Post by jclear » Thu Sep 27, 2018 7:45 pm

Faith20879 wrote:
Thu Sep 27, 2018 12:31 pm
You are the second person (poster gamboolman above being the other) who ever mentioned such a maneuver. However the rep I talked with was adamant about "no such thing, not even temporarily". He won't even allow it just this time so I can log in to set to recognize my device.

Anyway, I gave my work # in order to finish what I needed to do today. I'll get on learning the Google Voice thing ASAP.
You make it sound like legitimate customers with no phone are locked out of their accounts. Meanwhile, anyone with a phone can access anyone's locked account if they can smooth talk customer service. Impressive security system, considering both my security inquiries to Vanguard customer service returned boilerplate replies that had nothing to do with my inquiries.

mptfan
Posts: 4714
Joined: Mon Mar 05, 2007 9:58 am

Re: Vanguard - You'll need to sign up for security codes soon

Post by mptfan » Thu Sep 27, 2018 8:03 pm

HueyLD wrote:
Thu Sep 27, 2018 7:39 pm
On the same page about security code (after you log in), you will see an option for a security key.

I watched a VG webinar about a month ago and the webinar presenter said that one can purchase such a key for IIRC under $20 and have it activated. This hardware will allow you secured access without codes and without regard to national borders.
This is a good option and a step in the right direction for Vanguard for making accounts more secure, but even if this is set up, someone can still access the account using the security code by text option by simply clicking "I don't have my key" and using the security codes. It would be better if they gave us the option of allowing access by using the security key only with no backup options.

Faith20879
Posts: 578
Joined: Fri Mar 02, 2007 10:16 am

Re: Vanguard - You'll need to sign up for security codes soon

Post by Faith20879 » Fri Sep 28, 2018 8:39 am

jclear wrote:
Thu Sep 27, 2018 7:45 pm
...You make it sound like legitimate customers with no phone are locked out of their accounts.
Sorry I gave you that impression. Let me explain it further. The rep insisted that I need to give a phone# to send the security code. I explained to him that neither home nor work number will suffice since I may be logging in from other places. I asked if an email can be used and that's when he said "no phone, no login."

Hope this clears things up a bit. I meant no harm to VG's reputation. I only wished they'd told me when they were rolling this out so I could've started learning about the Google Voice sooner.

Faith20879
Posts: 578
Joined: Fri Mar 02, 2007 10:16 am

Re: Vanguard - You'll need to sign up for security codes soon

Post by Faith20879 » Fri Sep 28, 2018 8:56 am

Church Lady wrote:
Thu Sep 27, 2018 7:08 pm

Hi Faith,
This is from the TOS for security codes:
...

So, you can call your rep and read this to him. Sorry they are giving you such a hassle. If I were told by a rep to take my business elsewhere, I'd be sorely tempted to complain about that rep. Just saying!
Hi Church Lady,

Thanks for the info and encouragement. I actually don't mind the extra layer of security. But, as a tech challenged person, this has been quite a wild ride.

Faith

SSSS
Posts: 1890
Joined: Fri Jun 18, 2010 11:50 am

Re: Vanguard - You'll need to sign up for security codes soon

Post by SSSS » Sat Sep 29, 2018 10:32 am

Does anybody else use Mint, and if so, any recent reports of how well it's handling the Vanguard security code situation? When I tried activating Vanguard security codes last year, it seemed to work with Mint... in theory you only have to give Mint one of the security codes and then it should be good going forward. In practice, I started getting Vanguard security codes texted to me at random times including in the middle of the night. Consequently I turned off Vanguard's security code feature, but now they seem to be making it mandatory so I'm a little concerned about what's going to happen when I turn it back on.

Doc
Posts: 8663
Joined: Sat Feb 24, 2007 1:10 pm
Location: Two left turns from Larry

Re: Vanguard - You'll need to sign up for security codes soon

Post by Doc » Sat Sep 29, 2018 10:37 am

SSSS wrote:
Sat Sep 29, 2018 10:32 am
Does anybody else use Mint, and if so, any recent reports of how well it's handling the Vanguard security code situation? When I tried activating Vanguard security codes last year, it seemed to work with Mint... in theory you only have to give Mint one of the security codes and then it should be good going forward. In practice, I started getting Vanguard security codes texted to me at random times including in the middle of the night. Consequently I turned off Vanguard's security code feature, but now they seem to be making it mandatory so I'm a little concerned about what's going to happen when I turn it back on.
I don't use mint but ...
Mint wrote:Login Issue with Vanguard Group Brokerage
Having trouble connecting your account in Mint? Please try to re-enter your login credentials and one-time passcode.

If the same issue persists even after that, we recommend you contact our Customer Support Team via email or chat so we can take a closer look at your accounts.
https://help.mint.com/Known-Issues/9072 ... kerage.htm
A scientist looks for THE answer to a problem, an engineer looks for AN answer and lawyers ONLY have opinions. Investing is not a science.

LadyGeek
Site Admin
Posts: 48546
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: Vanguard - You'll need to sign up for security codes soon

Post by LadyGeek » Thu Oct 04, 2018 9:59 pm

Hot off the press:

The 2018 Bogleheads Conference includes a visit to the Vanguard main campus. Vanguard appreciates this forum and values our opinions.

Before the presentation, senior level employees were available for the express purpose of obtaining our opinions. I was pleasantly surprised to have the department head for the Customer Experience team and 2 colleagues present. This is the group which designs / builds /tests the website.

I strongly :!: expressed my opinion on the lack of email as part of multifactor authentication. Everyone else is doing it, and they are losing customers because of this missing feature.

Someone else expressed a wish for them to turn off phone authentication when they have physical presence of a security key (device).

=======================
I also requested that the Customer Experience team incorporate the ability to rebalance your portfolio. See my post here: Re: 2018 Bogleheads Conference Notes
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

Faith20879
Posts: 578
Joined: Fri Mar 02, 2007 10:16 am

Re: Vanguard - You'll need to sign up for security codes soon

Post by Faith20879 » Fri Oct 05, 2018 9:35 am

LadyGeek wrote:
Thu Oct 04, 2018 9:59 pm
Hot off the press:
...
I strongly :!: expressed my opinion on the lack of email as part of multifactor authentication.
...
Thanks for speaking out, LadyGeek. I know you are tech advanced and hearing you say that means a lot to me.

The rep I talked with said the email is high risk and that VG will not consider adding it as an option. Knowing that I lack knowledge in this area I didn't pursue it further.

Gadget
Posts: 164
Joined: Fri Mar 17, 2017 1:38 pm

Re: Vanguard - You'll need to sign up for security codes soon

Post by Gadget » Fri Oct 05, 2018 12:40 pm

SSSS wrote:
Sat Sep 29, 2018 10:32 am
Does anybody else use Mint, and if so, any recent reports of how well it's handling the Vanguard security code situation? When I tried activating Vanguard security codes last year, it seemed to work with Mint... in theory you only have to give Mint one of the security codes and then it should be good going forward. In practice, I started getting Vanguard security codes texted to me at random times including in the middle of the night. Consequently I turned off Vanguard's security code feature, but now they seem to be making it mandatory so I'm a little concerned about what's going to happen when I turn it back on.
I signed up for 2 factor at Vanguard about a month ago. Both mint and personal capital have worked for me after getting the very first security code. I haven't had to get another code since. Knocks on wood...

LadyGeek
Site Admin
Posts: 48546
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: Vanguard - You'll need to sign up for security codes soon

Post by LadyGeek » Fri Oct 05, 2018 2:46 pm

Faith20879 wrote:
Fri Oct 05, 2018 9:35 am
LadyGeek wrote:
Thu Oct 04, 2018 9:59 pm
Hot off the press:
...
I strongly :!: expressed my opinion on the lack of email as part of multifactor authentication.
...
Thanks for speaking out, LadyGeek. I know you are tech advanced and hearing you say that means a lot to me.

The rep I talked with said the email is high risk and that VG will not consider adding it as an option. Knowing that I lack knowledge in this area I didn't pursue it further.
You need to draw a line between "security" and "convenience" - the two are mutually exclusive. The rep is not considering the "big picture" in that any login account you have - banks, forums :) , shopping, etc. will always have an "I forgot my password" option that goes back to an email address. Vanguard is missing on this perspective - they are excluding how the competition is handling this.

As long as you protect your email account with a strong password, you'll be fine. IOW, your email account should be the one that no one can hack.

The customer team took my opinions seriously. I just hope they follow through. I should also mention that another forum member was with me for moral support (feel free to post here if you want to provide another perspective).
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

BoxOfUpticks
Posts: 65
Joined: Sun Nov 24, 2013 12:19 pm

Re: Vanguard - You'll need to sign up for security codes soon

Post by BoxOfUpticks » Fri Oct 05, 2018 5:15 pm

Thanks for strongly expressing your opinion, LadyGeek!! I certainly hope they act upon it.

I also submitted feedback via the app expressing my very strong opinion on phone-only mfa. I also strongly recommended TOTP (time based one time password) that is built into some password managers. It certainly can't be the only mfa, but it should be allowed.


Does anyone else find it rather amusing that vanguard keeps pushing voice authentication that has been mimicked?
There are 10 kinds of people in the world: those that understand binary, and those that don't.

triceratop
Moderator
Posts: 5720
Joined: Tue Aug 04, 2015 8:20 pm
Location: la la land

Re: Vanguard - You'll need to sign up for security codes soon

Post by triceratop » Fri Oct 05, 2018 5:28 pm

I expect FIDO2 U2F-based security codes to be a brand new feature sometime next century? ;)

I trust my phone less than almost anything else.
"To play the stock market is to play musical chairs under the chord progression of a bid-ask spread."

LadyGeek
Site Admin
Posts: 48546
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: Vanguard - You'll need to sign up for security codes soon

Post by LadyGeek » Fri Oct 05, 2018 7:00 pm

^^^ That's an important point. The risk of losing your phone (or someone hijacking your number through SIM Hijacking) should be much higher than a compromised email account.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

GerryL
Posts: 1888
Joined: Fri Sep 20, 2013 11:40 pm

Re: Vanguard - You'll need to sign up for security codes soon

Post by GerryL » Fri Oct 05, 2018 8:20 pm

A note about lack of email support for authentication:
I spent September in France and while there realized I was unable to check some transactions in my Vanguard account because I swap out the SIM in my phone with a SIM that gives me a local number while I'm there. Email authentication would have worked.

rkhusky
Posts: 5702
Joined: Thu Aug 18, 2011 8:09 pm

Re: Vanguard - You'll need to sign up for security codes soon

Post by rkhusky » Fri Oct 05, 2018 9:04 pm

Faith20879 wrote:
Fri Sep 28, 2018 8:39 am
I only wished they'd told me when they were rolling this out so I could've started learning about the Google Voice sooner.
Before you go to a lot of effort with Google Voice, know that sites can detect and block the use of Google Voice. I recently encountered a site that required a cell phone - a landline was not even acceptable. The site also blocked the use of Google Voice. I took my business elsewhere.

In short, have you received confirmation that Vanguard's system is compatible with Google Voice?

One thing I appreciate about Vanguard's system is that they are using something other than cookies to recognize my computer, since I delete all cookies when I quit my browser. I've only had to get the code from Vanguard once. They are probably using some sort of browser fingerprinting algorithm, which has even been robust to upgrades to some changes in my browser. Perhaps they are using a canvas fingerprint, but I haven't installed the block for that to check.

Kevin M
Posts: 10189
Joined: Mon Jun 29, 2009 3:24 pm

Re: Vanguard - You'll need to sign up for security codes soon

Post by Kevin M » Sat Oct 06, 2018 2:00 pm

I also recall Google Voice not receiving text confirmation codes sometimes, while my cell phone did.

Kevin

evestor
Posts: 114
Joined: Sat Feb 21, 2015 5:37 pm

Re: Vanguard - You'll need to sign up for security codes soon

Post by evestor » Sat Oct 06, 2018 4:14 pm

In bullet point form and consolidated as much as I can, here is what I would do if I were in charge of Vanguard customer support / website, in the name of security. This is in priority order:
1) Allow user to go Yubikey *only* required across all internet-facing surface areas. Period full stop. As part of doing this, they will want to require 2 keys minimum on their account (just as Google does). They will also need to either support Yubikey on mobile or have a nice error msg on mobile saying sorry you can't use mobile because you are YK required (the latter is perfectly acceptable for those that opt in to it). Or there could be a web-assisted mobile app device trust step, where I log in to mobile and the web in parallel with my YK to signal mobile trust via shared code that I enter on mobile which I obtained via web. Finally, will need to think about how to do account recovery for these users. It should be a massively manual, slow and painful process. If it took order-weeks that would be fine. Hell I'd even take it requires flying to PA. Very high bar, very slow process. Again, this is for those that want it.
2) Attack the phone line problem. It is quite silly that anyone can call in to 1800-Vanguard and pretend to be me. I don't use this service. Turn it off. Literally if someone calls the 800 number and says they are me while trying to do a financial transaction, just loop the FBI digital crimes team in to the call. It's not me. It's never me.
3) We need a strong auth mechanism for when I talk to named reps @ Vanguard (ie my flagship rep or his delegate) via appointment. The current mechanism is quite weak. I would advise something stronger, like getting a key generated on the web when you use YK or (if mobile can be securely bootstrapped per idea above) something in the mobile app.
4) Contact info lockdown. I don't change it. Don't allow changing it on the web without a seriously large hurdle. Don't let employees change it. A 30 day cool-off period is a great step. Having my rep call me to second verify it with all of the bootstrapping I reference above is a great step too. Right now it sends notification on change but allows immediate change. This is not enough.
5) Outbound $ transfers need a much stronger protection. Adding a transfer target (ie new outbound transfer financial institution/account) should take an act of a higher power and have the same 30 day cooling off period with tons of notifications. Transfers out should be disable-able entirely (I literally never do this) and should have massive protection for the rare instance in the future when I do it (ie when in burn mode vs. current accumulation mode). This is the most scary financial transaction that a bad guy can do to me. Let me lock it down.
6) Strong bootstrapped notifications for everything. Every. Single. Thing. I want a notification via email and to my mobile device that has been bootstrapped per above for all of the things. No matter the thing, no matter the channel. All of the things.
7) I would give all of the above a fancy name to make people feel great about it. Like Vanguard Advanced Protection Program (ref: https://landing.google.com/advancedprotection/). A fancy name goes a long way.

I probably can come up with a better list with more time and a good brainstorming session w/Vanguard. But this is my off the cuff.
Feel free to share my direct contact info with Vanguard. I am happy to talk with them.
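
The controls in items 1, 4 and 5 of the list above, together with the "I don't have my key" fallback concern raised earlier in the thread, can be modelled as a small account policy. This is an added example, not part of any post and not Vanguard's implementation; the class, function and factor names are hypothetical, and the sample account and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

COOL_OFF = timedelta(days=30)   # cooling-off period proposed in items 4 and 5
MIN_KEYS_FOR_KEY_ONLY = 2       # item 1: at least two keys before key-only mode


@dataclass
class Account:
    security_keys: list = field(default_factory=list)    # labels of registered keys
    fallback_factors: set = field(default_factory=set)   # e.g. {"sms_code", "voice_call"}
    key_only: bool = False
    transfers_disabled: bool = False
    pending: dict = field(default_factory=dict)          # (kind, value) -> request time
    notifications: list = field(default_factory=list)


def enable_key_only(acct):
    """Opt in to key-only login; refuse if losing one key would lock the user out."""
    if len(acct.security_keys) < MIN_KEYS_FOR_KEY_ONLY:
        raise ValueError("key-only login needs at least two registered keys")
    acct.key_only = True


def accepted_factors(acct):
    """Second factors the login flow accepts. An account is only as strong as
    the weakest factor in this set, so fallbacks are dropped in key-only mode."""
    accepted = set()
    if acct.security_keys:
        accepted.add("security_key")
    if not acct.key_only:
        accepted |= acct.fallback_factors   # the "I don't have my key" path
    return accepted


def request_change(acct, kind, value, now):
    """Record a contact-info or transfer-target change: notify at once, apply later."""
    acct.pending[(kind, value)] = now
    for channel in ("email", "mobile"):
        acct.notifications.append((channel, kind, value, now))


def change_effective(acct, kind, value, now):
    """True only once the cooling-off period has fully elapsed."""
    requested = acct.pending.get((kind, value))
    return requested is not None and now - requested >= COOL_OFF


def transfer_allowed(acct, target, now):
    """Outbound transfers need an aged target and can be switched off entirely."""
    if acct.transfers_disabled:
        return False
    return change_effective(acct, "transfer_target", target, now)


def demo():
    # Constructed sample account: two keys plus the phone fallbacks.
    acct = Account(security_keys=["key-A", "key-B"],
                   fallback_factors={"sms_code", "voice_call"})
    before = accepted_factors(acct)
    enable_key_only(acct)
    after = accepted_factors(acct)
    t0 = datetime(2018, 10, 6)
    request_change(acct, "transfer_target", "bank-X", t0)
    return {
        "before": before,
        "after": after,
        "day_14": transfer_allowed(acct, "bank-X", t0 + timedelta(days=14)),
        "day_30": transfer_allowed(acct, "bank-X", t0 + timedelta(days=30)),
        "notified": len(acct.notifications),
    }


if __name__ == "__main__":
    print(demo())
```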

Faith20879
Posts: 578
Joined: Fri Mar 02, 2007 10:16 am

Re: Vanguard - You'll need to sign up for security codes soon

Post by Faith20879 » Mon Oct 08, 2018 9:43 am

rkhusky wrote:
Fri Oct 05, 2018 9:04 pm
....
Before you go to a lot of effort with Google Voice, know that sites can detect and block the use of Google Voice.
....
That is a very legit concern. Thanks for bringing it up.

Just to give a report on my progress here. I have gotten a GV number and entered it into my VG profile. However, because I also (without thinking, ugh...) activated "recognize my device" during the same login, I have not been able to test the 2FA via the GV number. Been scrambling for ways to "un-recognize" my device without much success.

3-20Characters
Posts: 84
Joined: Tue Jun 19, 2018 2:20 pm

Re: Vanguard - You'll need to sign up for security codes soon

Post by 3-20Characters » Mon Oct 08, 2018 10:03 am

Faith20879 wrote:
Mon Oct 08, 2018 9:43 am
rkhusky wrote:
Fri Oct 05, 2018 9:04 pm
....
Before you go to a lot of effort with Google Voice, know that sites can detect and block the use of Google Voice.
....
That is a very legit concern. Thanks for bringing it up.

Just to give a report on my progress here. I have gotten a GV number and entered it into my VG profile. However, because I also (without thinking, ugh...) activated "recognize my device" during the same login, I have not been able to test the 2FA via the GV number. Been scrambling for ways to "un-recognize" my device without much success.
Try logging in with a different browser.

mptfan
Posts: 4714
Joined: Mon Mar 05, 2007 9:58 am

Re: Vanguard - You'll need to sign up for security codes soon

Post by mptfan » Mon Oct 08, 2018 11:38 am

LadyGeek wrote:
Thu Oct 04, 2018 9:59 pm
Someone else expressed a wish for them to turn off phone authentication when they have physical presence of a security key (device).
I strongly second this. Having the option of using a physical security key (like yubikey) as a second form of authentication is a very secure option, but it is much less secure if you can default to phone authentication by someone who claims to not have the key. Having the option of getting a code by email while removing the phone or SMS text option is a much more secure backup method.
Last edited by mptfan on Thu Oct 11, 2018 7:31 am, edited 2 times in total.

staunchlydubious
Posts: 1
Joined: Mon Oct 08, 2018 5:36 pm

Re: Vanguard - You'll need to sign up for security codes soon

Post by staunchlydubious » Mon Oct 08, 2018 7:48 pm

Can anyone confirm that the new Yubico Security Key - U2F and FIDO2, USB-A, Two-Factor Authentication (2nd gen FIDO key) works with the Vanguard FIDO U2F deployment (1st gen FIDO)? The FIDO U2F (1st gen) keys are no longer available at Amazon or Yubico, and in today's conversation with a Vanguard associate (who was in turn conferring with an IT rep), I was told that they can't guarantee that the FIDO2 keys will work? On the other hand, an email response from Yubico support stated that "all of the Yubico devices that support FIDO2 also support U2F." I'd like to get some "boots on the ground" feedback before laying out $20 for the FIDO2 key.

Thanks, Mike

Faith20879
Posts: 578
Joined: Fri Mar 02, 2007 10:16 am

Re: Vanguard - You'll need to sign up for security codes soon

Post by Faith20879 » Tue Oct 09, 2018 12:46 pm

3-20Characters wrote:
Mon Oct 08, 2018 10:03 am
Try logging in with a different browser.
Thanks! Switched to a different browser and surely the 2FA screen came up. Was able to re-direct the security code to a GV # and got my transactions fulfilled. What a wonderful feeling! Thanks again.

However I am also aware that some posters reported their GV calls being blocked. I will continue to keep a close eye on the development and test it further when traveling, especially internationally.

3-20Characters
Posts: 84
Joined: Tue Jun 19, 2018 2:20 pm

Re: Vanguard - You'll need to sign up for security codes soon

Post by 3-20Characters » Tue Oct 09, 2018 1:03 pm

Faith20879 wrote:
Tue Oct 09, 2018 12:46 pm
3-20Characters wrote:
Mon Oct 08, 2018 10:03 am
Try logging in with a different browser.
Thanks! Switched to a different browser and surely the 2FA screen came up. Was able to re-direct the security code to a GV # and got my transactions fulfilled. What a wonderful feeling! Thanks again.

However I am also aware that some posters reported their GV calls being blocked. I will continue to keep a close eye on the development and test it further when traveling, especially internationally.
:beer

I read only one account here of a blocked GV # (actually it was the whole google account). Many other travelers reported no such problem. Could be a one off. If you’re worried about google blocking your account while traveling internationally, you can forward your GV messages to a non-Google email.

WanderingDoc
Posts: 1133
Joined: Sat Aug 05, 2017 8:21 pm

Re: Vanguard - You'll need to sign up for security codes soon

Post by WanderingDoc » Tue Oct 09, 2018 1:17 pm

Still same as before. No security codes needed.
Don't wait to buy real estate. Buy real estate, and wait. | Rent where you live, buy where others pay your mortgage for you.

Grasshopper
Posts: 913
Joined: Sat Oct 09, 2010 3:52 pm

Re: Vanguard - You'll need to sign up for security codes soon

Post by Grasshopper » Wed Oct 10, 2018 12:15 pm

staunchlydubious wrote:
Mon Oct 08, 2018 7:48 pm
Can anyone confirm that the new Yubico Security Key - U2F and FIDO2, USB-A, Two-Factor Authentication (2nd gen FIDO key) works with the Vanguard FIDO U2F deployment (1st gen FIDO)? The FIDO U2F (1st gen) keys are no longer available at Amazon or Yubico, and in today's conversation with a Vanguard associate (who was in turn conferring with an IT rep), I was told that they can't guarantee that the FIDO2 keys will work? On the other hand, an email response from Yubico support stated that "all of the Yubico devices that support FIDO2 also support U2F." I'd like to get some "boots on the ground" feedback before laying out $20 for the FIDO2 key.

Thanks, Mike
I have both the old and FIDO2 keys, both are registered with Vanguard and Google and both work on my Chromebooks with Chrome. YMMV

mptfan
Posts: 4714
Joined: Mon Mar 05, 2007 9:58 am

Re: Vanguard - You'll need to sign up for security codes soon

Post by mptfan » Wed Oct 10, 2018 1:06 pm

Grasshopper wrote:
Wed Oct 10, 2018 12:15 pm
I have both the old and FIDO2 keys, both are registered with Vanguard and Google and both work on my Chromebooks with Chrome. YMMV
Same here, I have a new FIDO2 key from yubikey and it worked with Chrome OS.

dratkinson
Posts: 4355
Joined: Thu Jul 26, 2007 6:23 pm
Location: Centennial CO

2FA security code can be waived. It was for me.

Post by dratkinson » Wed Oct 10, 2018 9:24 pm

(Read this page. Didn't read previous pages.)


Received Vanguard email saying monthly statement was ready.

Followed bookmarked URL to Vanguard statement webpage. (Old PC doesn't like Vanguard's new homepage or personal homepage.)

Statement webpage request intercepted by login screen. (As normal. Old PC likes Vanguard's login screen and statement page.)

After login, received request to set up security code access. (Old PC didn't support that page request. Dial-up connection doesn't support this. And I don't have a text-capable cell phone.)

Called Vanguard CSR. (Used voice verification; has worked well since setup many months ago. When voice menu prompt asked what I was calling about, I said "security code access".)

Explained to CSR: (1) I needed a workaround to download my statement, or (2) can Vanguard mail monthly statements. (I preferred the workaround.)

CSR said my situation qualified for a waiver. But!... with the waiver:
--I will not be able to make online updates to my home address information.
--I will not be able to make online updates to my linked bank accounts.


Those seemed to me to be reasonable restrictions to protect client accounts.

If I want to change my home address or linked banks, I must go through CSR* or use a Vanguard form. That seemed reasonable as I make all transactions by CSR anyway. (Old PC doesn’t like Vanguard’s new transaction screen.)

* In the past, CSR was able to delete a linked bank (I'd closed that account) and I received a transaction confirmation number for this CSR action. But I had to request a form to add a bank account.


Waiver was granted and I downloaded my statement as soon as I hung up the phone. (2FA security code sign-up screen did not reappear when I next accessed: bookmarked statement URL --> login request screen intercept --> statement page presented.)


After posting my monthly statement updates to my offline Excel investment-tracking workbook, had more time to think about Vanguard 2FA security code.

Called CSR back (again requested "security code access" at voice menu prompt, spoke to same CSR) and asked that Vanguard include the option to send security code by email.
--Explained that OTL (IRS freefile online tax s/w option) sends me emailed security code for 2FA.
--CSR said they had been getting many requests for an email option and would include my request.

Emailed security code should work for me if/when I get a new PC, but keep my dial-up connection.


Yea, I know. I may be the lowest (un)common denominator.
d.r.a, not dr.a. | I'm a novice investor, you are forewarned.

scoroi
Posts: 4
Joined: Tue Jun 13, 2017 9:18 am

Re: Vanguard - You'll need to sign up for security codes soon

Post by scoroi » Thu Nov 01, 2018 1:31 am

[Moved into the on-going discussion from: Vanguard's new security key option --admin LadyGeek. Post title was "Re: Vanguard's new security key option"]

The recommendation is:

0. Buy several (at least two) YubiKeys. Ideally from official Yubico website or Google Titan keys. Keep at least one key in a secure deposit (verify that the key works before storing).
1. Enable Google Advanced Protection Program (https://landing.google.com/advancedprotection/). This will require two YubiKeys and will not allow SMS/Phone 2FA or backup codes. Ideally this should be a separate email used only for financial/banking purposes. Ideally accessed only from a separate browser (profile).
2. Under the email account from step 1 create a Project Fi phone number, it will cost $20/month. Do not reveal this phone number to any other third parties or use it for any activities. This phone number should only be used as the Vanguard contact information.
3. In Vanguard change the default preferred method from SMS to phone (voice call).
4. Use a password manager that supports YubiKeys and record in it both password and secret questions/answers. Answers should be long random char strings (currently max allowed by Vanguard is 50 chars). Ideally the password manager does not store the data online like KeePassXC (make several copies of the password database). Keep a copy in secure deposit with the YubiKey from step 0.
5. Enable alerts for any type of change to Vanguard account on the specified email from step 1 and monitor regularly. Since no other messages should arrive at the email address it should be quite straight forward to monitor. Be suspicious if any spam or other mails arrive in email account set up in step 1.
6. Call/message Vanguard regularly to comply with NIST recommendation. They should allow the option to remove any VOIP/SMS/phone carrier recovery mechanism, similar to Google Advanced Protection Program. This will spare the $20/month Project Fi expense from step 2.

Best of luck.

Doom&Gloom
Posts: 2288
Joined: Thu May 08, 2014 3:36 pm

Re: Vanguard - You'll need to sign up for security codes soon

Post by Doom&Gloom » Thu Nov 01, 2018 4:45 pm

scoroi wrote:
Thu Nov 01, 2018 1:31 am
[Moved into the on-going discussion from: Vanguard's new security key option --admin LadyGeek. Post title was "Re: Vanguard's new security key option"]

The recommendation is:

0. Buy several (at least two) YubiKeys. Ideally from official Yubico website or Google Titan keys. Keep at least one key in a secure deposit (verify that the key works before storing).
1. Enable Google Advanced Protection Program (https://landing.google.com/advancedprotection/). This will require two YubiKeys and will not allow SMS/Phone 2FA or backup codes. Ideally this should be a separate email used only for financial/banking purposes. Ideally accessed only from a separate browser (profile).
2. Under the email account from step 1 create a Project Fi phone number, it will cost $20/month. Do not reveal this phone number to any other third parties or use it for any activities. This phone number should only be used as the Vanguard contact information.
3. In Vanguard change the default preferred method from SMS to phone (voice call).
4. Use a password manager that supports YubiKeys and record in it both password and secret questions/answers. Answers should be long random char strings (currently max allowed by Vanguard is 50 chars). Ideally the password manager does not store the data online like KeePassXC (make several copies of the password database). Keep a copy in secure deposit with the YubiKey from step 0.
5. Enable alerts for any type of change to Vanguard account on the specified email from step 1 and monitor regularly. Since no other messages should arrive at the email address it should be quite straight forward to monitor. Be suspicious if any spam or other mails arrive in email account set up in step 1.
6. Call/message Vanguard regularly to comply with NIST recommendation. They should allow the option to remove any VOIP/SMS/phone carrier recovery mechanism, similar to Google Advanced Protection Program. This will spare the $20/month Project Fi expense from step 2.

Best of luck.
It seems as if you have been a member of this forum for over a year and this is your first post. Welcome. I commend you for your patience.

But good grief! I only want to be able to keep my financial accounts secure and have convenient access to them--not safeguard the nuclear codes.

scoroi
Posts: 4
Joined: Tue Jun 13, 2017 9:18 am

Re: Vanguard - You'll need to sign up for security codes soon

Post by scoroi » Sun Nov 04, 2018 11:19 am

Thank you for the welcome.
I wish we did not have to resort to such measures but the systems have been designed with almost no security characteristics from the beginning.

TravelGeek
Posts: 2362
Joined: Sat Oct 25, 2014 3:23 pm

Re: Vanguard - You'll need to sign up for security codes soon

Post by TravelGeek » Mon Nov 05, 2018 5:25 pm

scoroi wrote:
Thu Nov 01, 2018 1:31 am

2. Under the email account from step 1 create a Project Fi phone number, it will cost $20/month. Do not reveal this phone number to any other third parties or use it for any activities. This phone number should only be used as the Vanguard contact information.
Can you elaborate on why a Project Fi number (vs Google Voice, which is free)?

scoroi
Posts: 4
Joined: Tue Jun 13, 2017 9:18 am

Re: Vanguard - You'll need to sign up for security codes soon

Post by scoroi » Thu Nov 08, 2018 3:48 am

Can you elaborate on why a Project Fi number (vs Google Voice, which is free)?
Google Voice is free and provides no direct phone support contact number. In addition the numbers are highly recycled and thus may cause unnecessary suspicious concerns. The purpose is to have a number that is only configured with Vanguard (financial institution) that has no ties to real identity.
In case Google Voice is set up then the recommendation is to NOT forward the phone call to your real phone number because the real phone number can be spoofed and there will be no benefit from Google Voice that will serve just as an intermediary to the vulnerable real number anyway.
