Vanguard 2-factor authentication becoming mandatory and available for non-US

crumbone
Posts: 90
Joined: Thu Oct 12, 2017 11:50 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by crumbone »

HawkeyePierce wrote: Sun May 03, 2020 11:54 am
index2max wrote: Sat May 02, 2020 10:39 pm
HawkeyePierce wrote: Wed Apr 29, 2020 10:08 pm Good for Vanguard. :beer

2FA isn't "minimal" extra security, properly implemented it eliminates phishing attacks: https://security.googleblog.com/2019/05 ... basic.html

Now if Vanguard will just let customers use *only* Yubikeys without the phone fallback.
I read an article by the US National Institute of Standards and Technology (NIST) that 2FA using SMS is not foolproof because an attacker targeting you has ways of intercepting text messages.

But if it's based on simply plugging in a hardware device that only you own on your person, then the "something-you-have" part of security is hard to beat.
"Properly implemented" was the key in my post. 2FA over SMS is vulnerable to SIM-swapping.

TOTP apps like Authy and Google Authenticator are better because the code can't be as easily intercepted, but *you* can still end up entering the code into a phishing site.

Hardware tokens like Yubikeys eliminate that risk because the key won't authenticate against fake websites. When you register a Yubikey with a website, the device generates a long random number based on the site's domain name and a secret key. The secret key is generated on the Yubikey and never leaves the device.

Since that long random number is based on the site's domain name, if you get tricked into logging into a phishing site, the key won't generate the same number, so the attacker can't just use it to log into Vanguard.

Any form of 2FA protects against what's known as "credential stuffing", where lists of known username/password pairs are tried en masse against other websites. They also raise the bar on phishing attacks but only Yubikeys prevent it.

The best defense against credential stuffing is a password manager which ensures you use a unique password for every website. This way, a password stolen from one website can't be used against another. Using the autofill function of a password manager also offers some protection against phishing, since the autofill won't work against fake domains. E.g. if you somehow land on vangaurd.com instead of vanguard.com, the password manager won't autofill because the misspelled domain won't match.

My recommendation to vastly improve your cybersecurity:
  • Get at least two Yubikeys. Keep one on a keychain or somewhere convenient, keep the other in a safe location. I use a fireproof document safe.
  • Use Gmail and set up your Google account to require 2FA using either your Yubikeys or a push notification to your phone's Gmail app—both are safe against phishing. Also ensure you print out your backup 2FA codes and keep them somewhere safe (again, fireproof document safe).
  • Use a password manager for ALL websites, even if they don't seem that important to your security (social media, forums like Bogleheads, etc).
  • Install your password manager's browser extension. If a password won't autofill, be VERY suspicious.
  • Use Google Voice for SMS 2FA codes for sites that allow it, it's invulnerable to SIM swap attacks and you've already locked down your Google account.
  • Use Authy for generating 2FA codes. It's easier to use than Google Authenticator and makes it much easier to move your codes to a new device.
Your email account is the key to your kingdom. Locking it down is central to staying safe, since an attacker who can get into your email can likely use that to get into just about any other account (eg by using password recovery on other sites). At that point you'll be in great shape. If you want to go a few extra steps:
  • Sign up for USPS Informed Delivery before someone else does so you know if your mail goes missing.
  • Install the "HTTPS Everywhere" browser extension to ensure that your browsing is encrypted wherever possible.
  • Make sure your hard drive is encrypted. If you have a Mac, just enable FileVault and you're set. Very easy.
  • Keep your software up to date. When Windows or MacOS prompts you to update, do it. Keep your phone up to date and upgrade if it's no longer supported.
  • Install uBlock Origin to block ad networks from loading in your browser. Compromised ad networks are a relatively common attack vector for malware.
  • Make sure your phone requires a passcode or biometric to unlock. This way if it's stolen or lost it won't be easy to get into.
  • Same for your computer: require a password to unlock it.
This is all wonderful advice.

One I'd add, to go along with your recommendation to use a password manager: if a site forces you to select "security questions" to reset your password, instead of having the answers be autobiographical information, have them be randomly-generated nonsense, stored in your password manager.
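The two mechanisms HawkeyePierce describes above, a hardware key whose per-site secret and signature are bound to the domain, and a password manager that only fills on a matching host, can be modelled in a few dozen lines. The following is an added illustration, not code from Vanguard, Yubico or any forum poster. Real U2F/WebAuthn keys use a per-site ECDSA key pair and a CBOR client-data structure; this sketch substitutes HMAC-SHA256 for the key derivation and the signature so it runs on the Python standard library alone, and the domains, challenge and "master secret" are made-up values.

```python
"""Toy model of an origin-bound second factor (FIDO U2F / WebAuthn) and of
password-manager host matching. Added example; not Yubico's, Vanguard's or a
forum poster's code. HMAC-SHA256 stands in for the real ECDSA key pair and
signature; all domains, the challenge and the master secret are constructed.
"""
import hashlib
import hmac
import os


class Authenticator:
    """Stands in for the hardware key: one master secret that never leaves it."""

    def __init__(self, master_secret: bytes) -> None:
        self._master = master_secret

    def _site_key(self, rp_id: str) -> bytes:
        # Per-site key derived from the master secret and the site's domain.
        # Keys for two different domains are unrelated to each other.
        return hmac.new(self._master, rp_id.encode(), hashlib.sha256).digest()

    def register(self, rp_id: str) -> bytes:
        # Hands the site its verification key. In real U2F this is a public key;
        # in this HMAC sketch the server holds the site key itself, which still
        # leaves the master secret and every other site's key on the device.
        return self._site_key(rp_id)

    def sign(self, browser_origin: str, challenge: bytes) -> bytes:
        # The browser, not the page's JavaScript, reports the origin it is really
        # connected to. The key derives the site key from that origin and signs
        # origin and challenge together, so a page cannot borrow another site's identity.
        return hmac.new(self._site_key(browser_origin),
                        browser_origin.encode() + b"|" + challenge,
                        hashlib.sha256).digest()


class RelyingParty:
    """Stands in for the genuine site's login server."""

    def __init__(self, rp_id: str, authenticator: Authenticator) -> None:
        self.rp_id = rp_id
        self._verify_key = authenticator.register(rp_id)

    def new_challenge(self) -> bytes:
        return os.urandom(32)

    def verify(self, challenge: bytes, signature: bytes) -> bool:
        expected = hmac.new(self._verify_key,
                            self.rp_id.encode() + b"|" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def password_manager_will_fill(saved_host: str, page_host: str) -> bool:
    """Fill only when the page's host is the saved host or a subdomain of it,
    so a look-alike domain (vangaurd.com) gets nothing from the manager."""
    saved, page = saved_host.lower(), page_host.lower()
    return page == saved or page.endswith("." + saved)


def phishing_demo(master_secret: bytes = b"constructed-master-secret") -> dict:
    """Legitimate login versus a real-time phishing relay against the same key."""
    key = Authenticator(master_secret)
    vanguard = RelyingParty("vanguard.com", key)
    challenge = vanguard.new_challenge()

    # Legitimate login: the browser really is on vanguard.com.
    legit_sig = key.sign("vanguard.com", challenge)

    # Phishing: the user is on vangaurd.com and the attacker relays the genuine
    # challenge from vanguard.com to the fake page. The key signs for the origin
    # the browser reports, so the result never verifies at vanguard.com.
    phish_sig = key.sign("vangaurd.com", challenge)

    return {
        "legit_accepted": vanguard.verify(challenge, legit_sig),
        "phished_accepted": vanguard.verify(challenge, phish_sig),
        "manager_fills_real_site": password_manager_will_fill("vanguard.com", "personal.vanguard.com"),
        "manager_fills_lookalike": password_manager_will_fill("vanguard.com", "vangaurd.com"),
    }


if __name__ == "__main__":
    for name, outcome in phishing_demo().items():
        print(f"{name}: {outcome}")
```

The point the demo makes is that the attacker's relay is perfect, the genuine challenge reaches the key, and the login still fails, because the binding to the origin happens inside the browser and the key, not in anything the user reads or types. A TOTP code has no such binding: whatever the user types into vangaurd.com can be forwarded to vanguard.com unchanged.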
crefwatch
Posts: 620
Joined: Sun Apr 15, 2007 1:07 pm
Location: New Jersey, USA

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by crefwatch »

So far, Vanguard's 2-factor policy allows persistent approval for a trusted computer. So I rarely have to have my phone beside my home desktop. And this persistence works much better than older (cookie-based???) permissions that disappear randomly (like for TIAA and T. Rowe Price.) I haven't found Vanguard's policy to be a problem. Yet.
boomer_techie
Posts: 410
Joined: Fri Jan 18, 2019 6:47 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by boomer_techie »

MathWizard wrote: Mon May 04, 2020 9:31 am The app does not connect you to anything, it just produces a random code. It is useful if it is connected or not.
If you are worried, connect with your home encrypted wifi, and then turn off the wifi (or put it in airplane mode)
You can occasionally reconnect to set the time again.
Presumably Google Authenticator is a https://en.wikipedia.org/wiki/Time-base ... _algorithm - um, yes, you confirmed that up above. Thus the clock needs to be reasonably correct. If not, the system won't work. Hmmm, just checked the time on my old iPhone: After seven weeks of not being online, it is a minute fast. So the clock would need to be "fixed" weekly or biweekly.
HawkeyePierce wrote: Mon May 04, 2020 9:57 am If your device is locked and encrypted, which iPhones are by default, there is little to no risk in keeping important information on it.
I'm a computer programmer by trade. If someone can get their hands on a physical device, I don't trust the security on the device no matter how much Apple brags about secure elements and encryption. I find it simpler to just not do anything important on a device that I carry around all over.
HawkeyePierce
Posts: 1431
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by HawkeyePierce »

boomer_techie wrote: Tue May 05, 2020 6:55 am
HawkeyePierce wrote: Mon May 04, 2020 9:57 am If your device is locked and encrypted, which iPhones are by default, there is little to no risk in keeping important information on it.
I'm a computer programmer by trade. If someone can get their hands on a physical device, I don't trust the security on the device no matter how much Apple brags about secure elements and encryption. I find it simpler to just not do anything important on a device that I carry around all over.
I don't want others following this thread to believe this is a reasonable precaution. It's absolutely not.

Carrying around a phone that has Authy or Google Authenticator on it poses such negligible risk that it's not worth worrying about. Think through the threat model: someone steals your phone, or you leave it at a Starbucks. Let's say you're right for the moment and Apple screwed up their crypto implementation. Now someone has your 2FA codes. They still don't have your passwords! The other factor saved you! It won't take you long to realize you've lost your phone, at which point you can contact your financial institutions etc and revoke those codes.

Fortunately Apple *didn't* screw up their crypto implementation, the data on your phone is *exceptionally* safe and this is not a scenario worth worrying about.

(I'm also a software engineer and I work closely with a world-class security team at my company. This is not something they worry about)
Silence Dogood
Posts: 1426
Joined: Tue Feb 01, 2011 9:22 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by Silence Dogood »

There is essentially no reasonable security threat from using an authentication app on a smartphone.

Having said that, I limit the financial apps on my smartphone to mitigate the risk of user and/or behavioral error, which is always a possibility. :wink:
jebmke
Posts: 11265
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by jebmke »

Silence Dogood wrote: Tue May 05, 2020 5:10 pm There is essentially no reasonable security threat from using an authentication app on a smartphone.

Having said that, I limit the financial apps on my smartphone to mitigate the risk of user and/or behavioral error, which is always a possibility. :wink:
Same here. I'm never away from home for more than a couple of weeks so there really isn't a compelling reason to use the mobile device.
When you discover that you are riding a dead horse, the best strategy is to dismount.
HawkeyePierce
Posts: 1431
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by HawkeyePierce »

I consider accessing a financial institution via their app to be *more* secure than using their website, especially on an iPhone. You can't get phished, the OS guarantees all communications are encrypted, no risk of rogue browser extensions stealing data.
ftobin
Posts: 1062
Joined: Fri Mar 20, 2009 3:28 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by ftobin »

HawkeyePierce wrote: Tue May 05, 2020 5:40 pm I consider accessing a financial institution via their app to be *more* secure than using their website, especially on an iPhone. You can't get phished, the OS guarantees all communications are encrypted, no risk of rogue browser extensions stealing data.
There are other nuanced considerations. For example, I use a password manager for every account I have. Using Firefox's built-in password manager, I'm guaranteed I only submit the password to the correct site. Using a password manager with mobile apps generally requires a cumbersome and insecure process of using an independent password manager to copy a password to the clipboard and then paste into the app. Any app can read from the clipboard during this time. On Android there are keyboard-based password entry approaches, but in general, the password is available for anything to sniff it out.

Obviously, I can't get phished using Firefox either, given the safeguards it has built-in. I'd have to go out of my way to submit a password to the wrong site.
ARoseByAnyOtherName
Posts: 1000
Joined: Wed Apr 26, 2017 12:03 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by ARoseByAnyOtherName »

ftobin wrote: Tue May 05, 2020 10:20 pm
HawkeyePierce wrote: Tue May 05, 2020 5:40 pm I consider accessing a financial institution via their app to be *more* secure than using their website, especially on an iPhone. You can't get phished, the OS guarantees all communications are encrypted, no risk of rogue browser extensions stealing data.
There are other nuanced considerations. For example, I use a password manager for every account I have. Using Firefox's built-in password manager, I'm guaranteed I only submit the password to the correct site. Using a password manager with mobile apps generally requires a cumbersome and insecure process of using an independent password manger to copy a password to the clipboard and then paste into the app.
Not on iOS. Password managers are integrated with most app authentication prompts. They mostly auto fill like websites.
Silence Dogood
Posts: 1426
Joined: Tue Feb 01, 2011 9:22 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by Silence Dogood »

HawkeyePierce wrote: Tue May 05, 2020 5:40 pm I consider accessing a financial institution via their app to be *more* secure than using their website, especially on an iPhone. You can't get phished, the OS guarantees all communications are encrypted, no risk of rogue browser extensions stealing data.
I agree. (Was this in response to my post?)

As I wrote in another thread, about this same topic:
...I only access my Vanguard account via my desktop computer. I have my online account set to "only allow recognized devices" and only my desktop computer is recognized.

Not having easy - 24/7 - access to my account via my phone reduces my chances of doing something stupid. It takes effort for me to access my online account. I can't do it while I'm half-asleep in the middle of the night and I can't do it while I'm out at a bar with friends.

To be clear, I highly doubt this will ever be an issue. It has never been an issue in the past.

Yet, it's probably still more likely to happen than the unlikely chance that my account gets hacked.
Besides, like jebmke, I personally don't feel like I have a compelling reason to use certain financial apps. Why would I need to check my retirement account when I'm out and about?

I use two different credit cards and I do have the apps for those, so I'm not against it if a compelling reason exists. If I wanted to (I rarely do), I could view a recent transaction and there is a low-risk/limit of doing anything stupid.
Gadget
Posts: 383
Joined: Fri Mar 17, 2017 1:38 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by Gadget »

ftobin wrote: Sun May 03, 2020 2:08 am
dmcmahon wrote: Sun May 03, 2020 12:51 am Fidelity too
Unfortunately, for Fidelity, if you enable app TOTP 2FA, you have to use it on each login. If you simply use SMS-based 2FA, you can choose to enter it only when logging in from new devices. While I strongly prefer TOTP 2FA, I don't want to have to enter it all the time. Poor (lack of) design decision on their part, IMO.
Does Fidelity support standard TOTP 2FA now? As in, I can save the TOTP code in 1Password and 1Password will automatically fill it in for me after it autofills my username/password?

Last I checked on Fidelity, they only supported 2FA via some silly 3rd party McAfee authenticator app. But maybe I didn't click far enough to find it was a standard QR code.
Faith20879
Posts: 745
Joined: Fri Mar 02, 2007 10:16 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by Faith20879 »

absolute zero wrote: Sat May 02, 2020 9:43 pm If you have a gmail account or PayPal account, those would be two example of websites that allow for the use of authenticator apps. It’s pretty convenient and more secure than SMS for 2FA.
I do have a gmail account and use it often. It has a straightforward login process - go to the website, type in the email address and give my password and voila I am in. I am still not grasping how it is different from an app-based 2FA. Is it that if I were using a gmail app, there is a different kind of 2FA procedure?
HawkeyePierce
Posts: 1431
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by HawkeyePierce »

Faith20879 wrote: Fri May 08, 2020 11:33 am
absolute zero wrote: Sat May 02, 2020 9:43 pm If you have a gmail account or PayPal account, those would be two example of websites that allow for the use of authenticator apps. It’s pretty convenient and more secure than SMS for 2FA.
I do have a gmail account and use it often. It has a straightforward login process - go to the website, type in the email address and give my password and voila I am in. I am still not grasping how it is different from an app-based 2FA. Is it that if I were using a gmail app, there is a different kind of 2FA procedure?
Sounds like you haven't enabled 2FA on your Google account. You should do so. Google supports every 2FA method under the sun.

You can choose for app-based, where an app generates a six-digit code that rotates every minute.

You can go push-based, where a login on one client (eg your computer) pushes a prompt to another client (the Gmail app on your phone) to confirm the request is you.

You can go for a hardware token, where you plug in a Yubikey to authenticate.
absolute zero
Posts: 408
Joined: Thu Dec 29, 2016 4:59 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by absolute zero »

Faith20879 wrote: Fri May 08, 2020 11:33 am
absolute zero wrote: Sat May 02, 2020 9:43 pm If you have a gmail account or PayPal account, those would be two example of websites that allow for the use of authenticator apps. It’s pretty convenient and more secure than SMS for 2FA.
I do have a gmail account and use it often. It has a straightforward login process - go to the website, type in the email address and give my password and voila I am in. I am still not grasping how it is different from an app-based 2FA. Is it that if I were using a gmail app, there is a different kind of 2FA procedure?
Your current system utilizes a password as its security measure. That is definitely straightforward and simple. But it’s just 1 layer of security. 2FA methods represent a second layer of security, in addition to the password.

In the case of an authenticator app (just an example form of 2FA) the steps are:

1. Go to gmail’s website on your computer.
2. Enter username and password.
3. Open up your authenticator app on your phone. Can be google Authenticator app, or can be a similar app from a number of other companies (totally unrelated to gmail).
4. Read the code shown in the app and enter it into the gmail box on your computer where it requests the code.
5. You’ve made it into your gmail account.
Faith20879
Posts: 745
Joined: Fri Mar 02, 2007 10:16 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by Faith20879 »

HawkeyePierce wrote: Fri May 08, 2020 11:43 am
Sounds like you haven't enabled 2FA on your Google account. You should do so. Google supports every 2FA method under the sun.

You can choose for app-based, where an app generates a six-digit code that rotates every minute.
I think I finally see the light. Will get on Google to set it. Thanks for the enlightenment.
mptfan
Posts: 6159
Joined: Mon Mar 05, 2007 9:58 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by mptfan »

Faith20879 wrote: Fri May 08, 2020 11:33 am I do have a gmail account and use it often. It has a straightforward login process - go to the website, type in the email address and give my password and voila I am in. I am still not grasping how it is different from an app-based 2FA. Is it that if I were using a gmail app, there is a different kind of 2FA procedure?
Watch this video...

https://www.youtube.com/watch?v=zMabEyrtPRg

The video is from 2011 and the software has been updated since then, but the principles are the same.
sfly510
Posts: 14
Joined: Tue Feb 12, 2019 9:23 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by sfly510 »

Logged into Vanguard via Firefox today and was greeted with a prompt to press my Fido-U2F enabled Yubikey. Previously this had only worked for me with Chrome, despite multiple past attempts to trick the vanguard site into believing I was using Chrome via the User Agent string. Looks like Firefox is finally supported by Vanguard for Fido-U2F!
Samosa22
Posts: 59
Joined: Tue Dec 31, 2019 10:51 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by Samosa22 »

HawkeyePierce wrote: Tue May 05, 2020 5:40 pm
My recommendation to vastly improve your cybersecurity:
Thanks for your wonderful recommendations. Very helpful, especially to people like me who are still using SMS based 2FA...time to buy Yubikeys.
HawkeyePierce wrote: Tue May 05, 2020 5:40 pm I consider accessing a financial institution via their app to be *more* secure than using their website, especially on an iPhone. You can't get phished, the OS guarantees all communications are encrypted, no risk of rogue browser extensions stealing data.
One serious question: Suppose a person frequently uses an iPhone to access financial institutions via their apps, but s/he also uses the same iPhone to visit porn sites through a private browser mode. How vulnerable is such an iPhone to hacking attempts? If one has to assign a security-risk score on a scale of 1-10 (with 10 being the most vulnerable) what score would such an iPhone receive?
Lesson learned from 2008 financial crisis: "In the fury of the final hour, all correlations went to 1".
HawkeyePierce
Posts: 1431
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by HawkeyePierce »

Samosa22 wrote: Mon Sep 14, 2020 8:40 pm
HawkeyePierce wrote: Tue May 05, 2020 5:40 pm
My recommendation to vastly improve your cybersecurity:
Thanks for your wonderful recommendations. Very helpful, especially to people like me who are still using SMS based 2FA...time to buy Yubikeys.
HawkeyePierce wrote: Tue May 05, 2020 5:40 pm I consider accessing a financial institution via their app to be *more* secure than using their website, especially on an iPhone. You can't get phished, the OS guarantees all communications are encrypted, no risk of rogue browser extensions stealing data.
One serious question: Suppose a person frequently uses an iPhone to access financial institutions via their apps, but s/he also uses the same iPhone to visit porn sites through a private browser mode. How vulnerable is such an iPhone to hacking attempts? If one has to assign a security-risk score on a scale of 1-10 (with 10 being the most vulnerable) what score would such an iPhone receive?
This scenario would not worry me.
JBTX
Posts: 6821
Joined: Wed Jul 26, 2017 12:46 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by JBTX »

Gadget wrote: Thu May 07, 2020 4:25 pm
ftobin wrote: Sun May 03, 2020 2:08 am
dmcmahon wrote: Sun May 03, 2020 12:51 am Fidelity too
Unfortunately, for Fidelity, if you enable app TOTP 2FA, you have to use it on each login. If you simply use SMS-based 2FA, you can choose to enter it only when logging in from new devices. While I strongly prefer TOTP 2FA, I don't want to have to enter it all the time. Poor (lack of) design decision on their part, IMO.
Does Fidelity support standard TOTP 2FA now? As in, I can save the TOTP code in 1Password and 1Password will automatically fill it in for me after it autofills my username/password?

Last I checked on Fidelity, they only supported 2FA via some silly 3rd party McAfee authenticator app. But maybe I didn't click far enough to find it was a standard QR code.
Is there some problem with McAfee authenticator?
mptfan
Posts: 6159
Joined: Mon Mar 05, 2007 9:58 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by mptfan »

Samosa22 wrote: Mon Sep 14, 2020 8:40 pm One serious question: Suppose a person frequently uses an iPhone to access financial institutions via their apps, but s/he also uses the same iPhone to visit porn sites through a private browser mode.
Are you asking for a friend? lol
sfly510
Posts: 14
Joined: Tue Feb 12, 2019 9:23 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by sfly510 »

JBTX wrote: Wed Sep 16, 2020 12:13 am
Gadget wrote: Thu May 07, 2020 4:25 pm
ftobin wrote: Sun May 03, 2020 2:08 am
dmcmahon wrote: Sun May 03, 2020 12:51 am Fidelity too
Unfortunately, for Fidelity, if you enable app TOTP 2FA, you have to use it on each login. If you simply use SMS-based 2FA, you can choose to enter it only when logging in from new devices. While I strongly prefer TOTP 2FA, I don't want to have to enter it all the time. Poor (lack of) design decision on their part, IMO.
Does Fidelity support standard TOTP 2FA now? As in, I can save the TOTP code in 1Password and 1Password will automatically fill it in for me after it autofills my username/password?

Last I checked on Fidelity, they only supported 2FA via some silly 3rd party McAfee authenticator app. But maybe I didn't click far enough to find it was a standard QR code.
Is there some problem with McAfee authenticator?
It's actually Symantec VIP that Fidelity uses. For the technologically savvy, you can mimic the request to Symantec and take the resultant secret key and plug it into anything that supports TOTP. Someone also created a Docker image which can handle the request, if you trust not doing it manually.
JBTX
Posts: 6821
Joined: Wed Jul 26, 2017 12:46 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by JBTX »

At the risk of being a luddite, how would I use an authenticator like Authy? For what? I don't think they can be used at financial sites. Where could they be used where it actually matters?
JBTX
Posts: 6821
Joined: Wed Jul 26, 2017 12:46 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by JBTX »

sfly510 wrote: Wed Sep 16, 2020 10:51 am
JBTX wrote: Wed Sep 16, 2020 12:13 am
Gadget wrote: Thu May 07, 2020 4:25 pm
ftobin wrote: Sun May 03, 2020 2:08 am
dmcmahon wrote: Sun May 03, 2020 12:51 am Fidelity too
Unfortunately, for Fidelity, if you enable app TOTP 2FA, you have to use it on each login. If you simply use SMS-based 2FA, you can choose to enter it only when logging in from new devices. While I strongly prefer TOTP 2FA, I don't want to have to enter it all the time. Poor (lack of) design decision on their part, IMO.
Does Fidelity support standard TOTP 2FA now? As in, I can save the TOTP code in 1Password and 1Password will automatically fill it in for me after it autofills my username/password?

Last I checked on Fidelity, they only supported 2FA via some silly 3rd party McAfee authenticator app. But maybe I didn't click far enough to find it was a standard QR code.
Is there some problem with McAfee authenticator?
It's actually Symantec VIP that Fidelity uses. For the technologically savvy, you can mimic the request to Symantec and take the resultant secret key and plug it into anything that supports TOTP. Someone also created a Docker image which can handle the request, if you trust not doing it manually.
I have no idea what any of that means. Is what you describe a real problem or just a theoretical weakness that practically never happens?
sfly510
Posts: 14
Joined: Tue Feb 12, 2019 9:23 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by sfly510 »

JBTX wrote: Wed Sep 16, 2020 12:30 pm I have no idea what any of that means. Is what you describe a real problem or just a theoretical weakness that practically never happens?
Most of my reply was addressing Gadget's concern about the dependency on Symantec VIP. The workaround is a one-time step which mimics the Symantec VIP app calling out to the Symantec VIP server, and can be used to set up TOTP for Fidelity (or Schwab or any other entity which uses Symantec VIP) using any other TOTP capable system, e.g. a Yubikey, Authy, Google Authenticator, Bitwarden, 1Password, etc.

Personally I added the TOTP secret key(s) to my Yubikey because I prefer the hardware security it offers, with the obvious caveat that the secret key is (securely) transferred over the internet during the one-time setup.

For reference:

https://www.cyrozap.com/2014/09/29/reve ... -protocol/
https://hub.docker.com/r/kayvan/vipaccess/
https://www.mjt.me.uk/posts/yubikey-sym ... ip-access/
CCD
Posts: 73
Joined: Wed Mar 09, 2016 10:17 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by CCD »

sfly510 wrote: Wed Sep 16, 2020 3:39 pm
JBTX wrote: Wed Sep 16, 2020 12:30 pm I have no idea what any of that means. Is what you describe a real problem or just a theoretical weakness that practically never happens?
Most of my reply was addressing Gadget's concern about the dependency on Symantec VIP. The workaround is a one-time step which mimics the Symantec VIP app calling out to the Symantec VIP server, and can be used to set up TOTP for Fidelity (or Schwab or any other entity which uses Symantec VIP) using any other TOTP capable system, e.g. a Yubikey, Authy, Google Authenticator, Bitwarden, 1Password, etc.

Personally I added the TOTP secret key(s) to my Yubikey because I prefer the hardware security it offers, with the obvious caveat that the secret key is (securely) transferred over the internet during the one-time setup.

For reference:

https://www.cyrozap.com/2014/09/29/reve ... -protocol/
https://hub.docker.com/r/kayvan/vipaccess/
https://www.mjt.me.uk/posts/yubikey-sym ... ip-access/
Is there an easy way to do this for non-programmers? :(
abuss368
Posts: 21079
Joined: Mon Aug 03, 2009 2:33 pm
Location: Where the water is warm, the drinks are cold, and I don't know the names of the players!

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by abuss368 »

Good for Vanguard and enhanced security. I am surprised it has taken this long.
John C. Bogle: “Simplicity is the master key to financial success."
sfly510
Posts: 14
Joined: Tue Feb 12, 2019 9:23 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by sfly510 »

CCD wrote: Wed Sep 16, 2020 5:06 pm
sfly510 wrote: Wed Sep 16, 2020 3:39 pm
JBTX wrote: Wed Sep 16, 2020 12:30 pm I have no idea what any of that means. Is what you describe a real problem or just a theoretical weakness that practically never happens?
Most of my reply was addressing Gadget's concern about the dependency on Symantec VIP. The workaround is a one-time step which mimics the Symantec VIP app calling out to the Symantec VIP server, and can be used to set up TOTP for Fidelity (or Schwab or any other entity which uses Symantec VIP) using any other TOTP capable system, e.g. a Yubikey, Authy, Google Authenticator, Bitwarden, 1Password, etc.

Personally I added the TOTP secret key(s) to my Yubikey because I prefer the hardware security it offers, with the obvious caveat that the secret key is (securely) transferred over the internet during the one-time setup.

For reference:

https://www.cyrozap.com/2014/09/29/reve ... -protocol/
https://hub.docker.com/r/kayvan/vipaccess/
https://www.mjt.me.uk/posts/yubikey-sym ... ip-access/
Is there an easy way to do this for non-programmers? :(
I wouldn't say there's an "easy" way.

Perhaps the easiest way:
  1. Install Python on your computer - e.g. for Windows https://www.python.org/ftp/python/3.8.5 ... -amd64.exe
  2. From a command line run:
     pip install image lxml oath PyCrypto qrcode requests
  3. From a command line run:
     pip install python-vipaccess
  4. From a command line run:
     vipaccess
Feel free to PM me if you want more details.
ErRyTour
Posts: 5
Joined: Tue Apr 23, 2019 10:56 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by ErRyTour »

HawkeyePierce wrote: Sun May 03, 2020 11:54 am My recommendation to vastly improve your cybersecurity:
  • Get at least two Yubikeys. Keep one on a keychain or somewhere convenient, keep the other in a safe location. I use a fireproof document safe.
  • Use Gmail and set up your Google account to require 2FA using either your Yubikeys or a push notification to your phone's Gmail app—both are safe against phishing. Also ensure you print out your backup 2FA codes and keep them somewhere safe (again, fireproof document safe).
Agree with everything you wrote, but feel these two should have some revision:

- have another Yubikey kept off-site. A fireproof safe becomes proof of a fire if the fire burns long enough.
- don't create backup TOTP 2FA codes. They only serve as another entry point. Just keep the original 2FA code tucked away and use it to re-seed a new device.

One more thing - when the site says do you want to remember this computer - always say no.
otinkyad
Posts: 257
Joined: Wed Jun 01, 2016 5:35 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by otinkyad »

ftobin wrote: Sun May 03, 2020 2:08 am Unfortunately, for Fidelity, if you enable app TOTP 2FA, you have to use it on each login. If you simply use SMS-based 2FA, you can choose to enter it only when logging in from new devices. While I strongly prefer TOTP 2FA, I don't want to have to enter it all the time. Poor (lack of) design decision on their part, IMO.
That’s a feature, not a bug. If you get to choose whether to remember a device, you will sometimes choose poorly by accident. I never save cookies for financial sites, so that’s how everything behaves for me.
Samosa22
Posts: 59
Joined: Tue Dec 31, 2019 10:51 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by Samosa22 »

HawkeyePierce wrote: Tue Sep 15, 2020 11:35 pm My recommendation to vastly improve your cybersecurity:
Thanks again for your wonderful recommendations! I have now purchased two Yubikeys, enrolled my Google account as well as DW's in the Advanced Protection Program (using the same two Yubikeys), and have removed our phone numbers as an account recovery method. So, both accounts are now locked down. Questions:

1. My account still has DW's gmail as a recovery method, and DW's account has my gmail as a recovery method. Is this okay since each recovery account is "locked down" in itself? Or should we remove the recovery option altogether?

2. Can my account still be recovered using backup codes that I created previously? Or are those codes null and void as long as I am enrolled in the Advanced Protection Program?

3. While enrolling in this program I noticed that one of the disclaimers was that if you get locked out of your account it may take 3-5 days to regain account access. I wonder how would google verify my identity and restore my account in case I get locked out? This seems like a potential weakness that someone can use to takeover the account.

Thanks for your help!
Lesson learned from 2008 financial crisis: "In the fury of the final hour, all correlations went to 1".