Yubikey only at Vanguard now possible.

rkhusky
Posts: 12552
Joined: Thu Aug 18, 2011 8:09 pm

Re: Yubikey only at Vanguard now possible.

Post by rkhusky »

How easy is it to fake a Yubikey? How easy is it to fake a computer identity? Without access to the hardware.
criticalmass
Posts: 2531
Joined: Wed Feb 12, 2014 10:58 pm

Re: Yubikey only at Vanguard now possible.

Post by criticalmass »

cowdogman wrote: Sat Mar 12, 2022 11:28 am
HawkeyePierce wrote: Tue Mar 08, 2022 1:24 pm
cowdogman wrote: Tue Mar 08, 2022 11:44 am
Northern Flicker wrote: Sat Mar 05, 2022 2:31 am
cowdogman wrote: If you use Yubikey (which is in its way the same as computer restriction--Yubikey restriction)
Having a service remember your computer is not the equivalent of using a Yubikey in the level of security enhancement achieved.
Yes, I agree, but they are getting at the same thing--restricting access to a specific computer--the one Vanguard remembers or the one that has the Yubikey inserted.
They are not even remotely equivalent.
Please explain. I agreed above that they are not equivalent but are getting at the same thing. Specifically, would you use both (1) computer restriction and (2) Yubikey? If so (or not), why?
For starters, “remembering” the saved browser is done by a browser cookie which is trivial to copy for reuse anywhere, if not able to just produce one arbitrarily.
The Yubikey uses hardware based strong cryptography and the key it generates may not be copied for reuse, or generated without the smartcard hardware built in to that specific Yubikey.
cowdogman
Posts: 1448
Joined: Sat Dec 16, 2017 7:44 pm
Location: Washington State

Re: Yubikey only at Vanguard now possible.

Post by cowdogman »

criticalmass wrote: Sat Mar 12, 2022 11:40 am
cowdogman wrote: Sat Mar 12, 2022 11:28 am
HawkeyePierce wrote: Tue Mar 08, 2022 1:24 pm
cowdogman wrote: Tue Mar 08, 2022 11:44 am
Northern Flicker wrote: Sat Mar 05, 2022 2:31 am
Having a service remember your computer is not the equivalent of using a Yubikey in the level of security enhancement achieved.
Yes, I agree, but they are getting at the same thing--restricting access to a specific computer--the one Vanguard remembers or the one that has the Yubikey inserted.
They are not even remotely equivalent.
Please explain. I agreed above that they are not equivalent but are getting at the same thing. Specifically, would you use both (1) computer restriction and (2) Yubikey? If so (or not), why?
For starters, “remembering” the saved browser is done by a browser cookie which is trivial to copy for reuse anywhere, if not able to just produce one arbitrarily.
The Yubikey uses hardware based strong cryptography and the key it generates may not be copied for reuse, or generated without the smartcard hardware built in to that specific Yubikey.
OK, but the question I was answering above was whether it was necessary to keep computer restriction on when using a Yubikey. I said no because they are essentially trying to do the same thing--limit access to a single computer--the one with the restriction cookie or the one with the Yubikey.

So I will ask again: would you use both (1) computer restriction and (2) Yubikey? If so (or not), why? If your answer is no, then we are in agreement.
criticalmass
Posts: 2531
Joined: Wed Feb 12, 2014 10:58 pm

Re: Yubikey only at Vanguard now possible.

Post by criticalmass »

Vanguard seems to ignore the remember this computer selection when using Yubikey to login.
kevinf
Posts: 580
Joined: Mon Aug 05, 2019 11:35 pm

Re: Yubikey only at Vanguard now possible.

Post by kevinf »

cowdogman wrote: Sat Mar 12, 2022 1:09 pm
criticalmass wrote: Sat Mar 12, 2022 11:40 am
cowdogman wrote: Sat Mar 12, 2022 11:28 am
HawkeyePierce wrote: Tue Mar 08, 2022 1:24 pm
cowdogman wrote: Tue Mar 08, 2022 11:44 am

Yes, I agree, but they are getting at the same thing--restricting access to a specific computer--the one Vanguard remembers or the one that has the Yubikey inserted.
They are not even remotely equivalent.
Please explain. I agreed above that they are not equivalent but are getting at the same thing. Specifically, would you use both (1) computer restriction and (2) Yubikey? If so (or not), why?
For starters, “remembering” the saved browser is done by a browser cookie which is trivial to copy for reuse anywhere, if not able to just produce one arbitrarily.
The Yubikey uses hardware based strong cryptography and the key it generates may not be copied for reuse, or generated without the smartcard hardware built in to that specific Yubikey.
OK, but the question I was answering above was whether it was necessary to keep computer restriction on when using a Yubikey. I said no because they are essentially trying to do the same thing--limit access to a single computer--the one with the restriction cookie or the one with the Yubikey.

So I will ask again: would you use both (1) computer restriction and (2) Yubikey? If so (or not), why? If your answer is no, then we are in agreement.
In this scenario I believe computer restriction could help prevent unauthorized access in the event of a stolen yubikey+credentials if the attacker didn't have access to the restricted PC.
HawkeyePierce
Posts: 1993
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Yubikey only at Vanguard now possible.

Post by HawkeyePierce »

rkhusky wrote: Sat Mar 12, 2022 11:39 am How easy is it to fake a Yubikey? How easy is it to fake a computer identity? Without access to the hardware.
Faking a Yubikey is impossible. Copying a cookie out of a browser is trivial.
Silence Dogood
Posts: 1589
Joined: Tue Feb 01, 2011 9:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

Silence Dogood wrote: Wed Jul 21, 2021 11:49 am Disappointingly, when I attempt to sign in [using the mobile app], it prompts me to re-enable security codes. There is a drop-down menu that shows my phone number and another option that actually allows me to enter a new phone number to send a security code to.
Silence Dogood wrote: Wed Dec 22, 2021 11:02 am At the very least, Vanguard can and should get rid of the ability to add any new phone number for sending security codes to when using the mobile app (i.e., only allow existing phone numbers on file). That should not take long to implement.
Vanguard should really fix this; I notified them of this security flaw back in July.
pokebowl
Posts: 562
Joined: Sat Dec 17, 2016 7:22 pm
Location: Alaska

Re: Yubikey only at Vanguard now possible.

Post by pokebowl »

Out of curiosity, did Vanguard ever fix that mobile app vulnerability? Seeing 9 pages of discussion over Vanguard finally catching up with the times on cybersecurity, only to see then that Vanguard made all those changes null with their mobile app allowing anyone to redirect SMS on accounts as a feature. :mrgreen:
southerndoc
Posts: 1207
Joined: Wed Apr 22, 2009 7:07 pm
Location: Atlanta

Re: Yubikey only at Vanguard now possible.

Post by southerndoc »

I still haven't been able to turn off text messaging and default to Yubikey only (despite having 3 keys registered).

Can someone walk me through the process?
anon_investor
Posts: 11150
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

pokebowl wrote: Sun Apr 24, 2022 4:44 pm Out of curiosity, did Vanguard ever fix that mobile app vulnerability? Seeing 9 pages of discussion over Vanguard finally catching up with the times on cybersecurity, only to see then that Vanguard made all those changes null with their mobile app allowing anyone to redirect SMS on accounts as a feature. :mrgreen:
I don't think so. :oops:
Silence Dogood
Posts: 1589
Joined: Tue Feb 01, 2011 9:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

Shame on Vanguard for not taking this seriously.
southerndoc
Posts: 1207
Joined: Wed Apr 22, 2009 7:07 pm
Location: Atlanta

Re: Yubikey only at Vanguard now possible.

Post by southerndoc »

I tried again today to take off my mobile number. I unenrolled all my Yubikeys and got rid of the mobile phone for codes texted to me. I couldn't reenroll my Yubikeys without signing up for SMS text codes again.

Are you sure you can use Yubikeys only without SMS backup?
bertilak
Posts: 9262
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Yubikey only at Vanguard now possible.

Post by bertilak »

ThereAreNoGurus wrote: Wed Jul 14, 2021 12:24 pm
Marmot wrote: Wed Jul 14, 2021 12:16 pm I was looking at the Yubico site; how do you figure out which type of key? Basically we have a combination of devices: iPhones, iPads, a Dell desktop and laptop. I took the quiz on the website but am still a bit confused. Thanks.
That quiz seemed fishy to me. No matter what my choices were, it almost always recommended two keys, one that was standard USB and one that was USB-C, even though it appeared to me I did not need USB-C.
I think they will always recommend two keys, one for backup.

I got the "5 nano" and the "5C NFC"

I keep the nano inserted in my laptop so I only have to touch it when logging in to Vanguard. Removing and inserting is a bit fiddly so I just leave it inserted. I will put it in my pocket when traveling. The 5C NFC is my backup.

But, I am still trying to decide if there is really much extra security. Experimenting!
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
pokebowl
Posts: 562
Joined: Sat Dec 17, 2016 7:22 pm
Location: Alaska

Re: Yubikey only at Vanguard now possible.

Post by pokebowl »

bertilak wrote: Tue Apr 26, 2022 12:03 pm
But, I am still trying to decide if there is really much extra security. Experimenting!
Doesn't appear so at least right now. If I have your username password combo, I appear to be able to add my own phone number for SMS one time code on the mobile app if you no longer have it set up. I could in theory get around the yubikey requirement and access your account. Not sure if anyone has tested with a new number to see if Vanguard sends any notifications out on the changes and if access is still permitted.
MrJedi
Posts: 2036
Joined: Wed May 06, 2020 11:42 am

Re: Yubikey only at Vanguard now possible.

Post by MrJedi »

I just purchased two Yubikeys from their sale yesterday (54% off) and dipping my toes in with this type of authentication tech, but now reading through this thread is a bit disappointing. I assume no update to the app loophole?
VictoriaF
Posts: 19857
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: Yubikey only at Vanguard now possible.

Post by VictoriaF »

MrJedi wrote: Thu May 05, 2022 12:17 pm I just purchased two Yubikeys from their sale yesterday (54% off) ...
MrJedi,

How did you learn about the 54% off sale? I just went to the Yubico site, and it does not have a sale.

Thank you,
Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
increment
Posts: 947
Joined: Tue May 15, 2018 2:20 pm

Re: Yubikey only at Vanguard now possible.

Post by increment »

VictoriaF wrote: Sat May 07, 2022 9:05 am How did you learn about the 54% off sale? I just went to the Yubico site, and it does not have a sale.
The site said that it was a one day event for May the Fourth.
VictoriaF
Posts: 19857
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: Yubikey only at Vanguard now possible.

Post by VictoriaF »

Does YubiKey 5 FIPS Series work at Vanguard? Yubico's quiz directs me to buy the regular YubiKey 5 Series. But if I am willing to pay more, would I get greater security without losing compatibility with Vanguard and other services?

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
kevinf
Posts: 580
Joined: Mon Aug 05, 2019 11:35 pm

Re: Yubikey only at Vanguard now possible.

Post by kevinf »

VictoriaF wrote: Sat May 07, 2022 9:27 am Does YubiKey 5 FIPS Series work at Vanguard? Yubico's quiz directs me to buy the regular YubiKey 5 Series. But if I am willing to pay more, would I get greater security without losing compatibility with Vanguard and other services?

Victoria
Honestly, just get the cheaper security key (it's blue). They all offer the same effective level of protection, but the blue key just has fewer legacy standards included. The more expensive keys offer compliance with certain older standards and also a few features that consumer level users simply aren't going to use at home.
MrJedi
Posts: 2036
Joined: Wed May 06, 2020 11:42 am

Re: Yubikey only at Vanguard now possible.

Post by MrJedi »

VictoriaF wrote: Sat May 07, 2022 9:05 am
MrJedi wrote: Thu May 05, 2022 12:17 pm I just purchased two Yubikeys from their sale yesterday (54% off) ...
MrJedi,

How did you learn about the 54% off sale? I just went to the Yubico site, and it does not have a sale.

Thank you,
Victoria
I follow some deal sites and it turned up. Slick Deals. This used to be a really great site with user submitted deal findings, but has slowly turned more and more commercialized over the years with paid sponsors, shills, etc. I still frequent it though. Some gems still show up from time to time like this. I got two Yubikey 5 NFC keys for $41.

I was always a little curious about these devices but they were a little pricey for me at full price, but with the sale I decided it was enough for me to try it out and play with. And if nothing else, I've learned a little more about the tech.

As mentioned above, it was a one-day sale for May the 4th (somebody is clearly a Star Wars fan at Yubico).
K72
Posts: 205
Joined: Wed Dec 05, 2018 8:04 pm

Re: Yubikey only at Vanguard now possible.

Post by K72 »

Nicolas wrote: Sat Oct 09, 2021 4:32 pm
squirm wrote: Sat Oct 09, 2021 3:34 pm Why put the code in a safe? Nobody knows what it's for. I have mine taped behind a cabinet door with a bunch of tuna recipes mixed in; it looks like the printer printed junk in the middle of a tuna salad. Nobody has a clue.
This reminds me of what my coworker told me in 1980 during the silver boom. He said he was going to buy a big brick of silver as an investment and then paint it some other color and use it as a doorstop. The ultimate security, hiding in plain sight. I don’t know if he ever followed through (and he’s dead now). It would’ve been a poor investment anyway, silver hit a peak then of $50/ounce (in 1980 dollars) and of course paid no dividends.
Wow, does this bring back a memory. When I was a young teenager I stashed what I thought were valuable bills (red seal $5 bills, silver certificate $1 bills) inside paperback books I'd read. I soon forgot about them and I can only guess that my mom threw out the books after I finished college and moved far away.
All we want are the facts...
anon_investor
Posts: 11150
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

MrJedi wrote: Thu May 05, 2022 12:17 pm I just purchased two Yubikeys from their sale yesterday (54% off) and dipping my toes in with this type of authentication tech, but now reading through this thread is a bit disappointing. I assume no update to the app loophole?
But all is not lost. You can use a Google Voice number as the SMS 2FA, then lock down your Google account with a Yubikey. This is what I did; it makes your Vanguard account much more secure.
bertilak
Posts: 9262
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Yubikey only at Vanguard now possible.

Post by bertilak »

If I decide I am not going to use a Yubikey I bought, is there anything I should do before passing it on to someone else?

Assume I have deleted it from the apps I was using it with. For example, I removed any reference to the key from Vanguard's "Security Keys" web page.

It seems there is no problem. YubiKey manager has a "reset" option and I wonder just what that does and if I should use it.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
Scorpion Stare
Posts: 41
Joined: Wed Dec 22, 2021 10:15 am

Re: Yubikey only at Vanguard now possible.

Post by Scorpion Stare »

bertilak wrote: Sat May 07, 2022 3:11 pm If I decide I am not going to use a Yubikey I bought, is there anything I should do before passing it on to someone else? Assume I have deleted it from the apps I was using it with.
Probably you don't need to do anything else, but you can use the "reset" button in Yubikey Manager just to be sure.

The typical way of using Yubikeys (used by most sites like Vanguard, Google) doesn't store anything on the key aside from a cryptographic key, which is useless after you have unregistered the key from all your services.

There are some alternate uses that do store sensitive data on the key, for example if you use the Yubikey Authenticator app to store TOTP codes. If you did any of those things, resetting the key will erase them.
Last edited by Scorpion Stare on Sat May 07, 2022 11:57 pm, edited 1 time in total.
bertilak
Posts: 9262
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Yubikey only at Vanguard now possible.

Post by bertilak »

Scorpion Stare wrote: Sat May 07, 2022 7:01 pm
bertilak wrote: Sat May 07, 2022 3:11 pm If I decide I am not going to use a Yubikey I bought, is there anything I should do before passing it on to someone else? Assume I have deleted it from the apps I was using it with.
Probably you don't need to do anything else, but you can use the "reset" button in Yubikey Manager just to be sure.

The typical way of using Yubikeys (used by most sites like Vanguard, Google) doesn't store any data on the key. There are some alternate uses that do store data on the key, for example if you use the Yubikey Authenticator app to store TOTP codes on the key. If you did any of those things, resetting the key will erase them.
Thanks.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
MrJedi
Posts: 2036
Joined: Wed May 06, 2020 11:42 am

Re: Yubikey only at Vanguard now possible.

Post by MrJedi »

anon_investor wrote: Sat May 07, 2022 2:03 pm
MrJedi wrote: Thu May 05, 2022 12:17 pm I just purchased two Yubikeys from their sale yesterday (54% off) and dipping my toes in with this type of authentication tech, but now reading through this thread is a bit disappointing. I assume no update to the app loophole?
But all is not lost. You can use a Google Voice number as the SMS 2FA, then lock down your Google account with a Yubikey. This is what I did; it makes your Vanguard account much more secure.
Thanks for the tip. I've taken the steps to lock down a Google account away from SMS and signed up for a Google Voice number. I put it into the Vanguard security code section and it works. I tested it by trying to log in with a mobile browser. It says security key not supported and sent a text to my Google Voice number, which worked. Better than nothing, but it still seems like a lazy implementation on Vanguard's part to so easily bypass a hardware key.
K72
Posts: 205
Joined: Wed Dec 05, 2018 8:04 pm

Re: Yubikey only at Vanguard now possible.

Post by K72 »

anon_investor wrote: Tue Mar 08, 2022 1:38 pm Using a Google Voice number with a Google account secured by a Yubikey as the SMS 2FA for your Vanguard account and Yubikey as the other 2FA option for your Vanguard account is the only way to really secure your Vanguard account at this time.
Is your GV SMS forwarded to your actual cell #? I recall reading that it isn't a good idea to have GV SMS forwarded but I don't remember the reason. Does it matter from a security standpoint?
All we want are the facts...
anon_investor
Posts: 11150
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

K72 wrote: Wed May 11, 2022 10:37 am
anon_investor wrote: Tue Mar 08, 2022 1:38 pm Using a Google Voice number with a Google account secured by a Yubikey as the SMS 2FA for your Vanguard account and Yubikey as the other 2FA option for your Vanguard account is the only way to really secure your Vanguard account at this time.
Is your GV SMS forwarded to your actual cell #? I recall reading that it isn't a good idea to have GV SMS forwarded but I don't remember the reason. Does it matter from a security standpoint?
I do not have it forwarded to my actual cell #. To access it on my phone I can check the Google Voice app or my email. So if my cell phone number is hijacked via a SIM swap, the bad guys won't have access.
MrJedi
Posts: 2036
Joined: Wed May 06, 2020 11:42 am

Re: Yubikey only at Vanguard now possible.

Post by MrJedi »

Yeah, if you set up forwarding then you are just re-exposing yourself to the same vulnerability as before. A thief can steal your real phone number and request a Vanguard code, which goes to the Google Voice number but is then forwarded to the stolen number for the thief to access.

The Google Voice by itself is more secure because there is an option to lock the phone number within your Google account so that a carrier isn't allowed to port the number until it's unlocked. So thief cannot steal the number without access to your Google account to unlock the number.
Northern Flicker
Posts: 10434
Joined: Fri Apr 10, 2015 12:29 am

Re: Yubikey only at Vanguard now possible.

Post by Northern Flicker »

kevinf wrote: Sat Mar 12, 2022 2:01 pm
cowdogman wrote: Sat Mar 12, 2022 1:09 pm
OK, but the question I was answering above was whether it was necessary to keep computer restriction on when using a Yubikey. I said no because they are essentially trying to do the same thing--limit access to a single computer--the one with the restriction cookie or the one with the Yubikey.

So I will ask again: would you use both (1) computer restriction and (2) Yubikey? If so (or not), why? If your answer is no, then we are in agreement.
In this scenario I believe computer restriction could help prevent unauthorized access in the event of a stolen yubikey+credentials if the attacker didn't have access to the restricted PC.
No, remembering the computer means it is an authentication option, not a requirement. You can remember the computer and still login with 2FA on a different machine. But if you have a vulnerability in which both your yubikey and password are stolen, you probably are doing something wrong like storing your passwords in cleartext on a thumbdrive on the same keychain as your yubikey etc.

Properly configured, yubikeys and passwords have mostly independent attack surfaces. There may be some correlated vulnerabilities with respect to your browser being compromised, but it is very difficult to impossible to login in a secure manner by any method with a compromised browser.

If you checked remember your computer in the past, it reduces the security of your connection for every session where the yubikey is not used. A yubikey plus browser employs a protocol (challenge-response authentication) that defeats man-in-the-middle attacks and other types of Trojan horse attacks as long as you have a clean connection to a service when you initialize the yubikey.

The initialization involves the yubikey and service exchanging public-private key pairs so that encryption and authentication is end-to-end and both you and the service are assured that you are actually talking to each other. You are not just authenticating to Vanguard. Vanguard also essentially is authenticating to you. This eliminates risks associated with breached or rogue DNS servers and/or breached or rogue certificate authorities out on the internet. Remembering your computer defeats this any time it sidesteps the yubikey protocol being employed. There is also the risk that an attacker successfully spoofs your computer by obtaining a cookie and/or forging the IP address in packet headers etc. These tricks involve possession of data (cookie, IP address, browser (not human) fingerprints, etc.) not possession of hardware (yubikey). Even human fingerprints are data once digitized.

For Vanguard, you want to configure Google Voice for 2FA to protect against attacks using the Vanguard smartphone/tablet app, which does not support yubikeys. You still should use the yubikey for 2FA when using a browser to connect, which is preferred. Avoid using the app whenever practical. The GV 2FA option is still useful as a fallback to prevent lockout from your account if your yubikey fails or is lost— you can login with GV and disable the use of the lost yubikey. Be sure to secure your google voice account with 2 yubikeys and I prefer not to have any 1-time google passcodes implemented. They expand the attack surface, and are unnecessary if you have 2 yubikeys.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
kevinf
Posts: 580
Joined: Mon Aug 05, 2019 11:35 pm

Re: Yubikey only at Vanguard now possible.

Post by kevinf »

Northern Flicker wrote: Thu May 12, 2022 3:26 am
kevinf wrote: Sat Mar 12, 2022 2:01 pm
cowdogman wrote: Sat Mar 12, 2022 1:09 pm
OK, but the question I was answering above was whether it was necessary to keep computer restriction on when using a Yubikey. I said no because they are essentially trying to do the same thing--limit access to a single computer--the one with the restriction cookie or the one with the Yubikey.

So I will ask again: would you use both (1) computer restriction and (2) Yubikey? If so (or not), why? If your answer is no, then we are in agreement.
In this scenario I believe computer restriction could help prevent unauthorized access in the event of a stolen yubikey+credentials if the attacker didn't have access to the restricted PC.
No, remembering the computer means it is an authentication option, not a requirement.
Hmmm, I'm under the impression that computer restriction means either a hardware fingerprint of a specific computer is generated or a specific cookie is used. The first would require spoofing the hardware if access to the actual computer is not available, and the second would require spoofing or stealing the cookie. If the computer attempting to log in doesn't match the fingerprint/cookie then a login is simply not allowed, which restricts your logins to specific devices.
Northern Flicker
Posts: 10434
Joined: Fri Apr 10, 2015 12:29 am

Re: Yubikey only at Vanguard now possible.

Post by Northern Flicker »

kevinf wrote: If the computer attempting to login doesn't match the fingerprint/cookie then a login is simply not allowed which restricts your logins to specific devices.
I don’t think the remember this computer option at Vanguard restricts the devices from which you can login. I think it eliminates the 2FA stage of the authentication protocol when 2FA is in play. If you click remember this computer you are not locked out if your cookie cache is flushed, or you purchase a new machine.

Whatever is used as a system fingerprint, it still is a piece of data that is transmitted to a service and that can be copied and communicated to an authentication session from somewhere else.

More precisely, the remember your computer feature leaves the user exposed to replay attacks where the same authentication session is replayed again later. If you get hit with a man-in-the-middle attack, attempts to inflict damage on your account while you are logged in often would be visible to you, and you could take defensive action. A more difficult situation is that the Trojan horse in the middle captures the session but does nothing else for the time being. You complete your transactions or whatever normally and would not know that the data going back and forth was being filtered.

The attacker then replays the authentication session later from a different machine.

2FA by text code defeats replay attacks because unique codes are generated for each session (modulo collisions due to being limited to 6 digits). Yubikey authentication additionally defeats Trojan horses and MITM attacks from the outset, which is more upstream protection.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
Northern Flicker
Posts: 10434
Joined: Fri Apr 10, 2015 12:29 am

Re: Yubikey only at Vanguard now possible.

Post by Northern Flicker »

I would add that a correct implementation of challenge-response authentication requires that challenges are never repeated. This is required for challenge-response authentication to defeat replay attacks. It normally is implemented by including a monotonically increasing sequence number or time of day in seconds since 1900 concatenated to the challenges used for a particular user, with enough bits in the encoding of the sequences not to re-use sequence numbers in the user’s lifetime.

Challenge-response authentication is robust by itself without a need for 2FA, and has been known since the late 1970’s (demonstrating that network authentication in practice today is still in the Bronze Age):

https://www.cs.swarthmore.edu/~newhall/ ... /popek.pdf

(To avoid confusion from the previous sentence, it is worth emphasizing that with a yubikey the challenge-response authentication is incorporated in the role of a second factor authentication with respect to the password).

I have not investigated whether protocols involving yubikeys implement challenge-response properly with no practical repeat of challenges, but I assume they do.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
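The distinction criticalmass and Northern Flicker draw in the posts above (a remembered-computer cookie is possession of data and can be replayed; a hardware key answers a fresh, never-repeated challenge bound to the site it is talking to) can be seen in a small model. The following is an added example written for this thread, not code from Vanguard, Yubico or any poster. It stands in for the key's private key with an HMAC secret so it runs on the Python standard library alone; a real FIDO/WebAuthn key signs with an asymmetric key, and the origin and relying-party hash are part of what it signs, which is the property scenario 5 models. The service name and origins are constructed.

```python
import hashlib
import hmac
import secrets


class HardwareKey:
    """Stand-in for a security key: a secret that never leaves the device.
    HMAC replaces the asymmetric signature of a real key (model assumption)."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def credential(self):
        # What the service stores at registration. A real key hands over a
        # public key; in this HMAC model the shared secret plays that role.
        return self._secret

    @staticmethod
    def respond(secret, challenge, origin):
        # The response covers the fresh challenge AND the origin the browser
        # reports, so a response made on a look-alike site is worthless here.
        msg = f"{origin}|{challenge}".encode()
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()

    def sign(self, challenge, origin):
        return self.respond(self._secret, challenge, origin)


class Service:
    """Toy relying party with both login paths discussed in the thread."""

    def __init__(self, origin):
        self.origin = origin
        self.cookies = set()      # "remember this computer" bearer tokens
        self.credentials = {}     # user -> registered key material
        self.pending = {}         # outstanding challenge -> user
        self.seq = 0              # monotonic counter so challenges never repeat

    # Remembered-computer path: a bearer token, accepted from anywhere.
    def remember_computer(self):
        cookie = secrets.token_hex(16)
        self.cookies.add(cookie)
        return cookie

    def login_with_cookie(self, cookie):
        return cookie in self.cookies

    # Hardware-key path: one-time challenge, response checked against the
    # service's own origin.
    def register(self, user, key):
        self.credentials[user] = key.credential()

    def new_challenge(self, user):
        self.seq += 1
        challenge = f"{self.seq}:{secrets.token_hex(16)}"
        self.pending[challenge] = user
        return challenge

    def verify(self, challenge, response):
        user = self.pending.pop(challenge, None)  # each challenge usable once
        if user is None:
            return False
        expected = HardwareKey.respond(self.credentials[user], challenge, self.origin)
        return hmac.compare_digest(expected, response)


def run_scenarios():
    svc = Service("https://investor.example.test")  # constructed origin
    key = HardwareKey()
    svc.register("alice", key)
    results = {}

    # 1. A copied cookie is accepted: whoever holds the data is "remembered".
    cookie = svc.remember_computer()
    results["copied_cookie_accepted"] = svc.login_with_cookie(cookie)

    # 2. Genuine key, fresh challenge: accepted.
    ch = svc.new_challenge("alice")
    resp = key.sign(ch, svc.origin)
    results["genuine_key_accepted"] = svc.verify(ch, resp)

    # 3. Replaying the captured (challenge, response) pair: challenge consumed.
    results["replay_rejected"] = svc.verify(ch, resp)

    # 4. The captured response does not satisfy a later challenge.
    ch2 = svc.new_challenge("alice")
    results["old_response_on_new_challenge_rejected"] = svc.verify(ch2, resp)

    # 5. A response produced on a look-alike origin fails at the real service.
    ch3 = svc.new_challenge("alice")
    phished = key.sign(ch3, "https://investor.example-login.test")
    results["lookalike_origin_rejected"] = svc.verify(ch3, phished)

    # 6. A key that lacks the registered secret cannot answer at all.
    ch4 = svc.new_challenge("alice")
    results["unregistered_key_rejected"] = svc.verify(ch4, HardwareKey().sign(ch4, svc.origin))

    # 7. The sequence counter keeps every challenge distinct.
    results["challenges_unique"] = len({ch, ch2, ch3, ch4}) == 4
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Scenario 1 is the point about cookies: the service cannot tell a copied cookie from the original because nothing about it is tied to the machine. Scenarios 3 and 4 are the replay defence, which rests on the service consuming each challenge and never issuing the same one twice; scenario 5 is the origin binding that makes a captured response useless to a man-in-the-middle.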
K72
Posts: 205
Joined: Wed Dec 05, 2018 8:04 pm

Re: Yubikey only at Vanguard now possible.

Post by K72 »

Northern Flicker wrote: Thu May 12, 2022 3:26 am For Vanguard, you want to configure Google Voice for 2FA to protect against attacks using the Vanguard smartphone/tablet app, which does not support yubikeys. You still should use the yubikey for 2FA when using a browser to connect, which is preferred. Avoid using the app whenever practical. The GV 2FA option is still useful as a fallback to prevent lockout from your account if your yubikey fails or is lost— you can login with GV and disable the use of the lost yubikey. Be sure to secure your google voice account with 2 yubikeys and I prefer not to have any 1-time google passcodes implemented. They expand the attack surface, and are unnecessary if you have 2 yubikeys.
Related but perhaps tangential question. If I implement 2FA for Vanguard using GV and 2 yubikeys as you've described, is there any issue with using the same GV number for junk transactions like a one time restaurant reservation, sport tickets, etc.?
All we want are the facts...
Northern Flicker
Posts: 10434
Joined: Fri Apr 10, 2015 12:29 am

Re: Yubikey only at Vanguard now possible.

Post by Northern Flicker »

I presently don’t see a security risk with that, but I’d likely not do it. I probably would set up a separate GV number for that.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
Northern Flicker
Posts: 10434
Joined: Fri Apr 10, 2015 12:29 am

Re: Yubikey only at Vanguard now possible.

Post by Northern Flicker »

Following up on clicking “remember this computer”…

If you set that up, you subsequently can go to Profile & Account Settings -> Computer Access Restrictions

And there is an option to select to restrict access to recognized computers, browsers, etc.

Vanguard recommends not using that setting on the page where it appears (by recommending the choice not to restrict). Presumably this is to avoid account lockout, say if that machine bites the dust. You would need to have 2 or 3 machines remembered before enabling to avoid lockout. This still does not prevent replay attacks.

It would provide an alternative to google voice 2FA to protect the mobile app, eg you could have multiple machines remembered to avoid lockout and have the mobile device be one of them.

Protecting a phone app with GV 2FA would be most secure if the GV or the app login were on a separate device so that you are not typing in a password on the same device where a 2FA text code is received (single point of compromise/breach).
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.