Vanguard 2-step verification almost every single time!

Topic Author
rtt22
Posts: 66
Joined: Mon Nov 29, 2010 9:45 am

Vanguard 2-step verification almost every single time!

Post by rtt22 »

I have to go through the 2-step verification with Vanguard 9 out of 10 times even though I already set the frequency to send a security code in my account settings to "Only when Vanguard doesn't recognize my computer or device". I do have to switch in and out of my company VPN during the day, is that the reason? But Vanguard should have put a cookie in my browser to recognize my device the next time I log in? This annoyance only happens to my Vanguard logins.
RickBoglehead
Posts: 7055
Joined: Wed Feb 14, 2018 9:10 am
Location: In a house

Re: Vanguard 2-step verification almost every single time!

Post by RickBoglehead »

rtt22 wrote: Sat Jul 17, 2021 8:37 am I have to go through the 2-step verification with Vanguard 9 out of 10 times even though I already set the frequency to send a security code in my account settings to "Only when Vanguard doesn't recognize my computer or device". I do have to switch in and out of my company VPN during the day, is that the reason? But Vanguard should have put a cookie in my browser to recognize my device the next time I log in? This annoyance only happens to my Vanguard logins.
Yes, that is exactly the reason. Try using your phone with WiFi, then switch to cellular, and you'll see.
Avid user of forums on variety of interests-financial, home brewing, F-150, PHEV, home repair, etc. Enjoy learning & passing on knowledge. It's PRINCIPAL, not PRINCIPLE. I ADVISE you to seek ADVICE.
Normchad
Posts: 2718
Joined: Thu Mar 03, 2011 7:20 am

Re: Vanguard 2-step verification almost every single time!

Post by Normchad »

It happens to me too, but I like it.

I always browse in incognito mode, so I expect it to happen. Are you doing that?

Is your IP address changing frequently?
wander
Posts: 3773
Joined: Sat Oct 04, 2008 9:10 am

Re: Vanguard 2-step verification almost every single time!

Post by wander »

It does not happen to me unless when I clear all the browser cookies and cache. I think I like VG for that.
RickBoglehead
Posts: 7055
Joined: Wed Feb 14, 2018 9:10 am
Location: In a house

Re: Vanguard 2-step verification almost every single time!

Post by RickBoglehead »

Normchad wrote: Sat Jul 17, 2021 8:41 am It happens to me too, but I like it.

I always browse in incognito mode, so I expect it to happen. Are you doing that?

Is your IP address changing frequently?
Since the OP is switching in and out of a VPN, yes.
Avid user of forums on variety of interests-financial, home brewing, F-150, PHEV, home repair, etc. Enjoy learning & passing on knowledge. It's PRINCIPAL, not PRINCIPLE. I ADVISE you to seek ADVICE.
Topic Author
rtt22
Posts: 66
Joined: Mon Nov 29, 2010 9:45 am

Re: Vanguard 2-step verification almost every single time!

Post by rtt22 »

Normchad wrote: Sat Jul 17, 2021 8:41 am It happens to me too, but I like it.

I always browse in incognito mode, so I expect it to happen. Are you doing that?

Is your IP address changing frequently?
I'm aware that my IP addr changes frequently but only Vanguard makes me do 2-steps every so often. Maybe it's a feature and not a bug?
Normchad
Posts: 2718
Joined: Thu Mar 03, 2011 7:20 am

Re: Vanguard 2-step verification almost every single time!

Post by Normchad »

rtt22 wrote: Sat Jul 17, 2021 9:23 am
Normchad wrote: Sat Jul 17, 2021 8:41 am It happens to me too, but I like it.

I always browse in incognito mode, so I expect it to happen. Are you doing that?

Is your IP address changing frequently?
I'm aware that my IP addr changes frequently but only Vanguard makes me do 2-steps every so often. Maybe it's a feature and not a bug?
Yep. If Vanguard sees a log in attempt from a new IP address, that should trigger their “unrecognized computer” challenge. If it didn’t, there would be a 10 page complaint thread about it around here. :)
bondsr4me
Posts: 1660
Joined: Fri Oct 18, 2013 7:08 am

Re: Vanguard 2-step verification almost every single time!

Post by bondsr4me »

wander wrote: Sat Jul 17, 2021 8:42 am It does not happen to me unless when I clear all the browser cookies and cache. I think I like VG for that.
+1

I clear all cookies (if I even allow them) and cache every time I close Safari.

Yes, this means VG will send a code to my phone every time I log in.
I’m OK with that; I’ll take the security.
VG is just trying to be more secure and I support that.
kevinf
Posts: 416
Joined: Mon Aug 05, 2019 11:35 pm

Re: Vanguard 2-step verification almost every single time!

Post by kevinf »

rtt22 wrote: Sat Jul 17, 2021 8:37 am I have to go through the 2-step verification with Vanguard 9 out of 10 times even though I already set the frequency to send a security code in my account settings to "Only when Vanguard doesn't recognize my computer or device". I do have to switch in and out of my company VPN during the day, is that the reason? But Vanguard should have put a cookie in my browser to recognize my device the next time I log in? This annoyance only happens to my Vanguard logins.
You could turn this into a feature by using a hardware security token such as a Yubikey. I have a 2-factor challenge for every login, but it's as simple as reaching down slightly to tap my key... and I'm in. Any account that would cause substantial hardship were it to be hacked should be protected by a hardware token via 2-factor. That means all financial accounts, and for most people, their email account as well.
jebmke
Posts: 13136
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Vanguard 2-step verification almost every single time!

Post by jebmke »

kevinf wrote: Sat Jul 17, 2021 1:17 pm You could turn this into a feature by using a hardware security token such as a Yubikey. I have a 2-factor challenge for every login, but it's as simple as reaching down slightly to tap my key... and I'm in. Any account that would cause substantial hardship were it to be hacked should be protected by a hardware token via 2-factor. That means all financial accounts, and for most people, their email account as well.
USAA has face recognition on the iPhone app (I have not installed it ... yet). Do you consider that secure?
When you discover that you are riding a dead horse, the best strategy is to dismount.
kevinf
Posts: 416
Joined: Mon Aug 05, 2019 11:35 pm

Re: Vanguard 2-step verification almost every single time!

Post by kevinf »

I don't personally consider most consumer grade biometrics to be secure, and very few commercial grade ones. There are many examples of systems being defeated by photos or other reproductions. Your face, voice, and fingerprints are not secrets.

I consider it better than just 1-factor auth, but far less secure than a proper SECRET factor. Most smartphones these days have hardware tokens built in, and actual hardware key tokens are affordable, so there are few reasons not to use hardware token based 2-factor.
Colorado13
Posts: 1263
Joined: Thu Apr 07, 2011 4:58 pm
Location: Colorado

Re: Vanguard 2-step verification almost every single time!

Post by Colorado13 »

I think that is fabulous in terms of security but admit that computer security is not my area of expertise.

How often are you logging in? I'm curious why you view this login issue as problematic and welcome insights.
Last edited by Colorado13 on Mon Jul 19, 2021 10:53 am, edited 1 time in total.
Alan S.
Posts: 10715
Joined: Mon May 16, 2011 6:07 pm
Location: Prescott, AZ

Re: Vanguard 2-step verification almost every single time!

Post by Alan S. »

If you could think of all the times in your lifetime that bad actors have caused you inconveniences, they would count up to several every single day. This is just another one of those inconveniences.

If our legal system wasn't historically soft on white collar crime over many decades, the risks we live with would be much less. Nonetheless, protection of my life savings in these times takes precedence over the inconveniences necessary to provide that protection.

Remember the days that most people left their doors unlocked? Long gone and never coming back! :(
mptfan
Posts: 6625
Joined: Mon Mar 05, 2007 9:58 am

Re: Vanguard 2-step verification almost every single time!

Post by mptfan »

Alan S. wrote: Mon Jul 19, 2021 4:30 pm Remember the days that most people left their doors unlocked? Long gone and never coming back! :(
Not necessarily long gone, that depends on where you live.
Finridge
Posts: 865
Joined: Mon May 16, 2011 7:27 pm

Re: Vanguard 2-step verification almost every single time!

Post by Finridge »

I want 2-step verification every time. When they ask if I'm on a "public computer" I always say "yes" because I don't want them to turn off 2-step verification for my computer. I've asked Vanguard if there is a way to always require 2-step without any exceptions, but they say there is not... so that is what I have to do.

If someone electronically hijacks my computer (not that hard to do actually) or physically steals my computer, I do not want them to be able to empty my account.
jerryk68
Posts: 220
Joined: Wed Jan 22, 2014 7:56 pm

Re: Vanguard 2-step verification almost every single time!

Post by jerryk68 »

I like 2FA. I want it every time I login. I also put it on every account that offers it including my banks, ebay, and amazon.
xenial
Posts: 2762
Joined: Tue Feb 27, 2007 1:36 am
Location: USA

Re: Vanguard 2-step verification almost every single time!

Post by xenial »

Finridge wrote: Mon Jul 19, 2021 6:48 pm I want 2-step verification every time. When they ask if I'm on a "public computer" I always say "yes" because I don't want them to turn off 2-step verification for my computer. I've asked Vanguard if there is a way to always require 2-step without any exceptions, but they say there is not... so that is what I have to do.
It's easy to get 2-step verification every time on a recognized computer. Log in to your account, and select My Accounts > Profile & account settings from the menu bar on top of the page. In the "Security profile" section of the resulting page, click on Security code. You should be on the Security code settings page. Click the Edit link to the right of "Frequency." Now select Every time I log on and click the Continue button. That should do it.
Silence Dogood
Posts: 1506
Joined: Tue Feb 01, 2011 9:22 pm

Re: Vanguard 2-step verification almost every single time!

Post by Silence Dogood »

xenial wrote: Tue Jul 20, 2021 8:03 pm
Finridge wrote: Mon Jul 19, 2021 6:48 pm I want 2-step verification every time. When they ask if I'm on a "public computer" I always say "yes" because I don't want them to turn off 2-step verification for my computer. I've asked Vanguard if there is a way to always require 2-step without any exceptions, but they say there is not... so that is what I have to do.
It's easy to get 2-step verification every time on a recognized computer. Log in to your account, and select My Accounts > Profile & account settings from the menu bar on top of the page. In the "Security profile" section of the resulting page, click on Security code. You should be on the Security code settings page. Click the Edit link to the right of "Frequency." Now select Every time I log on and click the Continue button. That should do it.
Unfortunately this option does not currently exist for security keys (as far as I can tell).
Katietsu
Posts: 5065
Joined: Sun Sep 22, 2013 1:48 am

Re: Vanguard 2-step verification almost every single time!

Post by Katietsu »

mptfan wrote: Mon Jul 19, 2021 4:40 pm
Alan S. wrote: Mon Jul 19, 2021 4:30 pm Remember the days that most people left their doors unlocked? Long gone and never coming back! :(
Not necessarily long gone, that depends on where you live.
Yup. I learned a long time ago that the chance I locked myself out of my house was orders of magnitude higher than a bad actor trying to get in.
stocknoob4111
Posts: 2055
Joined: Sun Jan 07, 2018 12:52 pm

Re: Vanguard 2-step verification almost every single time!

Post by stocknoob4111 »

I used to have this issue, constantly asking me even when I said "Remember this device" but it suddenly stopped asking me for the last couple months so I think it's fixed now
Tubes
Posts: 305
Joined: Wed Apr 22, 2020 6:33 am

Re: Vanguard 2-step verification almost every single time!

Post by Tubes »

Silence Dogood wrote: Tue Jul 20, 2021 8:44 pm
xenial wrote: Tue Jul 20, 2021 8:03 pm
Finridge wrote: Mon Jul 19, 2021 6:48 pm I want 2-step verification every time. When they ask if I'm on a "public computer" I always say "yes" because I don't want them to turn off 2-step verification for my computer. I've asked Vanguard if there is a way to always require 2-step without any exceptions, but they say there is not... so that is what I have to do.
It's easy to get 2-step verification every time on a recognized computer. Log in to your account, and select My Accounts > Profile & account settings from the menu bar on top of the page. In the "Security profile" section of the resulting page, click on Security code. You should be on the Security code settings page. Click the Edit link to the right of "Frequency." Now select Every time I log on and click the Continue button. That should do it.
Unfortunately this option does not currently exist for security keys (as far as I can tell).
I just converted to security key 2FA log in. It forced me to "every time" and would not allow "recognized computer". So, I must use the key every time, without a choice. That's good. Are you saying you can still log in without the key? Basically, my experience is once keys are registered, you have no choice, you must use it.
Silence Dogood
Posts: 1506
Joined: Tue Feb 01, 2011 9:22 pm

Re: Vanguard 2-step verification almost every single time!

Post by Silence Dogood »

Tubes wrote: Wed Jul 21, 2021 2:40 pm
Silence Dogood wrote: Tue Jul 20, 2021 8:44 pm
xenial wrote: Tue Jul 20, 2021 8:03 pm
Finridge wrote: Mon Jul 19, 2021 6:48 pm I want 2-step verification every time. When they ask if I'm on a "public computer" I always say "yes" because I don't want them to turn off 2-step verification for my computer. I've asked Vanguard if there is a way to always require 2-step without any exceptions, but they say there is not... so that is what I have to do.
It's easy to get 2-step verification every time on a recognized computer. Log in to your account, and select My Accounts > Profile & account settings from the menu bar on top of the page. In the "Security profile" section of the resulting page, click on Security code. You should be on the Security code settings page. Click the Edit link to the right of "Frequency." Now select Every time I log on and click the Continue button. That should do it.
Unfortunately this option does not currently exist for security keys (as far as I can tell).
I just converted to security key 2FA log in. It forced me to "every time" and would not allow "recognized computer". So, I must use the key every time, without a choice. That's good. Are you saying you can still log in without the key? Basically, my experience is once keys are registered, you have no choice, you must use it.
That is good...

Where do you see that you are forced to use it "every time"?

Each time I sign in I am asked if I am signing in using a private or public device (by default, "public device" is selected - which is what I keep it at, since I prefer to always use two-factor authentication). When you are prompted to touch the Yubikey, are you asked this question?

Thank you for your time.
Northern Flicker
Posts: 8029
Joined: Fri Apr 10, 2015 12:29 am

Re: Vanguard 2-step verification almost every single time!

Post by Northern Flicker »

rtt22 wrote: Sat Jul 17, 2021 8:37 am I have to go through the 2-step verification with Vanguard 9 out of 10 times even though I already set the frequency to send a security code in my account settings to "Only when Vanguard doesn't recognize my computer or device". I do have to switch in and out of my company VPN during the day, is that the reason? But Vanguard should have put a cookie in my browser to recognize my device the next time I log in? This annoyance only happens to my Vanguard logins.
Why would you want to reduce the security robustness of the login protocol by doing this? Best practice is to configure the account always to require 2FA.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
Tubes
Posts: 305
Joined: Wed Apr 22, 2020 6:33 am

Re: Vanguard 2-step verification almost every single time!

Post by Tubes »

Silence Dogood wrote: Wed Jul 21, 2021 3:22 pm
Tubes wrote: Wed Jul 21, 2021 2:40 pm
Silence Dogood wrote: Tue Jul 20, 2021 8:44 pm
xenial wrote: Tue Jul 20, 2021 8:03 pm
Finridge wrote: Mon Jul 19, 2021 6:48 pm I want 2-step verification every time. When they ask if I'm on a "public computer" I always say "yes" because I don't want them to turn off 2-step verification for my computer. I've asked Vanguard if there is a way to always require 2-step without any exceptions, but they say there is not... so that is what I have to do.
It's easy to get 2-step verification every time on a recognized computer. Log in to your account, and select My Accounts > Profile & account settings from the menu bar on top of the page. In the "Security profile" section of the resulting page, click on Security code. You should be on the Security code settings page. Click the Edit link to the right of "Frequency." Now select Every time I log on and click the Continue button. That should do it.
Unfortunately this option does not currently exist for security keys (as far as I can tell).
I just converted to security key 2FA log in. It forced me to "every time" and would not allow "recognized computer". So, I must use the key every time, without a choice. That's good. Are you saying you can still log in without the key? Basically, my experience is once keys are registered, you have no choice, you must use it.
That is good...

Where do you see that you are forced to use it "every time"?

Each time I sign in I am asked if I am signing in using a private or public device (by default, "public device" is selected - which is what I keep it at, since I prefer to always use two-factor authentication). When you are prompted to touch the Yubikey, are you asked this question?

Thank you for your time.
OK. Firefox was overlaying a pop up over the "public"/"remember" questions, so I missed those.

I cleared the pop up and changed it to "remember", and regardless, the next log in it ignored my "remember" and made me use the key. I guess that's what I mean.

What I meant in my initial reply was that there's a place in security code configuration that you can choose the result of this public/remember question (i.e. the "frequency" setting). This setting doesn't exist for keys, so it ignores the public/remember checkbox. With codes, you can force it or not. At least in my case with Firefox! Perhaps if I used a different browser it would be different.

Sorry I think I was confused. I'm not going to own my confusion. Vanguard's 2FA implementation completely stinks.
Silence Dogood
Posts: 1506
Joined: Tue Feb 01, 2011 9:22 pm

Re: Vanguard 2-step verification almost every single time!

Post by Silence Dogood »

Tubes wrote: Wed Jul 21, 2021 3:39 pm I cleared the pop up and changed it to "remember", and regardless, the next log in it ignored my "remember" and made me use the key. I guess that's what I mean.
Just to make sure that I understand this correctly, now when you sign in from your recognized device, you are no longer asked whether or not you are using a private/public device, yet you are still required to use the security key?

If so, that's good.

(But then why does Vanguard bother to ask whether the device is private/public in the first place..?)
Tubes
Posts: 305
Joined: Wed Apr 22, 2020 6:33 am

Re: Vanguard 2-step verification almost every single time!

Post by Tubes »

Silence Dogood wrote: Wed Jul 21, 2021 3:54 pm
Tubes wrote: Wed Jul 21, 2021 3:39 pm I cleared the pop up and changed it to "remember", and regardless, the next log in it ignored my "remember" and made me use the key. I guess that's what I mean.
Just to make sure that I understand this correctly, now when you sign in from your recognized device, you are no longer asked whether or not you are using a private/public device, yet you are still required to use the security key?

If so, that's good.

(But then why does Vanguard bother to ask whether the device is private/public in the first place..?)
It provides the two choices, but has no effect! No matter my answer, it requires me to use the key.
brianH
Posts: 550
Joined: Wed Aug 12, 2009 12:21 pm

Re: Vanguard 2-step verification almost every single time!

Post by brianH »

Normchad wrote: Sat Jul 17, 2021 9:25 am
Yep. If Vanguard sees a log in attempt from a new IP address, that should trigger their “unrecognized computer” challenge. If it didn’t, there would be a 10 page complaint thread about it around here. :)
Not from me. Locking a second-factor 'remember' cookie to an IP address is a newbie-level software design mistake. Security theater that just annoys users (as it did here, if that's what they're doing)
dropdx
Posts: 152
Joined: Thu Jun 06, 2019 9:01 pm

Re: Vanguard 2-step verification almost every single time!

Post by dropdx »

It’s super annoying. I also hate how they prompt for your password inside of the app too. I use a password manager, so I have to switch to that app to get the password and then when I go back to Vanguard it’s not on the same page anymore. Very, very annoying.
Topic Author
rtt22
Posts: 66
Joined: Mon Nov 29, 2010 9:45 am

Re: Vanguard 2-step verification almost every single time!

Post by rtt22 »

Northern Flicker wrote: Wed Jul 21, 2021 3:26 pm
rtt22 wrote: Sat Jul 17, 2021 8:37 am I have to go through the 2-step verification with Vanguard 9 out of 10 times even though I already set the frequency to send a security code in my account settings to "Only when Vanguard doesn't recognize my computer or device". I do have to switch in and out of my company VPN during the day, is that the reason? But Vanguard should have put a cookie in my browser to recognize my device the next time I log in? This annoyance only happens to my Vanguard logins.
Why would you want to reduce the security robustness of the login protocol by doing this? Best practice is to configure the account always to require 2FA.
Vanguard offers the option to send code "Only when Vanguard doesn't recognize my computer or device". I'll take it. Problem is it does not seem to recognize my computer or device even though I only use one laptop. IP address seems to be a factor but as someone pointed out above, "Locking a second-factor 'remember' cookie to an IP address is a newbie-level software design mistake" which I tend to agree.
montanagirl
Posts: 1514
Joined: Thu Nov 19, 2009 4:55 pm
Location: Montana

Re: Vanguard 2-step verification almost every single time!

Post by montanagirl »

Yes I have to register my PC over and over. I guess I have a dynamic IP?

Yet I can get on with mobile, same network, with only a password.

I don't get it.
patrick013
Posts: 3219
Joined: Mon Jul 13, 2015 7:49 pm

Re: Vanguard 2-step verification almost every single time!

Post by patrick013 »

I wished they used Google authenticator or a like app.
May not get rid of all threats but quite a few of them.

They could possibly port scan a hardware key if the
firewall is not on and then need to decrypt it.

If set only for strange logins it should be convenient.
age in bonds, buy-and-hold, 10 year business cycle
brianH
Posts: 550
Joined: Wed Aug 12, 2009 12:21 pm

Re: Vanguard 2-step verification almost every single time!

Post by brianH »

patrick013 wrote: Thu Jul 22, 2021 8:44 am I wished they used Google authenticator or a like app.
Agreed. I don't know why everyone feels the need to reimplement their own version of 2FA. The one used by the Google Authenticator app is a standard (https://datatracker.ietf.org/doc/html/rfc6238), easy to implement as a software developer, and there are many code generating clients (Authy, Microsoft, GA) one can choose from.

The phone-app-generated codes are more secure than codes sent via email/text in most cases, and you don't have to wait for the code to be sent.
patrick013
Posts: 3219
Joined: Mon Jul 13, 2015 7:49 pm

Re: Vanguard 2-step verification almost every single time!

Post by patrick013 »

brianH wrote: Thu Jul 22, 2021 11:39 am
patrick013 wrote: Thu Jul 22, 2021 8:44 am I wished they used Google authenticator or a like app.
The phone-app-generated codes are more secure than codes sent via email/text in most cases, and you don't have to wait for the code to be sent.
The one in google settings will render a secret code to use as well. Or different
codes if needed. Then just one input of the secret to a website to start using
the code generator for any website login that uses these code generators at login.
age in bonds, buy-and-hold, 10 year business cycle
Northern Flicker
Posts: 8029
Joined: Fri Apr 10, 2015 12:29 am

Re: Vanguard 2-step verification almost every single time!

Post by Northern Flicker »

rtt22 wrote: Thu Jul 22, 2021 8:32 am
Northern Flicker wrote: Wed Jul 21, 2021 3:26 pm
rtt22 wrote: Sat Jul 17, 2021 8:37 am I have to go through the 2-step verification with Vanguard 9 out of 10 times even though I already set the frequency to send a security code in my account settings to "Only when Vanguard doesn't recognize my computer or device". I do have to switch in and out of my company VPN during the day, is that the reason? But Vanguard should have put a cookie in my browser to recognize my device the next time I log in? This annoyance only happens to my Vanguard logins.
Why would you want to reduce the security robustness of the login protocol by doing this? Best practice is to configure the account always to require 2FA.
Vanguard offers the option to send code "Only when Vanguard doesn't recognize my computer or device". I'll take it. Problem is it does not seem to recognize my computer or device even though I only use one laptop. IP address seems to be a factor but as someone pointed out above, "Locking a second-factor 'remember' cookie to an IP address is a newbie-level software design mistake" which I tend to agree.
Just having a cookie that is independent of anything else as the second factor is a terrible software design mistake, because of the potential for the cookie to be copied somewhere else and used for your authentication. I believe that the FDIC disallows banks from using that method.

Also, if you use a Yubikey for 2FA, it provides protection against man-in-the-middle attacks in addition to an enhanced authentication protocol. Telling the Vanguard service to remember the computer defeats that. It just is not best practice to do it.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
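The trade-off argued in this thread over tying a "remember this device" cookie to an IP address, as an added sketch that is not from any poster and does not describe Vanguard's implementation. The `RememberedDevices` class, `count_challenges` helper and user name are hypothetical, and the addresses are constructed values from documentation ranges.

```python
import hashlib
import secrets

CHALLENGE, SKIP = "challenge", "skip"

# Constructed sample data: one laptop moving between home and a company VPN.
HOME_IP, VPN_IP, OTHER_IP = "203.0.113.10", "198.51.100.7", "192.0.2.99"
WORKDAY = [HOME_IP, VPN_IP, HOME_IP, VPN_IP, HOME_IP, HOME_IP]


class RememberedDevices:
    """Server-side record of remembered devices (hypothetical design).

    The cookie holds only a random token; the server keeps its SHA-256 digest
    with the owning user, an expiry and the IP seen when it was issued, so a
    token can expire or be revoked without trusting anything in the browser.
    """

    def __init__(self, ttl_seconds: int = 30 * 24 * 3600, pin_to_ip: bool = False):
        self.ttl_seconds = ttl_seconds
        self.pin_to_ip = pin_to_ip
        self._rows = {}              # token digest -> record

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, ip: str, now: int) -> str:
        """Call only after the user has just passed the second factor."""
        token = secrets.token_urlsafe(32)
        self._rows[self._digest(token)] = {
            "user": user, "ip": ip, "expires": now + self.ttl_seconds}
        return token

    def decide(self, user: str, token, ip: str, now: int) -> str:
        row = self._rows.get(self._digest(token)) if token else None
        if row is None or row["user"] != user or now >= row["expires"]:
            return CHALLENGE
        if self.pin_to_ip and row["ip"] != ip:
            return CHALLENGE         # same browser, new network: ask again
        return SKIP

    def revoke_user(self, user: str) -> None:
        """Forget every remembered device, e.g. after a password change."""
        self._rows = {d: r for d, r in self._rows.items() if r["user"] != user}


def count_challenges(pin_to_ip: bool, ips) -> int:
    """Replay a sequence of logins from one browser and count 2FA prompts."""
    store = RememberedDevices(pin_to_ip=pin_to_ip)
    cookie, challenges = None, 0
    for hour, ip in enumerate(ips):
        now = hour * 3600
        if store.decide("alice", cookie, ip, now) == CHALLENGE:
            challenges += 1
            cookie = store.issue("alice", ip, now)   # remembered again
    return challenges


def copied_cookie_outcome(pin_to_ip: bool) -> str:
    """Decision for a valid token presented from an address never seen before."""
    store = RememberedDevices(pin_to_ip=pin_to_ip)
    token = store.issue("alice", HOME_IP, now=0)
    return store.decide("alice", token, OTHER_IP, now=60)


if __name__ == "__main__":
    print("prompts, pinned to IP:  ", count_challenges(True, WORKDAY))
    print("prompts, not pinned:    ", count_challenges(False, WORKDAY))
    print("copied cookie, pinned:  ", copied_cookie_outcome(True))
    print("copied cookie, unpinned:", copied_cookie_outcome(False))
```

Pinning produces the repeated prompts the original poster describes, while not pinning accepts a copied token from elsewhere until it expires or is revoked server-side.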
Northern Flicker
Posts: 8029
Joined: Fri Apr 10, 2015 12:29 am

Re: Vanguard 2-step verification almost every single time!

Post by Northern Flicker »

brianH wrote: Thu Jul 22, 2021 11:39 am
patrick013 wrote: Thu Jul 22, 2021 8:44 am I wished they used Google authenticator or a like app.
Agreed. I don't know why everyone feels the need to reimplement their own version of 2FA. The one used by the Google Authenticator app is a standard (https://datatracker.ietf.org/doc/html/rfc6238), easy to implement as a software developer, and there are many code generating clients (Authy, Microsoft, GA) one can choose from.

The phone-app-generated codes are more secure than codes sent via email/text in most cases, and you don't have to wait for the code to be sent.
Many hardware tokens like Yubikeys are more secure than the authenticator apps because they also defeat man-in-the-middle attacks if the service using them is configured properly.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
Tubes
Posts: 305
Joined: Wed Apr 22, 2020 6:33 am

Re: Vanguard 2-step verification almost every single time!

Post by Tubes »

Northern Flicker wrote: Thu Jul 22, 2021 8:18 pm
Just having a cookie that is independent of anything else as the second factor is a terrible software design mistake, because of the potential for the cookie to be copied somewhere else and used for your authentication. I believe that the FDIC disallows banks from using that method.
That's interesting because Treasury Direct allows it. I know the Treasury Department is not FDIC insured, but still...
patrick013
Posts: 3219
Joined: Mon Jul 13, 2015 7:49 pm

Re: Vanguard 2-step verification almost every single time!

Post by patrick013 »

Northern Flicker wrote: Thu Jul 22, 2021 8:23 pm
brianH wrote: Thu Jul 22, 2021 11:39 am
patrick013 wrote: Thu Jul 22, 2021 8:44 am I wished they used Google authenticator or a like app.
Agreed. I don't know why everyone feels the need to reimplement their own version of 2FA. The one used by the Google Authenticator app is a standard (https://datatracker.ietf.org/doc/html/rfc6238), easy to implement as a software developer, and there are many code generating clients (Authy, Microsoft, GA) one can choose from.

The phone-app-generated codes are more secure than codes sent via email/text in most cases, and you don't have to wait for the code to be sent.
Many hardware tokens like Yubikeys are more secure than the authenticator apps because they also defeat man-in-the-middle attacks if the service using them is configured properly.
Auth-apps get rid of most threats especially if the websites
only allow one login per generated 6 digit code, the primary
user of course. Hard for a threat to gain access then. Most
if not all threats are handled then. You'd need the Auth
program itself, several 6 digit codes, and run thousands of
simulations to produce the secret code needed to gain access
when wanted. Not impossible but some high-level math
involved, if the Auth program was freely available not just
the user app. That needs to be foolproof.

VG only asks me for 2FA when I switch browsers it seems.
age in bonds, buy-and-hold, 10 year business cycle
Northern Flicker
Posts: 8029
Joined: Fri Apr 10, 2015 12:29 am

Re: Vanguard 2-step verification almost every single time!

Post by Northern Flicker »

Tubes wrote: Fri Jul 23, 2021 6:33 am
Northern Flicker wrote: Thu Jul 22, 2021 8:18 pm
Just having a cookie that is independent of anything else as the second factor is a terrible software design mistake, because of the potential for the cookie to be copied somewhere else and used for your authentication. I believe that the FDIC disallows banks from using that method.
That's interesting because Treasury Direct allows it. I know the Treasury Department is not FDIC insured, but still...
I doubt it is implemented exclusively by cookies at treasury direct.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
Tubes
Posts: 305
Joined: Wed Apr 22, 2020 6:33 am

Re: Vanguard 2-step verification almost every single time!

Post by Tubes »

Northern Flicker wrote: Fri Jul 23, 2021 11:38 am
Tubes wrote: Fri Jul 23, 2021 6:33 am
Northern Flicker wrote: Thu Jul 22, 2021 8:18 pm
Just having a cookie that is independent of anything else as the second factor is a terrible software design mistake, because of the potential for the cookie to be copied somewhere else and used for your authentication. I believe that the FDIC disallows banks from using that method.
That's interesting because Treasury Direct allows it. I know the Treasury Department is not FDIC insured, but still...
I doubt it is implemented exclusively by cookies at treasury direct.
Maybe I'm misunderstanding the conversation.

With TD, I log on, and once I give it my user ID, it asks for a 2FA challenge. Then I type in my password on a virtual keyboard.

On the next log on, I give it my user ID, it skips the 2FA challenge, and I directly get my password screen.

If I clear cookies (I just tried it), my next log on requires a 2FA challenge.

So cookies are part of this. But not everything, of course. They also time out sessions on the back end after a time.
Northern Flicker
Posts: 8029
Joined: Fri Apr 10, 2015 12:29 am

Re: Vanguard 2-step verification almost every single time!

Post by Northern Flicker »

patrick013 wrote: Auth-apps get rid of most threats especially if the websites
only allow one login per generated 6 digit code, the primary
user of course. Hard for a threat to gain access then.
As I mentioned, Auth apps do not prevent man-in-the-middle attacks. That is the case even if used as you describe. Yubikey can prevent them as long as you get a clean connection to the service when you initialize the Yubikey with the service.

There have been examples of rogue certificates provided by certificate authorities in countries that are lax (passively complicit?) in cyberattacks. You can reduce the risk by deleting "trusted" certificate authorities from your browser that you may prefer not to trust. It can break your ability to do e-commerce with businesses in the country or surrounding countries, but you may not care about that.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
Northern Flicker
Posts: 8029
Joined: Fri Apr 10, 2015 12:29 am

Re: Vanguard 2-step verification almost every single time!

Post by Northern Flicker »

Tubes wrote: Fri Jul 23, 2021 11:49 am
Northern Flicker wrote: Fri Jul 23, 2021 11:38 am
Tubes wrote: Fri Jul 23, 2021 6:33 am
Northern Flicker wrote: Thu Jul 22, 2021 8:18 pm
Just having a cookie that is independent of anything else as the second factor is a terrible software design mistake, because of the potential for the cookie to be copied somewhere else and used for your authentication. I believe that the FDIC disallows banks from using that method.
That's interesting because Treasury Direct allows it. I know the Treasury Department is not FDIC insured, but still...
I doubt it is implemented exclusively by cookies at treasury direct.
Maybe I'm misunderstanding the conversation.
Yes. If not implemented exclusively by cookies, the cookie is insufficient to spoof your browser, but still will defeat recognizing your browser if the cookie is cleared.

A BH posting is the same typing as a month or so of typing in 2FA 6-digit tokens. Just do it. This saves you the greater effort and need to have the technical background to do the detailed threat modeling to decide if it is sufficiently secure to turn on "remember this computer".
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
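A sketch of a "remember this computer" cookie that is not accepted on its own, added here as an example and not taken from any post or from Vanguard's or Treasury Direct's implementation. It assumes the server signs the cookie over the account, an expiry and a `fingerprint` string of browser attributes it observes; all names are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment signing key (constructed)
MAX_AGE = 30 * 24 * 3600              # assumed cookie lifetime: 30 days


def sign_device(user: str, device_id: str, fingerprint: str, expires: int) -> str:
    # JSON-encode the fields so their boundaries cannot be confused.
    msg = json.dumps([user, device_id, fingerprint, expires]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(user: str, fingerprint: str, now: int) -> str:
    """Issue a device cookie; call only after a successful 2FA challenge."""
    device_id = secrets.token_hex(16)
    expires = now + MAX_AGE
    mac = sign_device(user, device_id, fingerprint, expires)
    return f"{device_id}.{expires}.{mac}"


def second_factor_required(cookie, user, fingerprint, now, revoked=frozenset()):
    """Return True when this login must go through the 2FA challenge."""
    if not cookie:
        return True  # cleared cookies or incognito: device not recognized
    try:
        device_id, expires_s, mac = cookie.split(".")
        expires = int(expires_s)
    except ValueError:
        return True  # malformed cookie
    expected = sign_device(user, device_id, fingerprint, expires)
    if not hmac.compare_digest(mac, expected):
        return True  # other account, changed browser attributes, or tampering
    if now >= expires or device_id in revoked:
        return True  # timed out or revoked on the back end
    return False
```

The fingerprint raises the bar for a copied cookie but is not a secret, and any attribute in it that changes between logins sends the user back to the challenge.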
patrick013
Posts: 3219
Joined: Mon Jul 13, 2015 7:49 pm

Re: Vanguard 2-step verification almost every single time!

Post by patrick013 »

Northern Flicker wrote: Fri Jul 23, 2021 11:53 am
patrick013 wrote: Auth-apps get rid of most threats especially if the websites
only allow one login per generated 6 digit code, the primary
user of course. Hard for a threat to gain access then.
As I mentioned, Auth apps do not prevent man-in-the-middle attacks. That is the case even if used as you describe. Yubikey can prevent them as long as you get a clean connection to the service when you initialize the Yubikey with the service.
I'm not completely sold on that. A port scan can get a Yubikey code, a
static code. Google Authenticator generates a different code every time.
Or Microsoft or Symantec. A hacker would have to be pretty dedicated
to get a static code and be able to use that code acquired when name and password have been acquired. Even more so when the req'd code changes
with every login and he has no way to generate it.

Secure wifi, https, and more certificate usage are supposed to help
but any 2FA will make security a little better and harder for attackers.
age in bonds, buy-and-hold, 10 year business cycle
patrick013
Posts: 3219
Joined: Mon Jul 13, 2015 7:49 pm

Re: Vanguard 2-step verification almost every single time!

Post by patrick013 »

Maybe my misunderstanding. If the hardware token is generating a different code
for each login it is functioning like a google authenticator which has a weakness in
that intercepting the initial secret at the time of registration using a person-in-the-middle
can render it useless. If the hardware token is only issuing a static ID code, the
same location ID code for all logins, that ID code could be used anytime by attackers
who discovered it in a port scan.
age in bonds, buy-and-hold, 10 year business cycle
kevinf
Posts: 416
Joined: Mon Aug 05, 2019 11:35 pm

Re: Vanguard 2-step verification almost every single time!

Post by kevinf »

Securing the initial connection is NOT the purpose of the Yubikey, that is handled by other security measures. The Yubikey protects a preexisting secure connection from being compromised in the future.

I mean, yea... if you registered over a compromised connection with a compromised service from the get-go, then you have no valid security for later connections either. This kind of security presumes you've registered across an encrypted connection to an authenticated service to keep future connections secure from man-in-the-middle attacks. If your entire setup phase was compromised from the start, then nearly any security authentication measure fails. If you believe the internet route to the service you want to protect is compromised, you could technically mail the Yubikey to the service and have them set up 2FA locally and mail it back, then you can use the Yubikey to securely connect over the internet from that point forward.

But "port scanning the Yubikey" still makes no sense. Once the key has been registered, all that happens is the site sends its code to the Yubikey, which then authenticates against an internal private key and provides a yes/no to validity. There is nothing coming out of the Yubikey to "scan" outside of the initial security pairing... if the attacker doesn't have a valid key to send for verification, the Yubikey will not authenticate it and pass a "yes, verified" out.
patrick013
Posts: 3219
Joined: Mon Jul 13, 2015 7:49 pm

Re: Vanguard 2-step verification almost every single time!

Post by patrick013 »

kevinf wrote: Fri Jul 23, 2021 3:16 pm But "port scanning the Yubikey" still makes no sense. Once the key has been registered, all that happens is the site sends its code to the Yubikey, which then authenticates against an internal private key and provides a yes/no to validity. There is nothing coming out of the Yubikey to "scan" outside of the initial security pairing... if the attacker doesn't have a valid key to send for verification, the Yubikey will not authenticate it and pass a "yes, verified" out.
Well I hope it can be used in the coffee shop with weak wifi security scenario very well.

I still like the different code generator for each login feature. Makes the attacker
need a new code for every login attempt which the attacker cannot generate. :)
age in bonds, buy-and-hold, 10 year business cycle
Northern Flicker
Posts: 8029
Joined: Fri Apr 10, 2015 12:29 am

Re: Vanguard 2-step verification almost every single time!

Post by Northern Flicker »

patrick013 wrote: Fri Jul 23, 2021 1:54 pm
Maybe my misunderstanding. If the hardware token is generating a different code
for each login it is functioning like a google authenticator which has a weakness in
that intercepting the initial secret at the time of registration using a person-in-the-middle
can render it useless. If the hardware token is only issuing a static ID code, the
same location ID code for all logins, that ID code could be used anytime by attackers
who discovered it in a port scan.
As I mentioned, as long as you have a clean connection for the initial configuration of the Yubikey, MITM attacks will be prevented. (Software authentication apps also require a clean connection for initialization). The key generation bootstraps end-to-end asymmetric key encryption with uniqueness in each session so that encrypted data cannot be recorded and replayed in another authentication session. It is more robust than software-generated 1-way hashes of time intervals. The latter are a robust authentication method but still leave you exposed to MITM attacks.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
Northern Flicker
Posts: 8029
Joined: Fri Apr 10, 2015 12:29 am

Re: Vanguard 2-step verification almost every single time!

Post by Northern Flicker »

patrick013 wrote: Fri Jul 23, 2021 3:36 pm
kevinf wrote: Fri Jul 23, 2021 3:16 pm But "port scanning the Yubikey" still makes no sense. Once the key has been registered, all that happens is the site sends its code to the Yubikey, which then authenticates against an internal private key and provides a yes/no to validity. There is nothing coming out of the Yubikey to "scan" outside of the initial security pairing... if the attacker doesn't have a valid key to send for verification, the Yubikey will not authenticate it and pass a "yes, verified" out.
Well I hope it can be used in the coffee shop with weak wifi security scenario very well.

I still like the different code generator for each login feature. Makes the attacker
need a new code for every login attempt which the attacker cannot generate. :)
If you already configured a Yubikey for a service, it would be more secure for connections over an untrusted network than a software authenticator app.

A software authenticator app is less convenient for multiple services because if you use the same sequence for multiple services, a compromise or rogue employee at one service provider could provide the sequence to use for another service provider.
Last edited by Northern Flicker on Fri Jul 23, 2021 7:36 pm, edited 2 times in total.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
kevinf
Posts: 416
Joined: Mon Aug 05, 2019 11:35 pm

Re: Vanguard 2-step verification almost every single time!

Post by kevinf »

patrick013 wrote: Fri Jul 23, 2021 3:36 pm Well I hope it can be used in the coffee shop with weak wifi security scenario very well.
If you registered your key at home to that service (Vanguard, et al) on a connection that you feel is secure, you would then be able to use that key on a less secure network. That would prevent interception and duplication attacks because new secrets do not need to pass through the connection after the initial setup. If you ALSO created a secure tunnel through that insecure (coffee shop wifi) connection with a VPN, that paired with a hardware token would provide the highest possible protection from bad actors if using a potentially compromised internet connection because then even your meta-data is hidden.

What happens is the service (Vanguard, et al) sends the key it was given at the initial setup (protected by SSL encryption en route), which is verified against the internal key of the Yubikey which then simply passes a yes out if the site's key is correct. At some point, you need to trust that your side is secure, and the end point is secure... your yubikey, HTTPS/SSL, and VPN are what makes the on-going public connection between the two points trustworthy. If either end is compromised, the connection between them isn't going to be important any more.

I hope this answers your question?
brianH
Posts: 550
Joined: Wed Aug 12, 2009 12:21 pm

Re: Vanguard 2-step verification almost every single time!

Post by brianH »

Northern Flicker wrote: Thu Jul 22, 2021 8:18 pm Just having a cookie that is independent of anything else as the second factor is a terrible software design mistake, because of the potential for the cookie to be copied somewhere else and used for your authentication. I believe that the FDIC disallows banks from using that method.

Also, if use a Yubikey for 2FA, it provides protection against man-in-the-middle attacks in addition to an enhanced authentication protocol. Telling the Vanguard service to remember the computer defeats that. It just is not best practice to do it.
The 2FA cookie is not independent, you still need your login credentials. It just skips the 2F step, because the 'something you have' is your cookie on the machine. I've never seen professional guidance to use anything other than a cookie for remembering a machine, because other hacks like remembering the IP are confusing for users. I'd love to see a reference to someone requiring otherwise.