Yubikey only at Vanguard now possible.

Fremdon Ferndock
Posts: 1004
Joined: Fri Dec 24, 2021 12:26 pm

Re: Yubikey only at Vanguard now possible.

Post by Fremdon Ferndock »

bertilak wrote: Sat Sep 03, 2022 10:21 am
Silence Dogood wrote: Sat Sep 03, 2022 9:53 am
Fremdon Ferndock wrote: Wed Aug 03, 2022 8:14 am I re-registered my Yubi 5 at Vanguard and now I have to enter the Yubi PIN every time I log in. What is the purpose of this and why?
I think a lot of the confusion/frustration is caused by the fact that people don't understand what FIDO2 looks like when fully implemented.
Include me in that group!

I use YubiKey with Vanguard as the second factor in a two-factor arrangement. Since I am asked to enter a PIN for the YubiKey that seems to be a THIRD factor:
  1. First Factor: ID/PW
  2. Second Factor: Touch YubiKey
  3. Third Factor: Enter YubiKey PIN
(Actually, steps 2 and 3 are reversed.)

I don't think I asked for a 3-factor login, yet there it is!

Have I set this up wrong somehow? Can I fix it? I suspect I could remove the PIN if I knew how. I have both the YubiKey Manager and the YubiKey Personalization Tool. But am very fuzzy on how to use them, or is Vanguard the one asking?
Use the Yubikey Manager. Select Applications > Fido2 > Reset. This will delete the PIN you have set. When the PIN is deleted, Vanguard login will not interrogate for the Yubikey PIN any longer. At least that's the way it worked for me.
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
bertilak
Posts: 9866
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Yubikey only at Vanguard now possible.

Post by bertilak »

Fremdon Ferndock wrote: Mon Sep 12, 2022 1:58 pm Use the Yubikey Manager. Select Applications > Fido2 > Reset. This will delete the PIN you have set. When the PIN is deleted, Vanguard login will not interrogate for the Yubikey PIN any longer. At least that's the way it worked for me.
I reset the key as described above.

I used my other key (still with a PIN) to log in to VG.

Deleted the key I just reset from VG then added it back.

VG made me establish a new PIN when I added it back.

Enough messing around for now!
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
Fremdon Ferndock
Posts: 1004
Joined: Fri Dec 24, 2021 12:26 pm

Re: Yubikey only at Vanguard now possible.

Post by Fremdon Ferndock »

bertilak wrote: Mon Sep 12, 2022 3:09 pm
Fremdon Ferndock wrote: Mon Sep 12, 2022 1:58 pm Use the Yubikey Manager. Select Applications > Fido2 > Reset. This will delete the PIN you have set. When the PIN is deleted, Vanguard login will not interrogate for the Yubikey PIN any longer. At least that's the way it worked for me.
I reset the key as described above.

I used my other key (still with a PIN) to log in to VG.

Deleted the key I just reset from VG then added it back.

VG made me establish a new PIN when I added it back.

Enough messing around for now!
I'm a bit confused. Do you have two Yubikeys, one with a PIN and one without? Perhaps you could start from scratch and try using just one key at a time. I deleted both of my registered Yubikeys from Vanguard, making sure I could still log on with a 2FA code to my phone. Then I logged off Vanguard. I reset one Yubikey to get rid of the PIN (the other didn't have one). Then I logged back on Vanguard using the 2FA code. I then registered one of the Yubikeys and then logged off and back on to see if I could log in using that Yubi without needing to enter a Yubi PIN. I only had that Yubi on my computer. It worked, so I went ahead and registered the 2nd Yubikey (with no PIN), and then logged off and back on to test that one. I could log in with either Yubi not needing a Yubi PIN with either >> success. This procedure basically implements the process for registering new Yubikeys to Vanguard, which does not require a Yubi PIN (new Yubis don't have a PIN).

Also, just in case -- use the Yubi Manager to select all the Applications for the Yubikey (not just FIDO) and make sure none of them has a PIN.
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
bertilak
Posts: 9866
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Yubikey only at Vanguard now possible.

Post by bertilak »

Fremdon Ferndock wrote: Mon Sep 12, 2022 3:56 pm
I'm a bit confused. Do you have two Yubikeys, one with a PIN and one without? Perhaps you could start from scratch and try using just one key at a time.
Two Yubikeys, each with a PIN, until I removed the PIN from one of them and had to put it back because VG insisted.

I'll reread what you say carefully and, probably, give it all another go (when I am in the mood).
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
K72
Posts: 333
Joined: Wed Dec 05, 2018 8:04 pm

Re: Yubikey only at Vanguard now possible.

Post by K72 »

As recommended in this forum as a workaround to the mobile app security flaw, I set up SMS to my GV number in addition to registering two security keys. Just for kicks, I tested the recovery from not having my security key. After clicking on the 'request a code' link on the security key confirmation page, I got a code sent to my GV number which I was able to use to get into my account, thus bypassing the hardware security keys.

It seems to me the workaround for the mobile app security flaw (i.e. setting up GV SMS) renders the hardware keys pretty much worthless. What I didn't try was disabling SMS (thus exposing the mobile app flaw) and trying it again to see what happens. Net is I think the best we can do for now is SMS to GV (or call to landline). Hopefully others can confirm what I just described.
All we want are the facts...
bertilak
Posts: 9866
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Yubikey only at Vanguard now possible.

Post by bertilak »

K72 wrote: Tue Sep 13, 2022 5:06 pm As recommended in this forum as a workaround to the mobile app security flaw, I set up SMS to my GV number in addition to registering two security keys. Just for kicks, I tested the recovery from not having my security key. After clicking on the 'request a code' link on the security key confirmation page, I got a code sent to my GV number which I was able to use to get into my account, thus bypassing the hardware security keys.

It seems to me the workaround for the mobile app security flaw (i.e. setting up GV SMS) renders the hardware keys pretty much worthless. What I didn't try was disabling SMS (thus exposing the mobile app flaw) and trying it again to see what happens. Net is I think the best we can do for now is SMS to GV (or call to landline). Hopefully others can confirm what I just described.
By GV, do you mean VG (for Vanguard)?

I am beginning to wonder about the worth of Yubikey for protection of my Vanguard accounts. I have a Yubikey but that doesn't prevent me from logging on from my phone app. The only thing I think it protects is using my laptop from being used to access my Vanguard accounts if I carelessly left it unattended. I'm not sure that is a big deal.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
Fremdon Ferndock
Posts: 1004
Joined: Fri Dec 24, 2021 12:26 pm

Re: Yubikey only at Vanguard now possible.

Post by Fremdon Ferndock »

GV = google voice
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
bertilak
Posts: 9866
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Yubikey only at Vanguard now possible.

Post by bertilak »

Fremdon Ferndock wrote: Tue Sep 13, 2022 5:24 pm GV = google voice
A new one on me!
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
Fremdon Ferndock
Posts: 1004
Joined: Fri Dec 24, 2021 12:26 pm

Re: Yubikey only at Vanguard now possible.

Post by Fremdon Ferndock »

K72 wrote: Tue Sep 13, 2022 5:06 pm As recommended in this forum as a workaround to the mobile app security flaw, I set up SMS to my GV number in addition to registering two security keys. Just for kicks, I tested the recovery from not having my security key. After clicking on the 'request a code' link on the security key confirmation page, I got a code sent to my GV number which I was able to use to get into my account, thus bypassing the hardware security keys.

It seems to me the workaround for the mobile app security flaw (i.e. setting up GV SMS) renders the hardware keys pretty much worthless. What I didn't try was disabling SMS (thus exposing the mobile app flaw) and trying it again to see what happens. Net is I think the best we can do for now is SMS to GV (or call to landline). Hopefully others can confirm what I just described.
This has been discussed before. Haven't tried disabling SMS myself -- I'm afraid to do it and then have the Yubikey choke on Vanguard. I want to avoid having to call Vanguard about anything.
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
bertilak
Posts: 9866
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Yubikey only at Vanguard now possible.

Post by bertilak »

Fremdon Ferndock wrote: Tue Sep 13, 2022 5:31 pm
K72 wrote: Tue Sep 13, 2022 5:06 pm As recommended in this forum as a workaround to the mobile app security flaw, I set up SMS to my GV number in addition to registering two security keys. Just for kicks, I tested the recovery from not having my security key. After clicking on the 'request a code' link on the security key confirmation page, I got a code sent to my GV number which I was able to use to get into my account, thus bypassing the hardware security keys.

It seems to me the workaround for the mobile app security flaw (i.e. setting up GV SMS) renders the hardware keys pretty much worthless. What I didn't try was disabling SMS (thus exposing the mobile app flaw) and trying it again to see what happens. Net is I think the best we can do for now is SMS to GV (or call to landline). Hopefully others can confirm what I just described.
This has been discussed before. Haven't tried disabling SMS myself -- I'm afraid to do it and then have the Yubikey choke on Vanguard. I want to avoid having to call Vanguard about anything.
I have SMS in effect, but it is configured to only kick in if I am using an unfamiliar (to Vanguard) device. Otherwise, it's like it isn't there -- completely unobtrusive.

I just disabled Yubikey and SMS took over. I reconfigured it to only kick in on unfamiliar devices.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
anon_investor
Posts: 13472
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

K72 wrote: Tue Sep 13, 2022 5:06 pm As recommended in this forum as a workaround to the mobile app security flaw, I set up SMS to my GV number in addition to registering two security keys. Just for kicks, I tested the recovery from not having my security key. After clicking on the 'request a code' link on the security key confirmation page, I got a code sent to my GV number which I was able to use to get into my account, thus bypassing the hardware security keys.

It seems to me the workaround for the mobile app security flaw (i.e. setting up GV SMS) renders the hardware keys pretty much worthless. What I didn't try was disabling SMS (thus exposing the mobile app flaw) and trying it again to see what happens. Net is I think the best we can do for now is SMS to GV (or call to landline). Hopefully others can confirm what I just described.
Yubikey has the benefit to protect against spoofed sites.
elpollo
Posts: 82
Joined: Sun Jun 23, 2019 12:10 am

Re: Yubikey only at Vanguard now possible.

Post by elpollo »

I'm just waiting for Sept 20th to see if anything happens. I re-registered my non-FIDO2 (non-PIN) keys; I'm doubting that Sept 20 is going to change to FIDO2 (PIN) keys only.

I may end up buying a PIN key, as I now understand the whole purpose is to move away from passwords as one of the factors to log in to accounts (just a key and a PIN), with the added bonus of the newer protocol also being WEB-something. Then never write down the PIN.

The blue Yubis (aka security key) are reasonable at $25 for now; I think I paid $17 for the FIDO U2F blue key some years ago.

Though who knows if the few accounts I use will ever implement it.
Discussions should be conducted without fondness for dispute or desire for victory. - Benjamin Franklin
bertilak
Posts: 9866
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Yubikey only at Vanguard now possible.

Post by bertilak »

It would be really nice if the following worked:

From Yubikey's web site:
  • a YubiKey cannot be used in conjunction with signing into your computer using a Microsoft Account.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
Silence Dogood
Posts: 1638
Joined: Tue Feb 01, 2011 9:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

bertilak wrote: Sat Sep 03, 2022 10:21 am
Silence Dogood wrote: Sat Sep 03, 2022 9:53 am
Fremdon Ferndock wrote: Wed Aug 03, 2022 8:14 am I re-registered my Yubi 5 at Vanguard and now I have to enter the Yubi PIN every time I log in. What is the purpose of this and why?
I think a lot of the confusion/frustration is caused by the fact that people don't understand what FIDO2 looks like when fully implemented.
Include me in that group!

I use YubiKey with Vanguard as the second factor in a two-factor arrangement. Since I am asked to enter a PIN for the YubiKey that seems to be a THIRD factor:
  1. First Factor: ID/PW
  2. Second Factor: Touch YubiKey
  3. Third Factor: Enter YubiKey PIN
(Actually, steps 2 and 3 are reversed.)

I don't think I asked for a 3-factor login, yet there it is!

Have I set this up wrong somehow? Can I fix it? I suspect I could remove the PIN if I knew how. I have both the YubiKey Manager and the YubiKey Personalization Tool. But am very fuzzy on how to use them, or is Vanguard the one asking?
Here is what I posted in another thread:
Silence Dogood wrote: Sun Aug 14, 2022 1:41 pm
Silence Dogood wrote: Sun Aug 07, 2022 1:01 pm Given that Vanguard requires a (separate) password, my recommendation would be for Vanguard to not require a PIN and to specify this in their user verification settings.
To expand on this, I think that Vanguard should eventually require a PIN - with the ultimate goal of implementing security key + PIN (only) for authentication. However, currently not all operating systems/browsers support this. For the most part, all modern operating systems/browsers do support username/password + security key.

Operating system and web browser support for FIDO2 and U2F

Of course, the main obstacle remains - the Vanguard mobile app, which currently does not support security keys at all.

I think the most effective action that we can all take is to contact Vanguard to let them know that security key support for the mobile app is important to us. The more they hear about this from their clients, the more likely they are to prioritize this.
Northern Flicker
Posts: 12335
Joined: Fri Apr 10, 2015 12:29 am

Re: Yubikey only at Vanguard now possible.

Post by Northern Flicker »

K72 wrote: Tue Sep 13, 2022 5:06 pm As recommended in this forum as a workaround to the mobile app security flaw, I set up SMS to my GV number in addition to registering two security keys. Just for kicks, I tested the recovery from not having my security key. After clicking on the 'request a code' link on the security key confirmation page, I got a code sent to my GV number which I was able to use to get into my account, thus bypassing the hardware security keys.

It seems to me the workaround for the mobile app security flaw (i.e. setting up GV SMS) renders the hardware keys pretty much worthless. What I didn't try was disabling SMS (thus exposing the mobile app flaw) and trying it again to see what happens. Net is I think the best we can do for now is SMS to GV (or call to landline). Hopefully others can confirm what I just described.
If you use the Yubikey when you login, it protects against trojan horse attacks, including phishing attacks and man-in-the-middle attacks. But using the Yubikeys to lock down your GV account and using just GV for Vanguard 2FA is a reasonable option. Vanguard would do well to support Yubikeys for their app.
My postings represent my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
Northern Flicker
Posts: 12335
Joined: Fri Apr 10, 2015 12:29 am

Re: Yubikey only at Vanguard now possible.

Post by Northern Flicker »

Note that SIM swaps are not the only attack on cell phone SMS. There also have been attacks where the attacker poses as a bandwidth reseller (smaller cell company that resells a major carrier's bandwidth) and convinces a cell company that they now own the service for a large set of supplied phone numbers, taking over the administration of them.

https://krebsonsecurity.com/2021/03/can ... ecure-now/

GV would not be susceptible, and GV has a switch to turn off phone number ports. I believe the default is off, and I think you even have to pay google to turn it on.

The major cell carriers seem to have some safeguards for this in place, and at least some of them send an SMS code to authenticate a phone number port.

It is of course important to have a PIN or password lock on the phone, and don't enable displaying text messages while the phone is locked (so SMS is not compromised if the phone is lost or stolen).
My postings represent my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
Silence Dogood
Posts: 1638
Joined: Tue Feb 01, 2011 9:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

I tested this out again today.

Vanguard allows me to opt-out of security codes - indicating that I am able to do so because I have at least two security keys registered. This works perfectly fine when logging onto the Vanguard website; it works exactly as it should.

However, I downloaded the Vanguard mobile app and attempted to log on. I entered my username, password, and answered a security question - all "something I know". Once again, it prompts me to set up security codes. I can choose my phone number on file or enter a new phone number.

It's frustrating that, after all this time, Vanguard still hasn't fixed this.

It should not take long for them to at least remove the option to add a new phone number (as in, at least limit the choice to phone numbers already on file). Ideally, Vanguard should implement security key support for the mobile app.
gavinsiu
Posts: 1701
Joined: Sun Nov 14, 2021 12:42 pm

Re: Yubikey only at Vanguard now possible.

Post by gavinsiu »

Can someone explain to me how to remove my SMS security code? Right now, I can't disable the SMS security code. To do that, I have to remove my Yubikey, and then I can delete my security code, but when I tried to add the Yubikey back, I got a notice that I have to add an SMS security code first. How do you add the key without adding the security code?
otinkyad
Posts: 413
Joined: Wed Jun 01, 2016 5:35 pm

Re: Yubikey only at Vanguard now possible.

Post by otinkyad »

gavinsiu wrote: Tue Nov 29, 2022 6:04 pm Can someone explain to me how to remove my sms security code.
See the post immediately before yours. First, you need two security keys to do it. Second, it’s a really bad idea to do it, given the phone app’s poor design (which you don’t have to be using to be vulnerable to).
gavinsiu
Posts: 1701
Joined: Sun Nov 14, 2021 12:42 pm

Re: Yubikey only at Vanguard now possible.

Post by gavinsiu »

otinkyad wrote: Tue Nov 29, 2022 6:37 pm See the post immediately before yours. First, you need two security keys to do it. Second, it’s a really bad idea to do it, given the phone app’s poor design (which you don’t have to be using to be vulnerable to).
That is not good. This means there is still a way to bypass the Yubikey. We don't know if Vanguard encrypts the security questions. A hack might expose enough info to register the mobile app maliciously.
TheGreyingDuke
Posts: 2052
Joined: Fri Sep 02, 2011 10:34 am

Re: Yubikey only at Vanguard now possible.

Post by TheGreyingDuke »

Maybe a little off topic...

When logging into the VG website I can now do a secondary login by using the app: I log in with user name and password, open the app on my phone, and can authorize the login without any SMS. Is this secure enough?
"Every time I see an adult on a bicycle, I no longer despair for the future of the human race." H.G. Wells
Northern Flicker
Posts: 12335
Joined: Fri Apr 10, 2015 12:29 am

Re: Yubikey only at Vanguard now possible.

Post by Northern Flicker »

TheGreyingDuke wrote: Mon Dec 12, 2022 5:31 pm Maybe a little off topic...

When logging into the VG website I can now do a secondary login by using the app: I log in with user name and password, open the app on my phone, and can authorize the login without any SMS. Is this secure enough?
Whether or not one login method is secure does not answer the question of whether the full range of options available to a cyberthief are sufficiently limited to provide adequate security.
My postings represent my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
Northern Flicker
Posts: 12335
Joined: Fri Apr 10, 2015 12:29 am

Re: Yubikey only at Vanguard now possible.

Post by Northern Flicker »

K72 wrote: Tue Sep 13, 2022 5:06 pm It seems to me the workaround for the mobile app security flaw (i.e. setting up GV SMS) renders the hardware keys pretty much worthless.
Setting up the GV SMS to protect access using the app, but using the Yubikey when you login from a browser still offers protection against man-in-the-middle attacks, phishing attacks, and other forms of Trojan horse attacks. Using GV SMS only also is secure enough. Be sure the GV account is secured adequately (yubikey or google authenticator).

Google has not yet implemented pins for yubikey configurations as far as I know.
My postings represent my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
gavinsiu
Posts: 1701
Joined: Sun Nov 14, 2021 12:42 pm

Re: Yubikey only at Vanguard now possible.

Post by gavinsiu »

Basically, by leaving an SMS fallback, a hacker would use that to try to break into your system. However, it is still a good idea to set up a Yubikey. The reason is that it will protect you from phishing. You will know, for example, that when Vanguard is asking for an SMS verification instead of a Yubikey prompt, something is wrong.
cdaddio23
Posts: 25
Joined: Sun Feb 15, 2015 10:58 pm

Re: Yubikey only at Vanguard now possible.

Post by cdaddio23 »

I was successfully able to register two Yubikeys and to remove SMS as a method of 2-factor authentication on my account.

However, with DW's account, which has access to the same taxable brokerage account but has some older TIRA/RIRA accounts as well, I am unable to disable SMS as a 2FA even after registering the two physical Yubikeys.

I am in a cyclical limbo of being told by the website to delete my security keys. But to re-enroll them, I need to enroll in SMS text messaging again. Has anyone been able to figure out the solution to this issue? Does the fact my wife has the old non-brokerage RIRA/TIRA account type come into play?

Many thanks and Happy New Year
Northern Flicker
Posts: 12335
Joined: Fri Apr 10, 2015 12:29 am

Re: Yubikey only at Vanguard now possible.

Post by Northern Flicker »

Silence Dogood wrote: Wed Dec 22, 2021 11:02 am
The fact that these issues still haven't been fixed is very concerning.

At the very least, Vanguard can and should get rid of the ability to add any new phone number for sending security codes to when using the mobile app (i.e., only allow existing phone numbers on file). That should not take long to implement.
Bumping an old post because it was referenced in another thread. This is not the right logic. Once an attacker has breached the account to obtain access, the fact that they can set up a phone number for SMS 2FA is not the biggest risk. The fact that they have access to the account is the much bigger concern. Setting up a phone number would enable use of it to login again, but you also would be alerted of the change. This would be a reason to get account alerts by email -- segregated from the 2FA mechanism, with duplicates for critical ones by text.

Vanguard should focus their energy on supporting Yubikeys with the app.
My postings represent my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
Silence Dogood
Posts: 1638
Joined: Tue Feb 01, 2011 9:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

Northern Flicker wrote: Sun Jan 22, 2023 3:46 pm
Silence Dogood wrote: Wed Dec 22, 2021 11:02 am At the very least, Vanguard can and should get rid of the ability to add any new phone number for sending security codes to when using the mobile app (i.e., only allow existing phone numbers on file). That should not take long to implement.
Bumping an old post because it was referenced in another thread. This is not the right logic. Once an attacker has breached the account to obtain access, the fact that they can set up a phone number for SMS 2FA is not the biggest risk. The fact that they have access to the account is the much bigger concern. Setting up a phone number would enable use of it to login again, but you also would be alerted of the change. This would be a reason to get account alerts by email -- segregated from the 2FA mechanism, with duplicates for critical ones by text.
Please note that this is what I expect Vanguard to do at the very least.
Northern Flicker wrote: Sun Jan 22, 2023 3:46 pm Vanguard should focus their energy on supporting Yubikeys with the app.
I agree - Vanguard should implement Yubikey support for the mobile app.
Silence Dogood wrote: Sun Aug 14, 2022 1:41 pm I think the most effective action that we can all take is to contact Vanguard to let them know that security key support for the mobile app is important to us. The more they hear about this from their clients, the more likely they are to prioritize this.
Northern Flicker
Posts: 12335
Joined: Fri Apr 10, 2015 12:29 am

Re: Yubikey only at Vanguard now possible.

Post by Northern Flicker »

Until the phone app supports Yubikeys, a switch in the web app to disable access altogether from the phone app would be a more effective bandaid.
My postings represent my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
anon_investor
Posts: 13472
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

Northern Flicker wrote: Tue Jan 24, 2023 12:23 am Until the phone app supports Yubikeys, a switch in the web app to disable access altogether from the phone app would be a more effective bandaid.
I cannot believe this still has not been fixed. The Yubikey + GV SMS 2FA (with Google account secured by Yubikey) still seems like the current best solution.
Northern Flicker
Posts: 12335
Joined: Fri Apr 10, 2015 12:29 am

Re: Yubikey only at Vanguard now possible.

Post by Northern Flicker »

The issue I have with SMS 2FA as a bandaid for the phone app (GV or otherwise) is that Vanguard uses that to authenticate password resets, so it becomes a single point of failure. If SMS 2FA were not enabled, they might even use so-called security questions for that (even worse) but I've not tested that.
My postings represent my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
anon_investor
Posts: 13472
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

Northern Flicker wrote: Tue Jan 24, 2023 12:59 am The issue I have with SMS 2FA as a bandaid for the phone app (GV or otherwise) is that Vanguard uses that to authenticate password resets, so it becomes a single point of failure. If SMS 2FA were not enabled, they might even use so-called security questions for that (even worse) but I've not tested that.
You can secure your google account (and thus your GV #) with a Yubikey.
Northern Flicker
Posts: 12335
Joined: Fri Apr 10, 2015 12:29 am

Re: Yubikey only at Vanguard now possible.

Post by Northern Flicker »

Yes, but the GV app (or email client if receiving the codes by an associated gmail address) is still part of the attack surface.

This is still better than cell phone SMS where a SIM swap will provide both the ability to reset a password and receive 2FA codes.

My preference would be if Vanguard implemented Yubikey support for the phone app, and allowed SMS to be configured for authenticating password resets but not logins. Then passwords and password resets could be fully segregated from the 2FA used for logins.

(Whether passwords even are needed with pin-protected Yubikeys with alphanumeric pins is a separate discussion).
My postings represent my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.