Yubikey only at Vanguard now possible.

Grasshopper
Posts: 1097
Joined: Sat Oct 09, 2010 3:52 pm

Re: Yubikey only at Vanguard now possible.

Post by Grasshopper »

On the VG website login, if the "public computer" box is checked, the Yubikey is always required, even on my home laptop.

My Google account including Gmail is secured by my YubiKey, but I am sure there is a workaround without the YK, using codes, trusted device or whatever.
cowdogman
Posts: 1077
Joined: Sat Dec 16, 2017 7:44 pm
Location: Washington State

Re: Yubikey only at Vanguard now possible.

Post by cowdogman »

ThereAreNoGurus wrote: Wed Jul 21, 2021 12:41 pm
I'm less concerned about these problems than whether VG has overlooked or neglected security procedures elsewhere that would leave their systems and databases vulnerable to attacks. So yeah, these simple and persisting screw-ups are quite disconcerting. (I'm sure you're thinking the same.)
Exactly.
Tubes
Posts: 305
Joined: Wed Apr 22, 2020 6:33 am

Re: Yubikey only at Vanguard now possible.

Post by Tubes »

OK, I'm completely new to keys. I promised I'd report my experience.

I just registered both my Yubicos and disabled SMS security codes. Yes, I had a "Disable" link.

The Yubicos work great. From a web perspective, all looks cool. But the discussion on the previous page about allowing SMS recovery of any number via the mobile app is extremely concerning. I mean, by disabling SMS, did I actually make the mobile entry easier for a hacker?

I don't know. I have no need for mobile and never used it. But I realize someone could pose as me if they knew my username. I wish I could just have a setting saying "no mobile access."

I'm finding all these reports very disconcerting.
cowdogman
Posts: 1077
Joined: Sat Dec 16, 2017 7:44 pm
Location: Washington State

Re: Yubikey only at Vanguard now possible.

Post by cowdogman »

Tubes wrote: Wed Jul 21, 2021 2:24 pm OK, I'm completely new to keys. I promised I'd report my experience.

I just registered both my Yubicos and disabled SMS security codes. Yes, I had a "Disable" link.

The Yubicos work great. From a web perspective, all looks cool. But the discussion on the previous page about allowing SMS recovery of any number via the mobile app is extremely concerning. I mean, by disabling SMS, did I actually make the mobile entry easier for a hacker?

I don't know. I have no need for mobile and never used it. But I realize someone could pose as me if they knew my username. I wish I could just have a setting saying "no mobile access."

I'm finding all these reports very disconcerting.
I have some accounts at Fidelity, but not much money there. I signed up yesterday to use the Symantec VIP authenticator app at Fidelity. After sign up, there was no option to use SMS for web access. And I was able to disable SMS.

And I downloaded/tried the Fidelity mobile app today. It asked for the authenticator code and did not give me any other options (e.g., SMS) to log in.

Symantec VIP also has a token I can buy (e.g., on Amazon) rather than using the phone app. I'm pretty sure this would work with Fidelity too. https://www.amazon.com/Symantec-VIP-Har ... 876&sr=8-1

Nice!
Marmot
Posts: 529
Joined: Sun Oct 10, 2010 1:44 pm
Location: Phoenix, AZ

Re: Yubikey only at Vanguard now possible.

Post by Marmot »

How does a Token work?
Marty....don't go to the year 2020....Dr. Emmett Brown
cowdogman
Posts: 1077
Joined: Sat Dec 16, 2017 7:44 pm
Location: Washington State

Re: Yubikey only at Vanguard now possible.

Post by cowdogman »

Marmot wrote: Wed Jul 21, 2021 4:03 pm
How does a Token work?
Same as the phone app. There is an ID number identifying the token (as there is for the app--each download of the app has its own ID number) that you register with Fidelity, and the token provides a new code every 30 (I believe) seconds (just like the app). See photos on the Amazon link.

More secure than a phone, especially if you use only at home. I would just leave it in my desk.

In the old days (10+ years ago) I used a token for VPN access. The battery runs for a very long time (years), and then you buy a new one.

P.S., I'm guessing this would work at Fidelity, but am not 100% sure. There is also a credit card size version. https://www.amazon.com/FEITIAN-Technolo ... G4H1&psc=1
nifty-thrifty
Posts: 32
Joined: Wed Mar 18, 2020 4:59 pm

Re: Yubikey only at Vanguard now possible.

Post by nifty-thrifty »

Tubes wrote: Wed Jul 21, 2021 2:24 pm OK, I'm completely new to keys. I promised I'd report my experience.

I just registered both my Yubicos and disabled SMS security codes. Yes, I had a "Disable" link.

The Yubicos work great. From a web perspective, all looks cool. But the discussion on the previous page about allowing SMS recovery of any number via the mobile app is extremely concerning. I mean, by disabling SMS, did I actually make the mobile entry easier for a hacker?

I don't know. I have no need for mobile and never used it. But I realize someone could pose as me if they knew my username. I wish I could just have a setting saying "no mobile access."

I'm finding all these reports very disconcerting.
I'm not seeing a disable SMS link. Would I need to unregister keys and re-register?

Thank you.
cowdogman
Posts: 1077
Joined: Sat Dec 16, 2017 7:44 pm
Location: Washington State

Re: Yubikey only at Vanguard now possible.

Post by cowdogman »

nifty-thrifty wrote: Wed Jul 21, 2021 4:53 pm
I'm not seeing a disable SMS link. Would I need to unregister keys and re-register?

Thank you.
From the various messages above, the conclusion is that you will either see "Disable" or a lock icon. If you see a lock icon, you cannot disable SMS codes without disabling the key(s). And you can't re-register the keys without turning on SMS codes.

It's unclear why some see "Disable" and some don't. See above for details.
nifty-thrifty
Posts: 32
Joined: Wed Mar 18, 2020 4:59 pm

Re: Yubikey only at Vanguard now possible.

Post by nifty-thrifty »

cowdogman wrote: Wed Jul 21, 2021 5:59 pm
nifty-thrifty wrote: Wed Jul 21, 2021 4:53 pm
I'm not seeing a disable SMS link. Would I need to unregister keys and re-register?

Thank you.
From the various messages above, the conclusion is that you will either see "Disable" or a lock icon. If you see a lock icon, you cannot disable SMS codes without disabling the key(s). And you can't re-register the keys without turning on SMS codes.

It's unclear why some see "Disable" and some don't. See above for details.
Thank you, I got excited for a second when I saw posts from other people and ran for my keys to delete and reinstall, but got the same experience as you and others (round and round). No go!! That's too bad that Vanguard can't see the vulnerability here.
criticalmass
Posts: 1984
Joined: Wed Feb 12, 2014 10:58 pm

Re: Yubikey only at Vanguard now possible.

Post by criticalmass »

Silence Dogood wrote: Wed Jul 21, 2021 11:49 am
criticalmass wrote: Tue Jul 20, 2021 11:34 pm
Silence Dogood wrote: Tue Jul 20, 2021 6:27 pm
criticalmass wrote: Sun Jul 18, 2021 4:16 pm
On the second point, isn't that the main issue discussed in this thread? Is Vanguard allowing users to turn off SMS codes and gain website access by a key alone? Or is Vanguard continuing to give the user (or a hacker) the ability to use/reactivate SMS codes without needing the key to do so? If it's the latter, then the key is worthless--why even bother with a key? That's the issue being discussed in this thread.
Yes, Vanguard allows you to disable SMS validation codes. Yes, Vanguard allows Yubikey enrolled accounts to get SMS re-enabled WITHOUT logging in via the Yubikey, e.g. by downloading the mobile app or just requesting to enable SMS validation because the Yubikey isn't available at the moment, etc. That is the loophole which destroys Vanguard's secure token/Yubikey authentication model.
criticalmass,

To clarify, some of us (myself included) are now able to disable security codes (SMS) completely.

(As in, the loophole has been, thankfully, closed for us.)
Sounds good. I can also disable security codes completely, but attempts to log in again provide an option to re-enable the SMS verification codes.
If you attempt to log in with the Vanguard mobile app after disabling SMS verification codes, does it allow you to re-enable SMS verification like it does for me?
When I sign in using a web browser, I do not see any option to use a security code (SMS) as a backup (I looked carefully for it).

However, I just downloaded the mobile app to test this out...

Disappointingly, when I attempt to sign in, it prompts me to re-enable security codes. There is a drop-down menu that shows my phone number and another option that actually allows me to enter a new phone number to send a security code to. I did not actually go ahead and test that out, but presumably an attacker could actually enter any phone number and use that to get in. :shock:

In summary, the website works as expected/desired, but the mobile app has a serious security flaw. Ideally, the mobile apps would work with security keys, but in the meantime, the apps should simply not allow sign in at all (similar to how one can restrict access to recognized devices only).

Also, a feature that is missing for the security keys is the ability to require a security key with every log in - regardless of whether or not the device is recognized. This is currently a feature for the security codes (found under the "frequency" option).
Interestingly, I am always prompted for the security key on a browser. I didn't know that it might not be if the browser is "recognized," but I will see if there is a way to force it to recognize. If there is, that is not good... a security key is more secure than a browser cookie to "remember" you logged in before... hopefully.
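The flaw described in the quoted posts above is a factor-downgrade problem: the website honours the security key, but the mobile app, which cannot use a key, offers an SMS code to a phone number the caller types in, even after SMS was disabled. As an added example (not Vanguard's code, and not from anyone in the thread), the following Python models that reported behaviour beside a hardened policy and checks the invariant a defender would want: no channel may accept a factor weaker than the strongest factor enrolled. The account, channel names and factor names are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Factor strength as the thread ranks it: a code texted to a number the caller
# just typed is weaker than a code to the number on file, which is weaker than
# a registered hardware key.
STRENGTH = {"sms_new_number": 0, "sms_on_file": 1, "security_key": 2}


@dataclass(frozen=True)
class Account:
    security_keys: frozenset        # ids of registered hardware keys
    sms_enabled: bool               # whether SMS codes are still turned on
    phone_on_file: Optional[str]


def factors_flawed(acct: Account, channel: str) -> set:
    """Models the behaviour reported in the thread: the website honours the key,
    but the mobile app (which cannot use a key) falls back to SMS, including to
    a brand-new phone number, regardless of whether SMS was disabled."""
    if channel == "web" and acct.security_keys:
        return {"security_key"}
    return {"sms_on_file", "sms_new_number"}


def factors_hardened(acct: Account, channel: str) -> set:
    """A channel that cannot present the strongest enrolled factor gets no
    sign-in at all, and a new phone number is never an unauthenticated option."""
    if acct.security_keys:
        return {"security_key"} if channel == "web" else set()
    if acct.sms_enabled and acct.phone_on_file:
        return {"sms_on_file"}
    return set()


def strongest_enrolled(acct: Account) -> int:
    if acct.security_keys:
        return STRENGTH["security_key"]
    return STRENGTH["sms_on_file"] if acct.sms_enabled else -1


def allows_downgrade(acct: Account, policy) -> bool:
    """True if any channel accepts a factor weaker than the strongest one
    enrolled; that is exactly the loophole the thread describes."""
    bar = strongest_enrolled(acct)
    return any(STRENGTH[f] < bar
               for channel in ("web", "mobile_app")
               for f in policy(acct, channel))


# Constructed sample account: two keys registered, SMS codes disabled.
KEYED_ACCOUNT = Account(frozenset({"key-1", "key-2"}), False, "+1-555-0100")
```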
HomerJ
Posts: 16909
Joined: Fri Jun 06, 2008 12:50 pm

Re: Yubikey only at Vanguard now possible.

Post by HomerJ »

So how secure is the option for "only allow login from a recognized device"?
A Goldman Sachs associate provided a variety of detailed explanations, but then offered a caveat, “If I’m being dead-### honest, though, nobody knows what’s really going on.”
Silence Dogood
Posts: 1506
Joined: Tue Feb 01, 2011 9:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

criticalmass wrote: Wed Jul 21, 2021 11:07 pm
Silence Dogood wrote: Wed Jul 21, 2021 11:49 am Also, a feature that is missing for the security keys is the ability to require a security key with every log in - regardless of whether or not the device is recognized. This is currently a feature for the security codes (found under the "frequency" option).
Interestingly, I am always prompted for the security key on a browser. I didn't know that it might not be if the browser is "recognized," but I will see if there is a way to force it to recognize. If there is, that is not good... a security key is more secure than a browser cookie to "remember" you logged in before... hopefully.
Apparently the security key is required every time - which is good news.

For some reason, Vanguard asks if the device is private/public, but the answer has no effect.

See this thread:
Tubes wrote: Wed Jul 21, 2021 6:10 pm
Silence Dogood wrote: Wed Jul 21, 2021 3:54 pm
Tubes wrote: Wed Jul 21, 2021 3:39 pm I cleared the pop up and changed it to "remember", and regardless, the next log in it ignored my "remember" and made me use the key. I guess that's what I mean.
Just to make sure that I understand this correctly, now when you sign in from your recognized device, you are no longer asked whether or not you are using a private/public device, yet you are still required to use the security key?

If so, that's good.

(But then why does Vanguard bother to ask whether the device is private/public in the first place..?)
It provides the two choices, but has no effect! No matter my answer, it requires me to use the key.
Marmot
Posts: 529
Joined: Sun Oct 10, 2010 1:44 pm
Location: Phoenix, AZ

Re: Yubikey only at Vanguard now possible.

Post by Marmot »

cowdogman wrote: Wed Jul 21, 2021 4:10 pm
Marmot wrote: Wed Jul 21, 2021 4:03 pm
How does a Token work?
Same as the phone app. There is an ID number identifying the token (as there is for the app--each download of the app has its own ID number) that you register with Fidelity, and the token provides a new code every 30 (I believe) seconds (just like the app). See photos on the Amazon link.

More secure than a phone, especially if you use only at home. I would just leave it in my desk.

In the old days (10+ years ago) I used a token for VPN access. The battery runs for a very long time (years), and then you buy a new one.

P.S., I'm guessing this would work at Fidelity, but am not 100% sure. There is also a credit card size version. https://www.amazon.com/FEITIAN-Technolo ... G4H1&psc=1
Thank you very much for the reply. I am trying to figure out if Yubikeys work on the Chase Bank site. They refer to "Tokens".
Marty....don't go to the year 2020....Dr. Emmett Brown
Silence Dogood
Posts: 1506
Joined: Tue Feb 01, 2011 9:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

cowdogman wrote: Wed Jul 21, 2021 12:06 pm Does someone want to call Vanguard to see whether progress can be made on this Yubikey issue? See the summary of my call with Vanguard above.
I have made Vanguard aware of this thread.

Hopefully they will be able to use the feedback here to make improvements.
HomerJ
Posts: 16909
Joined: Fri Jun 06, 2008 12:50 pm

Re: Yubikey only at Vanguard now possible.

Post by HomerJ »

If the mobile app just lets you pick a new phone number to send SMS texts to...

Holy cow...

I am seriously thinking about moving our money. Not joking.

How is Fidelity? What about T Rowe Price?
A Goldman Sachs associate provided a variety of detailed explanations, but then offered a caveat, “If I’m being dead-### honest, though, nobody knows what’s really going on.”
LadyGeek
Site Admin
Posts: 74061
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: Yubikey only at Vanguard now possible.

Post by LadyGeek »

If you're serious, not bad. Vanguard isn't all that competitive any more. See the wiki:

-Mutual funds for Bogleheads
-ETFs for Bogleheads

If you do this for real, wait a few days to remove emotion from the equation and think about it in detail. For example, be sure you don't trigger any taxable events due to the transfer. If you still want to proceed, then go for it.

(I don't have any experience with Yubikey. I'm just commenting on the financial part.)
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
ThereAreNoGurus
Posts: 641
Joined: Fri Jan 24, 2014 11:41 pm

Re: Yubikey only at Vanguard now possible.

Post by ThereAreNoGurus »

Silence Dogood wrote: Fri Jul 23, 2021 5:10 pm
cowdogman wrote: Wed Jul 21, 2021 12:06 pm Does someone want to call Vanguard to see whether progress can be made on this Yubikey issue? See the summary of my call with Vanguard above.
I have made Vanguard aware of this thread.

Hopefully they will be able to use the feedback here to make improvements.
Thanks. Hopefully this thread gets to somebody who cares, understands, and can do something about it... posting here would be great! (Just dreaming)
Trade the news and you will lose.
HomerJ
Posts: 16909
Joined: Fri Jun 06, 2008 12:50 pm

Re: Yubikey only at Vanguard now possible.

Post by HomerJ »

LadyGeek wrote: Fri Jul 23, 2021 8:45 pm If you do this for real, wait a few days to remove emotion from the equation and think about it in detail.
Always good advice from you.. thanks...

No, I would move stuff carefully.
A Goldman Sachs associate provided a variety of detailed explanations, but then offered a caveat, “If I’m being dead-### honest, though, nobody knows what’s really going on.”
cowdogman
Posts: 1077
Joined: Sat Dec 16, 2017 7:44 pm
Location: Washington State

Re: Yubikey only at Vanguard now possible.

Post by cowdogman »

HomerJ wrote: Fri Jul 23, 2021 9:52 pm
LadyGeek wrote: Fri Jul 23, 2021 8:45 pm If you do this for real, wait a few days to remove emotion from the equation and think about it in detail.
Always good advice from you.. thanks...

No, I would move stuff carefully.
Totally agree, altho I'm already in discussions with Fidelity--and have already discussed making sure there are no taxable events in the transfer. I plan to move slowly tho.

See my post on Fidelity security above.