Vanguard 2-factor authentication becoming mandatory and available for non-US

Topic Author
asset_chaos
Posts: 1837
Joined: Tue Feb 27, 2007 6:13 pm
Location: Melbourne

Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by asset_chaos »

The spouse got an email today from Vanguard saying to sign up for security codes by June 15:
For now, you'll still be able to log on to your account without a security code, but you'll need to sign up by June 15, 2020.
I've resisted 2-factor till now because we live abroad and they wouldn't send codes to non-US phone numbers or to email, which meant 2-factor would effectively lock us out of our accounts. But now Vanguard says,
If you live outside the U.S. and have an international phone number, you can receive security codes via text.* *Note: The delivery of security code text messages or automated calls may not be available to your phone number depending on your location.
And the sign-up page has a dropdown menu with lots of country code dialing prefixes. So she signed up, tested receiving a code, and that all works. I don't think the minimal extra security is worth the extra hassle, but I'm not fussed as long as we can actually use the system.

I haven't yet gotten an email for my accounts, but I suppose that's coming soon.
Regards, | | Guy
HawkeyePierce
Posts: 1493
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by HawkeyePierce »

Good for Vanguard. :beer

2FA isn't "minimal" extra security, properly implemented it eliminates phishing attacks: https://security.googleblog.com/2019/05 ... basic.html

Now if Vanguard will just let customers use *only* Yubikeys without the phone fallback.
absolute zero
Posts: 515
Joined: Thu Dec 29, 2016 4:59 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by absolute zero »

HawkeyePierce wrote: Wed Apr 29, 2020 10:08 pm Good for Vanguard. :beer

2FA isn't "minimal" extra security, properly implemented it eliminates phishing attacks: https://security.googleblog.com/2019/05 ... basic.html

Now if Vanguard will just let customers use *only* Yubikeys without the phone fallback.
It's been a couple of years, but I remember reading about that on Vanguard's website. The “phone fallback” made yubikey usage pretty much pointless. Left me scratching my head.

My vote is for Vanguard to get onboard with 2FA Authenticator apps. Last I checked they did not offer this as an option.
Dominic
Posts: 409
Joined: Sat Jul 02, 2016 11:36 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by Dominic »

absolute zero wrote: Wed Apr 29, 2020 11:00 pm
HawkeyePierce wrote: Wed Apr 29, 2020 10:08 pm Good for Vanguard. :beer

2FA isn't "minimal" extra security, properly implemented it eliminates phishing attacks: https://security.googleblog.com/2019/05 ... basic.html

Now if Vanguard will just let customers use *only* Yubikeys without the phone fallback.
It's been a couple of years, but I remember reading about that on Vanguard's website. The “phone fallback” made yubikey usage pretty much pointless. Left me scratching my head.

My vote is for Vanguard to get onboard with 2FA Authenticator apps. Last I checked they did not offer this as an option.
I don't think any financial institution I use offers app-based 2FA. I personally find this horrifying.
HawkeyePierce
Posts: 1493
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by HawkeyePierce »

Dominic wrote: Wed Apr 29, 2020 11:08 pm
absolute zero wrote: Wed Apr 29, 2020 11:00 pm
HawkeyePierce wrote: Wed Apr 29, 2020 10:08 pm Good for Vanguard. :beer

2FA isn't "minimal" extra security, properly implemented it eliminates phishing attacks: https://security.googleblog.com/2019/05 ... basic.html

Now if Vanguard will just let customers use *only* Yubikeys without the phone fallback.
It's been a couple of years, but I remember reading about that on Vanguard's website. The “phone fallback” made yubikey usage pretty much pointless. Left me scratching my head.

My vote is for Vanguard to get onboard with 2FA Authenticator apps. Last I checked they did not offer this as an option.
I don't think any financial institution I use offers app-based 2FA. I personally find this horrifying.
Schwab and M1 Finance both offer app-based 2FA.
occambogle
Posts: 527
Joined: Thu Dec 12, 2019 4:58 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by occambogle »

I had to get exempted manually from their 2FA because of my international phone number. That's good if they are allowing it now, but VG is so unfriendly to any international aspects generally that I'm inclined to stay without it; I don't trust them not to mess something up and get me locked out. I much prefer app-based 2FA... especially if you travel and have to swap SIM cards frequently.
HawkeyePierce
Posts: 1493
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by HawkeyePierce »

occambogle wrote: Thu Apr 30, 2020 2:58 am I had to get exempted manually from their 2FA because of my international phone number. That's good if they are allowing it now, but VG is so unfriendly to any international aspects generally that I'm inclined to stay without it; I don't trust them not to mess something up and get me locked out. I much prefer app-based 2FA... especially if you travel and have to swap SIM cards frequently.
Just use a Google Voice number. A locked-down Google account is an extremely difficult target for an attacker and this is much more secure than sending 2FA codes to a SIM-based number anyways.

https://landing.google.com/advancedprotection/
bobsled_bob
Posts: 1
Joined: Sat Feb 15, 2014 12:48 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by bobsled_bob »

Yes, Yubikey as primary, option to turn off SMS, and have app based OTP as backup would be ideal for me. Bought a nice Yubikey a while back primarily for Vanguard. Then noticed you could not stop SMS. Bummer.
occambogle
Posts: 527
Joined: Thu Dec 12, 2019 4:58 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by occambogle »

HawkeyePierce wrote: Thu Apr 30, 2020 1:26 pm Just use a Google Voice number. A locked-down Google account is an extremely difficult target for an attacker and this is much more secure than sending 2FA codes to a SIM-based number anyways.
But you need a real US number to link to/verify when creating a Google Voice account. There are somewhat complicated ways around that, but GV just starts to get complicated when permanently not in the U.S. App-based 2FA is so much more flexible.
Faith20879
Posts: 763
Joined: Fri Mar 02, 2007 10:16 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by Faith20879 »

occambogle wrote: Fri May 01, 2020 1:22 am App-based 2FA is so much more flexible.
Could you please help this non-tech savvy person get educated? What is an App-based 2FA?

I am a PC user. My knowledge about 2FA sign-in at VG is limited to these steps: open the browser, click vanguard.com, a voice code is sent to my home phone, enter the code into the box that's waiting, then I am in.

How do I use an App-based 2FA on a pc? I assume I'll have to first download the VG app to my pc? What happens after I click on the app?

Thanks!
absolute zero
Posts: 515
Joined: Thu Dec 29, 2016 4:59 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by absolute zero »

bobsled_bob wrote: Thu Apr 30, 2020 3:10 pm Yes, Yubikey as primary, option to turn off SMS, and have app based OTP as backup would be ideal for me. Bought a nice Yubikey a while back primarily for Vanguard. Then noticed you could not stop SMS. Bummer.
Yeah it just doesn’t make sense. It’s like installing some state of the art locks on the front and back doors of your house, but leaving all your windows unlocked 24/7.
Ged
Posts: 3923
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by Ged »

HawkeyePierce wrote: Thu Apr 30, 2020 12:00 am Schwab and M1 Finance both offer app-based 2FA.
As does Fidelity.
MathWizard
Posts: 4346
Joined: Tue Jul 26, 2011 1:35 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by MathWizard »

Faith20879 wrote: Fri May 01, 2020 12:02 pm
occambogle wrote: Fri May 01, 2020 1:22 am App-based 2FA is so much more flexible.
Could you please help this non-tech savvy person get educated? What is an App-based 2FA?

I am a PC user. My knowledge about 2FA signin at VG is limited to these steps: open the browser, click vanguard.com, a voice code sent to my home phone, enter the code into the box that's waiting, then I am in.

How do I use an App-based 2FA on a pc? I assume I'll have to first download the VG app to my pc? What happens after I click on the app?

Thanks!
Google Authenticator or Authy are two types of (free) One-Time Time-Based Passcodes (OTTP). You can download these on your phone from the Apple App Store or the Google Play store.

These are initialized with a key that you are sent (often a QR code that you can import into the app with a bar code scanner via your phone's camera).
Once initialized, the app will generate a new 6-digit random number every 30 seconds. You will type that in like a second password, and Vanguard will check that this is the correct code for that 30 seconds. Think of it like the old password for the day in the military, only instead of lasting a day, it lasts 30 seconds.

These will also be one-time use, so if you enter this code and mess up your password, wait for a new code to be generated. This prevents a hacker from grabbing your passcode and using it in a second login, or trying the passcode multiple times before it changes.

If you don't have a smartphone, Google Chrome has an Authy plugin. The phone app is preferable, because it is a completely separate device.
bhj
Posts: 8
Joined: Sat Mar 05, 2016 10:12 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by bhj »

Dominic wrote: Wed Apr 29, 2020 11:08 pm
absolute zero wrote: Wed Apr 29, 2020 11:00 pm
HawkeyePierce wrote: Wed Apr 29, 2020 10:08 pm Good for Vanguard. :beer

2FA isn't "minimal" extra security, properly implemented it eliminates phishing attacks: https://security.googleblog.com/2019/05 ... basic.html

Now if Vanguard will just let customers use *only* Yubikeys without the phone fallback.
It's been a couple of years, but I remember reading about that on Vanguard's website. The “phone fallback” made yubikey usage pretty much pointless. Left me scratching my head.

My vote is for Vanguard to get onboard with 2FA Authenticator apps. Last I checked they did not offer this as an option.
I don't think any financial institution I use offers app-based 2FA. I personally find this horrifying.
If you find it horrifying, maybe you should be running away from them. :wink:

This site may help you confirm the status of yours or find less-horrifying institutions. https://twofactorauth.org/
Faith20879
Posts: 763
Joined: Fri Mar 02, 2007 10:16 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by Faith20879 »

MathWizard wrote: Fri May 01, 2020 1:22 pm ...These are initialized with a key that you are sent (often a QR code that you can import into the app with a bar code scanner via your phone's camera)
Once initialized, the app will ...
Hoah, this part is a bit over my head. Thank you for the info thou. I will have to chew on it for a few days.
MathWizard
Posts: 4346
Joined: Tue Jul 26, 2011 1:35 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by MathWizard »

Faith20879 wrote: Fri May 01, 2020 2:23 pm
MathWizard wrote: Fri May 01, 2020 1:22 pm ...These are initialized with a key that you are sent (often a QR code that you can import into the app with a bar code scanner via your phone's camera)
Once initialized, the app will ...
Hoah, this part is a bit over my head. Thank you for the info thou. I will have to chew on it for a few days.
A QR code is just a two-dimensional version of the bar codes that they scan at the supermarket.

You also get a 20- to 30-character alphanumeric string that you can type in to initialize the app; scanning the QR code is easier for me, but you could just type it in.

Everybody has to have a different initializing string of characters, just like you need a different key for every house.

My apologies if the explanation was too techy. I consult in the tech field.
IndexCore
Posts: 159
Joined: Wed Mar 25, 2020 1:44 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by IndexCore »

In the years I've owned a Google Voice number, I've been happy with it. Banks, Vanguard, etc... all work with Google Voice without a hitch. It cost me $20 and a two step process to migrate a home phone number, but no costs since. For those planning to move abroad, it might be worth $20 to push your existing phone number into a Google Voice account for later use.

Speaking of international, I did hit problems using Google Voice with Interactive Brokers (IB). IB has phone numbers around the world, so they can send a local text message to your cell phone, which works. At some point I plan to figure out what went wrong for me with Google Voice and Interactive Brokers.
ftobin
Posts: 1062
Joined: Fri Mar 20, 2009 3:28 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by ftobin »

IndexCore wrote: Fri May 01, 2020 8:33 pm At some point I plan to figure out what went wrong for me with Google Voice and Interactive Brokers.
Venmo also has this problem, and Facebook did too at one point. From what I've noticed, these providers are using a service that classifies GV numbers as landlines, which would suggest they can't receive SMS.
occambogle
Posts: 527
Joined: Thu Dec 12, 2019 4:58 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by occambogle »

IndexCore wrote: Fri May 01, 2020 8:33 pm Speaking of international, I did hit problems using Google Voice with Interactive Brokers (IB). IB has phone numbers around the world, so they can send a local text message to your cell phone, which works. At some point I plan to figure out what went wrong for me with Google Voice and Interactive Brokers.
With IB you don't need to receive texts; instead you can use their mobile app for 2FA, e.g. fingerprint on iPhone. Works great internationally. In any case they send texts to international numbers.
Vulcan
Posts: 1330
Joined: Sat Apr 05, 2014 11:43 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by Vulcan »

absolute zero wrote: Wed Apr 29, 2020 11:00 pm
HawkeyePierce wrote: Wed Apr 29, 2020 10:08 pm Good for Vanguard. :beer

2FA isn't "minimal" extra security, properly implemented it eliminates phishing attacks: https://security.googleblog.com/2019/05 ... basic.html

Now if Vanguard will just let customers use *only* Yubikeys without the phone fallback.
It's been a couple of years, but I remember reading about that on Vanguard's website. The “phone fallback” made yubikey usage pretty much pointless. Left me scratching my head.

My vote is for Vanguard to get onboard with 2FA Authenticator apps. Last I checked they did not offer this as an option.
Sign up for Google Voice
If you torture the data long enough, it will confess to anything. ~Ronald Coase
HawkeyePierce
Posts: 1493
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by HawkeyePierce »

ftobin wrote: Fri May 01, 2020 10:45 pm
IndexCore wrote: Fri May 01, 2020 8:33 pm At some point I plan to figure out what went wrong for me with Google Voice and Interactive Brokers.
Venmo also has this problem, and Facebook did too at one point. From what I've noticed, these providers are using a service that classifies GV numbers as landlines, which would suggest they can't receive SMS.
It's not that they're necessarily classified as landlines. Some companies blacklist different telcos for anti-spam/abuse reasons. I've integrated with some of those systems in my work. The vast vast majority of companies sending SMS for 2FA outsource that part of the operation to a company like Twilio or Cisco or Avaya and may not even realize they've enabled such a blacklist. Google Voice is sometimes on those blacklists depending on the operator in question.

(My employer is the largest sender of SMS on the planet... we've thought about this a lot)
Turbo29
Posts: 868
Joined: Tue May 01, 2018 7:12 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by Turbo29 »

Ged wrote: Fri May 01, 2020 12:17 pm
HawkeyePierce wrote: Thu Apr 30, 2020 12:00 am Schwab and M1 Finance both offer app-based 2FA.
As does Fidelity.
So does E*trade.
It is by the goodness of God that in our country we have those three unspeakably precious things: freedom of speech, freedom of conscience, and the prudence never to practice either of them. --M. Twain
beernutz
Posts: 332
Joined: Sun May 31, 2015 12:50 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by beernutz »

HawkeyePierce wrote: Thu Apr 30, 2020 12:00 am
Dominic wrote: Wed Apr 29, 2020 11:08 pm
absolute zero wrote: Wed Apr 29, 2020 11:00 pm
HawkeyePierce wrote: Wed Apr 29, 2020 10:08 pm Good for Vanguard. :beer

2FA isn't "minimal" extra security, properly implemented it eliminates phishing attacks: https://security.googleblog.com/2019/05 ... basic.html

Now if Vanguard will just let customers use *only* Yubikeys without the phone fallback.
It's been a couple of years, but I remember reading about that on Vanguard's website. The “phone fallback” made yubikey usage pretty much pointless. Left me scratching my head.

My vote is for Vanguard to get onboard with 2FA Authenticator apps. Last I checked they did not offer this as an option.
I don't think any financial institution I use offers app-based 2FA. I personally find this horrifying.
Schwab and M1 Finance both offer app-based 2FA.
TIAA as well.
Don't gamble; take all your savings and buy some good stock and hold it till it goes up, then sell it. If it don't go up, don't buy it. --Will Rogers
Silence Dogood
Posts: 1432
Joined: Tue Feb 01, 2011 9:22 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by Silence Dogood »

absolute zero wrote: Wed Apr 29, 2020 11:00 pm My vote is for Vanguard to get onboard with 2FA Authenticator apps.
App-based two-factor authentication would be a significant improvement over SMS-based two-factor authentication.

I don't understand why Vanguard hasn't already implemented this.
absolute zero
Posts: 515
Joined: Thu Dec 29, 2016 4:59 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by absolute zero »

Faith20879 wrote: Fri May 01, 2020 2:23 pm
MathWizard wrote: Fri May 01, 2020 1:22 pm ...These are initialized with a key that you are sent (often a QR code that you can import into the app with a bar code scanner via your phone's camera)
Once initialized, the app will ...
Hoah, this part is a bit over my head. Thank you for the info thou. I will have to chew on it for a few days.
After going through the process, I bet you’d agree that it’s actually a lot simpler than it sounds.

That being said, if you were asking about authenticator apps for Vanguard, note that Vanguard does not allow authenticator apps as a method of 2FA. They utilize SMS and Yubikey only.

If you have a gmail account or PayPal account, those would be two examples of websites that allow for the use of authenticator apps. It’s pretty convenient and more secure than SMS for 2FA.
Silence Dogood
Posts: 1432
Joined: Tue Feb 01, 2011 9:22 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by Silence Dogood »

absolute zero wrote: Wed Apr 29, 2020 11:00 pm The “phone fallback” made yubikey usage pretty much pointless. Left me scratching my head.
Technically, those who have opted to use the YubiKey for their Vanguard account are actually worse off (security-wise) than those who haven't.

It's truly baffling.
absolute zero
Posts: 515
Joined: Thu Dec 29, 2016 4:59 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by absolute zero »

Silence Dogood wrote: Sat May 02, 2020 9:52 pm
absolute zero wrote: Wed Apr 29, 2020 11:00 pm The “phone fallback” made yubikey usage pretty much pointless. Left me scratching my head.
Technically, those who have opted to use the YubiKey for their Vanguard account are actually worse off (security-wise) than those who haven't.

It's truly baffling.
Really? How so? I thought they were in pretty much the same boat (security-wise) as the SMS folks. It’s been a while though since I looked at the security settings portion of Vanguard's site. If someone’s 2FA selection is Yubikey, isn’t there just some sort of “lost my Yubikey” option that the person can click, which causes Vanguard to send a code to the cell phone number on file? I remember it being something along those lines.
index2max
Posts: 312
Joined: Mon Jan 21, 2019 11:01 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by index2max »

HawkeyePierce wrote: Wed Apr 29, 2020 10:08 pm Good for Vanguard. :beer

2FA isn't "minimal" extra security, properly implemented it eliminates phishing attacks: https://security.googleblog.com/2019/05 ... basic.html

Now if Vanguard will just let customers use *only* Yubikeys without the phone fallback.
I read an article by the US National Institute of Standards and Technology (NIST) that 2FA using SMS is not foolproof because an attacker targeting you has ways of intercepting text messages.

But if it's based on simply plugging in a hardware device that only you own on your person, then the "something-you-have" part of security is hard to beat.
Pacific
Posts: 1397
Joined: Tue Mar 06, 2007 8:19 pm
Location: Lost in the middle of the Pacific

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by Pacific »

occambogle wrote: Fri May 01, 2020 1:22 am
HawkeyePierce wrote: Thu Apr 30, 2020 1:26 pm Just use a Google Voice number. A locked-down Google account is an extremely difficult target for an attacker and this is much more secure than sending 2FA codes to a SIM-based number anyways.
But you need a real US number to link to/verify when creating a Google Voice account. There are somewhat complicated ways around that, but GV just starts to get complicated when permanently not in the U.S. App-based 2FA is so much more flexible.
THIS!!

"The delivery of security code text messages or automated calls may not be available to your phone number depending on your location."

So, while my location is devoid of any COVID-19 cases, it is also devoid of being able to receive texts. I called Vg on Thursday and they said that I could call back later and get some kind of an exemption. Hope this works. I have a bank that now also requires text codes and have not been able to access that account since January 1. So, I will be closing that account.
rolandtorres
Posts: 131
Joined: Sat Jan 09, 2016 8:44 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by rolandtorres »

The best explanation I can come up with is that 1) a majority of Vanguard's clients are not tech-savvy (i.e. not born in the time of computers) and 2) customer service call centers continue to be overwhelmed. So any security measures that are challenging, like mandating 2FA, and/or don't have a fallback that is simple (even if insecure, like using SMS as backup for Yubikey) are not considered.

This doesn't explain why they won't just allow technically savvy users to opt-in to Yubikey only. Or on a slightly related note, to bring back a better cash management feature that now every roboadvisor has instead of throwing in the towel because the product likely brought customer service more problems than it was worth, in their eyes.
absolute zero
Posts: 515
Joined: Thu Dec 29, 2016 4:59 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by absolute zero »

index2max wrote: Sat May 02, 2020 10:39 pm
HawkeyePierce wrote: Wed Apr 29, 2020 10:08 pm Good for Vanguard. :beer

2FA isn't "minimal" extra security, properly implemented it eliminates phishing attacks: https://security.googleblog.com/2019/05 ... basic.html

Now if Vanguard will just let customers use *only* Yubikeys without the phone fallback.
I read an article by the US National Institute of Standards and Technology (NIST) that 2FA using SMS is not foolproof because an attacker targeting you has ways of intercepting text messages.

But if it's based on simply plugging in a hardware device that only you own on your person, then the "something-you-have" part of security is hard to beat.
While I don’t have any sort of “expertise” in this area, I got interested in digital security last year and spent many hours researching 2FA. It’s very widely acknowledged that SMS for 2FA is deeply flawed.

I think it’s still commonly used because (1) it’s the simplest-to-implement form of 2FA from an end-user perspective and (2) despite its vulnerability, SMS 2FA is still much more secure than not using any form of 2FA at all.
dmcmahon
Posts: 2335
Joined: Fri Mar 21, 2008 10:29 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by dmcmahon »

HawkeyePierce wrote: Thu Apr 30, 2020 12:00 am
Dominic wrote: Wed Apr 29, 2020 11:08 pm
absolute zero wrote: Wed Apr 29, 2020 11:00 pm
HawkeyePierce wrote: Wed Apr 29, 2020 10:08 pm Good for Vanguard. :beer

2FA isn't "minimal" extra security, properly implemented it eliminates phishing attacks: https://security.googleblog.com/2019/05 ... basic.html

Now if Vanguard will just let customers use *only* Yubikeys without the phone fallback.
It's been a couple of years, but I remember reading about that on Vanguard's website. The “phone fallback” made yubikey usage pretty much pointless. Left me scratching my head.

My vote is for Vanguard to get onboard with 2FA Authenticator apps. Last I checked they did not offer this as an option.
I don't think any financial institution I use offers app-based 2FA. I personally find this horrifying.
Schwab and M1 Finance both offer app-based 2FA.
Fidelity too
ftobin
Posts: 1062
Joined: Fri Mar 20, 2009 3:28 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by ftobin »

dmcmahon wrote: Sun May 03, 2020 12:51 am Fidelity too
Unfortunately, for Fidelity, if you enable app TOTP 2FA, you have to use it on each login. If you simply use SMS-based 2FA, you can choose to enter it only when logging in from new devices. While I strongly prefer TOTP 2FA, I don't want to have to enter it all the time. Poor (lack of) design decision on their part, IMO.
IndexCore
Posts: 159
Joined: Wed Mar 25, 2020 1:44 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by IndexCore »

HawkeyePierce wrote: Sat May 02, 2020 12:15 pm
ftobin wrote: Fri May 01, 2020 10:45 pm
IndexCore wrote: Fri May 01, 2020 8:33 pm At some point I plan to figure out what went wrong for me with Google Voice and Interactive Brokers.
Venmo also has this problem, and Facebook did too at one point. From what I've noticed, these providers are using a service that classifies GV numbers as landlines, which would suggest they can't receive SMS.
... The vast vast majority of companies sending SMS for 2FA outsource that part of the operation to a company like Twilio or Cisco or Avaya and may not even realize they've enabled such a blacklist. Google Voice is sometimes on those blacklists depending on the operator in question.
I didn't realize it was so widespread. I'd like to ask Interactive Brokers about the problem. How should I phrase my question/complaint to them, so they are most likely to act on it / get it to the right place?
IndexCore
Posts: 159
Joined: Wed Mar 25, 2020 1:44 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by IndexCore »

occambogle wrote: Sat May 02, 2020 12:32 am
IndexCore wrote: Fri May 01, 2020 8:33 pm Speaking of international, I did hit problems using Google Voice with Interactive Brokers (IB). IB has phone numbers around the world, so they can send a local text message to your cell phone, which works. At some point I plan to figure out what went wrong for me with Google Voice and Interactive Brokers.
With IB you don't need to receive texts; instead you can use their mobile app for 2FA, e.g. fingerprint on iPhone. Works great internationally. In any case they send texts to international numbers.
Thanks for the tip - I think they might have a desktop version of that phone app, maybe worth looking into.

But if it's only available for phones, there's additional hassles for me if I want to replace my phone. So I have a strong preference for Google Voice receiving my authentication codes.
HawkeyePierce
Posts: 1493
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by HawkeyePierce »

IndexCore wrote: Sun May 03, 2020 6:18 am
HawkeyePierce wrote: Sat May 02, 2020 12:15 pm
ftobin wrote: Fri May 01, 2020 10:45 pm
IndexCore wrote: Fri May 01, 2020 8:33 pm At some point I plan to figure out what went wrong for me with Google Voice and Interactive Brokers.
Venmo also has this problem, and Facebook did too at one point. From what I've noticed, these providers are using a service that classifies GV numbers as landlines, which would suggest they can't receive SMS.
... The vast vast majority of companies sending SMS for 2FA outsource that part of the operation to a company like Twilio or Cisco or Avaya and may not even realize they've enabled such a blacklist. Google Voice is sometimes on those blacklists depending on the operator in question.
I didn't realize it was so widespread. I'd like to ask Interactive Brokers about the problem. How should I phrase my question/complaint to them, so they are most likely to act on it / get it to the right place?
I honestly have no idea. Keep in mind they may be restricting GV intentionally.

In our case we wouldn't even entertain a customer request around this since it could expose some of our anti-abuse measures.
Silence Dogood
Posts: 1432
Joined: Tue Feb 01, 2011 9:22 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by Silence Dogood »

absolute zero wrote: Sat May 02, 2020 10:32 pm
Silence Dogood wrote: Sat May 02, 2020 9:52 pm
absolute zero wrote: Wed Apr 29, 2020 11:00 pm The “phone fallback” made yubikey usage pretty much pointless. Left me scratching my head.
Technically, those who have opted to use the YubiKey for their Vanguard account are actually worse off (security-wise) than those who haven't.

It's truly baffling.
Really? How so? I thought they were in pretty much the same boat (security-wise) as the SMS folks. It’s been a while though since I looked at the security settings portion of Vanguard's site. If someone’s 2FA selection is Yubikey, isn’t there just some sort of “lost my Yubikey” option that the person can click, which causes Vanguard to send a code to the cell phone number on file? I remember it being something along those lines.
I think you've answered your own question!

It's true that they are pretty much in the same boat as those who haven't opted to use the YubiKey option. However, YubiKey with SMS as a backup carries all of the risks associated with SMS-based two-factor authentication (low-risk) along with all of the risks associated with the YubiKey option (extremely low-risk).

To be clear, using SMS-based two-factor authentication is more secure than not using two-factor authentication at all; using app-based two-factor authentication is more secure than using SMS-based two-factor authentication; using hardware-based (e.g., YubiKey) two-factor authentication is more secure than using app-based two-factor authentication.

In my opinion, using app-based two-factor authentication is also more convenient than using SMS-based two-factor authentication.
HawkeyePierce
Posts: 1493
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by HawkeyePierce »

index2max wrote: Sat May 02, 2020 10:39 pm
HawkeyePierce wrote: Wed Apr 29, 2020 10:08 pm Good for Vanguard. :beer

2FA isn't "minimal" extra security, properly implemented it eliminates phishing attacks: https://security.googleblog.com/2019/05 ... basic.html

Now if Vanguard will just let customers use *only* Yubikeys without the phone fallback.
I read an article by the US National Institute of Standards and Technology (NIST) that 2FA using SMS is not foolproof because an attacker targeting you has ways of intercepting text messages.

But if it's based on simply plugging in a hardware device that only you own on your person, then the "something-you-have" part of security is hard to beat.
"Properly implemented" was the key in my post. 2FA over SMS is vulnerable to SIM-swapping.

TOTP apps like Authy and Google Authenticator are better because the code can't be as easily intercepted, but *you* can still end up entering the code into a phishing site.

Hardware tokens like Yubikeys eliminate that risk because the key won't authenticate against fake websites. When you register a Yubikey with a website, the device generates a long random number based on the site's domain name and a secret key. The secret key is generated on the Yubikey and never leaves the device.

Since that long random number is based on the site's domain name, if you get tricked into logging into a phishing site, the key won't generate the same number, so the attacker can't just use it to log into Vanguard.

Any form of 2FA protects against what's known as "credential stuffing", where lists of known username/password pairs are tried en masse against other websites. They also raise the bar on phishing attacks but only Yubikeys prevent it.

The best defense against credential stuffing is a password manager which ensures you use a unique password for every website. This way, a password stolen from one website can't be used against another. Using the autofill function of a password manager also offers some protection against phishing, since the autofill won't work against fake domains. E.g., if you somehow land on vangaurd.com instead of vanguard.com, the password manager won't autofill because the misspelled domain won't match.

My recommendation to vastly improve your cybersecurity:
  • Get at least two Yubikeys. Keep one on a keychain or somewhere convenient, keep the other in a safe location. I use a fireproof document safe.
  • Use Gmail and set up your Google account to require 2FA using either your Yubikeys or a push notification to your phone's Gmail app—both are safe against phishing. Also ensure you print out your backup 2FA codes and keep them somewhere safe (again, fireproof document safe).
  • Use a password manager for ALL websites, even if they don't seem that important to your security (social media, forums like Bogleheads, etc).
  • Install your password manager's browser extension. If a password won't autofill, be VERY suspicious.
  • Use Google Voice for SMS 2FA codes for sites that allow it, it's invulnerable to SIM swap attacks and you've already locked down your Google account.
  • Use Authy for generating 2FA codes. It's easier to use than Google Authenticator and makes it much easier to move your codes to a new device.
Your email account is the key to your kingdom. Locking it down is central to staying safe, since an attacker who can get into your email can likely use that to get into just about any other account (e.g. by using password recovery on other sites). At that point you'll be in great shape. If you want to go a few extra steps:
  • Sign up for USPS Informed Delivery before someone else does so you know if your mail goes missing.
  • Install the "HTTPS Everywhere" browser extension to ensure that your browsing is encrypted wherever possible.
  • Make sure your hard drive is encrypted. If you have a Mac, just enable FileVault and you're set. Very easy.
  • Keep your software up to date. When Windows or MacOS prompts you to update, do it. Keep your phone up to date and upgrade if it's no longer supported.
  • Install uBlock Origin to block ad networks from loading in your browser. Compromised ad networks are a relatively common attack vector for malware.
  • Make sure your phone requires a passcode or biometric to unlock. This way if it's stolen or lost it won't be easy to get into.
  • Same for your computer: require a password to unlock it.
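HawkeyePierce's explanation above of why a security key won't authenticate to a look-alike domain, as an added example that is not part of the thread: a toy origin-bound authenticator in Python. The device secret never leaves the authenticator, the per-site key and the signed client data both depend on the origin the browser reports, and the relying party rejects an assertion made for any other domain. Assumptions: HMAC-SHA256 stands in for the per-site EC key pair and ECDSA signature of a real U2F/FIDO key (so the site stores the derived secret rather than a public key), and `vanguard.example` / `vangaurd.example` are constructed placeholder domains.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, Tuple


class SecurityKey:
    """Toy authenticator: the master secret is generated on-device and never exported."""

    def __init__(self) -> None:
        self._master = os.urandom(32)

    def _site_key(self, origin: str) -> bytes:
        # The per-site key depends on the origin; a look-alike domain yields a different key.
        return hmac.new(self._master, b"site:" + origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        # Stand-in for the public key a real key hands over at enrolment
        # (assumption: symmetric model, so the site stores the derived key itself).
        return self._site_key(origin)

    def sign(self, origin: str, challenge: bytes) -> Tuple[bytes, bytes]:
        # The browser, not the user, supplies `origin`, and it is signed together with
        # the challenge, so the site can see which domain the assertion was made for.
        client_data = json.dumps(
            {"origin": origin, "challenge": challenge.hex()}, sort_keys=True
        ).encode()
        sig = hmac.new(self._site_key(origin), client_data, hashlib.sha256).digest()
        return client_data, sig


class RelyingParty:
    """The genuine site: stores the enrolment secret and issues single-use challenges."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._keys: Dict[str, bytes] = {}
        self._pending: Dict[str, bytes] = {}

    def enroll(self, user: str, key: SecurityKey) -> None:
        self._keys[user] = key.register(self.origin)

    def new_challenge(self, user: str) -> bytes:
        self._pending[user] = os.urandom(32)
        return self._pending[user]

    def verify(self, user: str, client_data: bytes, sig: bytes) -> bool:
        expected = self._pending.pop(user, None)      # each challenge is single-use
        if expected is None or user not in self._keys:
            return False
        data = json.loads(client_data)
        if data.get("origin") != self.origin:         # assertion bound to another domain
            return False
        if data.get("challenge") != expected.hex():   # stale or replayed assertion
            return False
        good = hmac.new(self._keys[user], client_data, hashlib.sha256).digest()
        return hmac.compare_digest(good, sig)         # wrong per-site key fails here too


def genuine_login(rp: RelyingParty, user: str, key: SecurityKey) -> bool:
    """The browser reports the real origin, so the assertion verifies."""
    challenge = rp.new_challenge(user)
    client_data, sig = key.sign(rp.origin, challenge)
    return rp.verify(user, client_data, sig)


def lookalike_relay(rp: RelyingParty, user: str, key: SecurityKey, lookalike: str) -> bool:
    """What the genuine site sees when a look-alike page forwards the real challenge to the
    victim's browser: the key signs for the look-alike's origin, so verification fails."""
    challenge = rp.new_challenge(user)
    client_data, sig = key.sign(lookalike, challenge)
    return rp.verify(user, client_data, sig)


if __name__ == "__main__":
    key = SecurityKey()
    rp = RelyingParty("vanguard.example")            # constructed placeholder domain
    rp.enroll("alice", key)
    print("genuine login accepted:", genuine_login(rp, "alice", key))
    print("relayed look-alike accepted:", lookalike_relay(rp, "alice", key, "vangaurd.example"))
```

A TOTP code has no origin in it at all, which is why the same relay succeeds against app or SMS codes but not against the key.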
mrb55
Posts: 24
Joined: Sun Oct 25, 2015 1:28 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by mrb55 »

If you are going to

1. use an app-based authenticator that isn't Symantec VIP.
2. You already have or use yubikeys with near field communication (NFC) functionality that works with your smartphone.

The Yubico authenticator (similar to Google authenticator) can be installed on your smartphone and locked with your yubikey. That way if your phone gets misplaced or stolen, nobody can ever see the generated codes unless they also have your yubikey to tap and unlock them to display.

I use this method for Amazon, Microsoft account access, etc. I, too, am hoping that Vanguard soon uses app codes as the backup authentication method rather than SMS texts to the phone.
index2max
Posts: 312
Joined: Mon Jan 21, 2019 11:01 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by index2max »

HawkeyePierce wrote: Sun May 03, 2020 11:54 am
"Properly implemented" was the key in my post. 2FA over SMS is vulnerable to SIM-swapping.

TOTP apps like Authy and Google Authenticator are better because the code can't be as easily intercepted, but *you* can still end up entering the code into a phishing site.

Hardware tokens like Yubikeys eliminate that risk because the key won't authenticate against fake websites. When you register a Yubikey with a website, the device generates a long random number based on the site's domain name and a secret key. The secret key is generated on the Yubikey and never leaves the device.

Since that long random number is based on the site's domain name, if you get tricked into logging into a phishing site, the key won't generate the same number, so the attacker can't just use it to log into Vanguard.

Any form of 2FA protects against what's known as "credential stuffing", where lists of known username/password pairs are tried en masse against other websites. They also raise the bar on phishing attacks but only Yubikeys prevent it.

The best defense against credential stuffing is a password manager which ensures you use a unique password for every website. This way, a password stolen from one website can't be used against another. Using the autofill function of a password manager also offers some protection against phishing, since the autofill won't work against fake domains. E.g., if you somehow land on vangaurd.com instead of vanguard.com, the password manager won't autofill because the misspelled domain won't match.

My recommendation to vastly improve your cybersecurity:
  • Get at least two Yubikeys. Keep one on a keychain or somewhere convenient, keep the other in a safe location. I use a fireproof document safe.
  • Use Gmail and set up your Google account to require 2FA using either your Yubikeys or a push notification to your phone's Gmail app—both are safe against phishing. Also ensure you print out your backup 2FA codes and keep them somewhere safe (again, fireproof document safe).
  • Use a password manager for ALL websites, even if they don't seem that important to your security (social media, forums like Bogleheads, etc).
  • Install your password manager's browser extension. If a password won't autofill, be VERY suspicious.
  • Use Google Voice for SMS 2FA codes for sites that allow it, it's invulnerable to SIM swap attacks and you've already locked down your Google account.
  • Use Authy for generating 2FA codes. It's easier to use than Google Authenticator and makes it much easier to move your codes to a new device.
Your email account is the key to your kingdom. Locking it down is central to staying safe, since an attacker who can get into your email can likely use that to get into just about any other account (e.g. by using password recovery on other sites). At that point you'll be in great shape. If you want to go a few extra steps:
  • Sign up for USPS Informed Delivery before someone else does so you know if your mail goes missing.
  • Install the "HTTPS Everywhere" browser extension to ensure that your browsing is encrypted wherever possible.
  • Make sure your hard drive is encrypted. If you have a Mac, just enable FileVault and you're set. Very easy.
  • Keep your software up to date. When Windows or MacOS prompts you to update, do it. Keep your phone up to date and upgrade if it's no longer supported.
  • Install uBlock Origin to block ad networks from loading in your browser. Compromised ad networks are a relatively common attack vector for malware.
  • Make sure your phone requires a passcode or biometric to unlock. This way if it's stolen or lost it won't be easy to get into.
  • Same for your computer: require a password to unlock it.
I like those USB keys for 2FA. Thanks for the extra tech tips. uBlock Origin rocks as an adblocker.

I recommend not using biometrics like fingerprints. Should someone be able to steal your fingerprint (aka "something you are"), it's not exactly something you can change very easily like buying a new USB security key device.

Is it possible to use these made-in-USA devices as a custom USB security key for 2FA on sites like Vanguard? I presume those YubiKey things are made in China like most electronics these days.

https://wp.puri.sm/posts/made-in-usa-librem-key/
L82GAME
Posts: 329
Joined: Sat Dec 07, 2019 9:29 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by L82GAME »

index2max wrote: Sun May 03, 2020 3:45 pm
I like those USB keys for 2FA. Thanks for the extra tech tips. uBlock Origin rocks as an adblocker.

I recommend not using biometrics like fingerprints. Should someone be able to steal your fingerprint (aka "something you are"), it's not exactly something you can change very easily like buying a new USB security key device.

Is it possible to use these made-in-USA devices as a custom USB security key for 2FA on sites like Vanguard? I presume those YubiKey things are made in China like most electronics these days.

https://wp.puri.sm/posts/made-in-usa-librem-key/
Yubikeys made in the USA and Sweden
index2max
Posts: 312
Joined: Mon Jan 21, 2019 11:01 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by index2max »

L82GAME wrote: Sun May 03, 2020 4:20 pm
Yubikeys made in the USA and Sweden
Well that's a pleasant surprise! I'm glad to hear it! Definitely will look into their USB security token sticks.
User avatar
tuningfork
Posts: 532
Joined: Wed Oct 30, 2013 8:30 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by tuningfork »

HawkeyePierce wrote: Sun May 03, 2020 11:54 am My recommendation to vastly improve your cybersecurity:
Excellent set of recommendations. Everyone should do as many of these as they can.
  • Also ensure you print out your backup 2FA codes and keep them somewhere safe (again, fireproof document safe).
    ...
  • Use Authy for generating 2FA codes. It's easier to use than Google Authenticator and makes it much easier to move your codes to a new device.
If you're using Google Authenticator, you really should switch to Authy as soon as possible. If your phone dies, with GA you have to log in to all the sites where you used GA and register your new phone. You better have your backup codes for every site saved somewhere or you may be locked out forever. Do you even know all the sites you set up in GA? Did you remember to save the backup codes for ALL of them?

If you use Authy, you can register multiple devices (phones, tablets, computers). Then if your phone dies, you still have access through your other devices. And when you get your replacement phone, just link it to your Authy account and you're done.

I had intended to switch from GA to Authy for many months in case my phone died, but kept putting it off. Then my phone suddenly and without warning bricked itself. So glad I had backup codes saved in my password manager. Now I'm using Authy.
Chaconne
Posts: 207
Joined: Sat Dec 15, 2007 4:18 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by Chaconne »

Speaking of online security and just in case the worst happens, it's good to keep in mind Vanguard's reimbursement policy:

"We'll reimburse you the amount taken from your Vanguard account in an unauthorized online transaction on vanguard.com if you've followed the steps described in the Your responsibilities section below." (See the link for "your responsibilities.")

http://vanguard.com/us/help/SecurityOnl ... ontent.jsp
User avatar
Cubicle
Posts: 939
Joined: Sun Sep 22, 2019 1:43 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by Cubicle »

I don't use Authy. But is it easy to link a new device to your Authy account? If yes, then is that a security vulnerability?
"Oh look another bajillion point declin-Ooooh!!! A coupon for pizza!!!!" <--- This is what everyone's IPS should be. ✓✓✓
HawkeyePierce
Posts: 1493
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by HawkeyePierce »

Cubicle wrote: Sun May 03, 2020 11:05 pm I don't use Authy. But is it easy to link a new device to your Authy account? If yes, then is that a security vulnerability?
No, because the copy stored in Authy’s cloud is encrypted before it leaves your device and they don’t have the key.
boomer_techie
Posts: 422
Joined: Fri Jan 18, 2019 6:47 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by boomer_techie »

MathWizard wrote: Fri May 01, 2020 1:22 pm Google Authenticator or Authy are two types of (free) One-Time Time-Based Passcodes (OTTP). You can download these on your phone from the Apple App Store or the Google Play store.
Do these work on a phone that does not get cell service, i.e. my "old" phone? I presume these apps need the device clock to be set "exactly" right. Without being on a cell network, and without connecting to a WiFi network, I expect the clock to drift.

I refuse to allow a device I carry around out in the world to have security access to anything important.
MathWizard
Posts: 4346
Joined: Tue Jul 26, 2011 1:35 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by MathWizard »

boomer_techie wrote: Mon May 04, 2020 2:30 am
MathWizard wrote: Fri May 01, 2020 1:22 pm Google Authenticator or Authy are two types of (free) One-Time Time-Based Passcodes (OTTP). You can download these on your phone from the Apple App Store or the Google Play store.
Do these work on a phone that does not get cell service, i.e. my "old" phone? I presume these apps need the device clock to be set "exactly" right. Without being on a cell network, and without connecting to a WiFi network, I expect the clock to drift.

I refuse to allow a device I carry around out in the world to have security access to anything important.
You can with old smartphones if you can connect over wifi to get and initialize the app.

Other options are Duo and YubiKey hard tokens, if these are supported.

The app does not connect you to anything, it just produces a random code. It is useful whether it is connected or not. If you are worried, connect with your home encrypted wifi, and then turn off the wifi (or put it in airplane mode). You can occasionally reconnect to set the time again.

If there is internet access to anything with sensitive information, like retirement accounts or your bank account, or your Social Security account, or filing taxes online, then anyone can login as you if they have the proper information, such as the URL, your account name and password. Multi-factor authentication just adds another layer of security on the account.
HawkeyePierce
Posts: 1493
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by HawkeyePierce »

boomer_techie wrote: Mon May 04, 2020 2:30 am
MathWizard wrote: Fri May 01, 2020 1:22 pm Google Authenticator or Authy are two types of (free) One-Time Time-Based Passcodes (OTTP). You can download these on your phone from the Apple App Store or the Google Play store.
Do these work on a phone that does not get cell service, i.e. my "old" phone? I presume these apps need the device clock to be set "exactly" right. Without being on a cell network, and without connecting to a WiFi network, I expect the clock to drift.

I refuse to allow a device I carry around out in the world to have security access to anything important.
If your device is locked and encrypted, which iPhones are by default, there is little to no risk in keeping important information on it.

Stealing phones to break into financial accounts is not a realistic threat. Mass phishing and credential stuffing are and happen on a daily basis.
crumbone
Posts: 90
Joined: Thu Oct 12, 2017 11:50 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by crumbone »

Dominic wrote: Wed Apr 29, 2020 11:08 pm
absolute zero wrote: Wed Apr 29, 2020 11:00 pm
It's been a couple years, but I remember reading about that on Vanguard's website. The “phone fallback” made yubikey usage pretty much pointless. Left me scratching my head.

My vote is for Vanguard to get onboard with 2FA Authenticator apps. Last I checked they did not offer this as an option.
I don't think any financial institution I use offers app-based 2FA. I personally find this horrifying.
Vanguard is one of the very few to allow U2F hardware 2-factor authentication, which is better.