Urge Vanguard to support better two-factor authentication

zlandar
Posts: 187
Joined: Wed Apr 10, 2019 8:51 am

Re: Urge Vanguard to support better two-factor authentication

Post by zlandar » Thu Nov 28, 2019 9:08 am

grok87 wrote:
Thu Nov 28, 2019 8:09 am
zlandar wrote:
Wed Nov 27, 2019 11:21 am
Katie wrote:
Wed Nov 27, 2019 11:10 am
I feel sort of dumb here, but I have no idea how these other authentication methods work although I guess I'd figure it out if I had to do so.
You download an app to your smartphone. You link your app to your online bank/email/etc account. When you log in you enter a 6 digit code on the app that changes every 30 seconds.

Criminals are tricking cellular providers into transferring phone numbers to a phone in their hands. Once that occurs they can cause all kinds of havoc, especially if your main email account also uses text messages to recover a lost password. They can reset your email and brokerage accounts, lock you out, and steal your money doing this.

With the app it doesn't matter if criminals hijack your phone number. That's why it's better to disable text messages as a way to recover your email/brokerage accounts.
This just happened to a friend of mine. His cellphone was hijacked and they used the 2 factor authentication to clean out his bank accounts etc.
Apparently the way they hijacked his phone was they somehow got access to his account at the cellphone provider - tricked their customer service or something. Then they "ported" the phone to another cell phone provider.

So one suggestion is that you can lock down your phone so it can't be ported? Has anyone done this?
Some of the cellular providers have a 4 number PIN to protect your cell phone account. It's extremely flimsy protection as a criminal can sweet-talk/brow-beat/con the customer rep answering the phone into porting the number. There are also cases where the criminals pay an employee of the cellular provider to port the phone.

There was a recent article in WSJ where someone had been SIM-swapped and requested an extra layer of protection with his cellular provider. Criminals broke in anyway:

"Here is the really scary part: Mr. Terpin had been SIM-swapped seven months earlier. He got lucky and didn’t lose any money that time, but had taken serious steps to prevent it from happening again. He had consulted with security professionals. He had gone to an AT&T store and added a security feature to his account that required a secret six-digit PIN to make any changes. He removed text-message authentication where he could, replacing it with Google Authenticator.

Mr. Terpin believes employees at an AT&T authorized dealer handed hackers control of his phone number, and those hackers found a way into his digital wallets by breaking into accounts of his that couldn’t be protected by Authenticator."

https://markets.businessinsider.com/cur ... 1028677818

rkhusky
Posts: 7560
Joined: Thu Aug 18, 2011 8:09 pm

Re: Urge Vanguard to support better two-factor authentication

Post by rkhusky » Thu Nov 28, 2019 9:46 am

You can also have Vanguard call your home phone and give the PIN via voice - no cell phone required.

grok87
Posts: 8865
Joined: Tue Feb 27, 2007 9:00 pm

Re: Urge Vanguard to support better two-factor authentication

Post by grok87 » Thu Nov 28, 2019 10:06 am

rkhusky wrote:
Thu Nov 28, 2019 9:46 am
You can also have Vanguard call your home phone and give the PIN via voice - no cell phone required.
thanks- that's an interesting idea
RIP Mr. Bogle.

BuddyJet
Posts: 252
Joined: Mon Jun 24, 2019 8:56 pm

Re: Urge Vanguard to support better two-factor authentication

Post by BuddyJet » Thu Nov 28, 2019 10:07 am

dmcmahon wrote:
Wed Nov 27, 2019 9:52 pm
BuddyJet wrote:
Wed Nov 27, 2019 8:46 pm
Along with the SMS fallback at Vanguard, Vanguard only supports YubiKey with Chrome on Windows and Macs. YubiKeys on phones and tablets with Chrome are not supported. I have tried YubiKeys with Lightning, USB-C and NFC on various iPad, iPhone and Android devices with no success after registering them on my Mac.
I've had success using the Yubikey to access Vanguard with Chrome on Linux.
Thanks. I always forget about Linux.
People say nothing is impossible. I do nothing all day.

yogesh
Posts: 406
Joined: Thu Oct 11, 2012 6:20 pm

Re: Urge Vanguard to support better two-factor authentication

Post by yogesh » Thu Nov 28, 2019 10:16 am

Fidelity 2FA can be SMS, Voice or email.
You can also put full account lockdown.
Emergency: FDIC | Taxable: VTMFX | Retirement: TR2040

grok87
Posts: 8865
Joined: Tue Feb 27, 2007 9:00 pm

Re: Urge Vanguard to support better two-factor authentication

Post by grok87 » Thu Nov 28, 2019 10:21 am

yogesh wrote:
Thu Nov 28, 2019 10:16 am
Fidelity 2FA can be SMS, Voice or email.
You can also put full account lockdown.
is email more secure than sms?
RIP Mr. Bogle.

mptfan
Posts: 5637
Joined: Mon Mar 05, 2007 9:58 am

Re: Urge Vanguard to support better two-factor authentication

Post by mptfan » Thu Nov 28, 2019 12:48 pm

grok87 wrote:
Thu Nov 28, 2019 10:21 am
yogesh wrote:
Thu Nov 28, 2019 10:16 am
Fidelity 2FA can be SMS, Voice or email.
You can also put full account lockdown.
is email more secure than sms?
If you follow reasonable security practices and use 2 factor authentication for your email account, then yes, email is much safer than SMS.

mptfan
Posts: 5637
Joined: Mon Mar 05, 2007 9:58 am

Re: Urge Vanguard to support better two-factor authentication

Post by mptfan » Thu Nov 28, 2019 12:49 pm

yogesh wrote:
Thu Nov 28, 2019 10:16 am
Fidelity 2FA can be SMS, Voice or email.
Or Symantec VIP access.

https://www.fidelity.com/security/extra-security-login

I don't see an option for email, can you explain how that is set up?

yogesh
Posts: 406
Joined: Thu Oct 11, 2012 6:20 pm

Re: Urge Vanguard to support better two-factor authentication

Post by yogesh » Thu Nov 28, 2019 2:36 pm

mptfan wrote:
Thu Nov 28, 2019 12:49 pm
yogesh wrote:
Thu Nov 28, 2019 10:16 am
Fidelity 2FA can be SMS, Voice or email.
Or Symantec VIP access.

https://www.fidelity.com/security/extra-security-login

I don't see an option for email, can you explain how that is set up?
When I enabled 2FA it gave me options after entering login/password; options included 2 phone numbers for sms, 2 phone numbers for call & email
Emergency: FDIC | Taxable: VTMFX | Retirement: TR2040

ARoseByAnyOtherName
Posts: 322
Joined: Wed Apr 26, 2017 12:03 am

Re: Urge Vanguard to support better two-factor authentication

Post by ARoseByAnyOtherName » Thu Nov 28, 2019 4:39 pm

yogesh wrote:
Thu Nov 28, 2019 2:36 pm
mptfan wrote:
Thu Nov 28, 2019 12:49 pm
yogesh wrote:
Thu Nov 28, 2019 10:16 am
Fidelity 2FA can be SMS, Voice or email.
Or Symantec VIP access.

https://www.fidelity.com/security/extra-security-login

I don't see an option for email, can you explain how that is set up?
When I enabled 2FA it gave me options after entering login/password; options included 2 phone numbers for sms, 2 phone numbers for call & email
Symantec VIP access is the best 2FA option at Fidelity at this point.

I’ve been quite impressed with Fidelity when it comes to IT/technology, so I am hoping they will implement FIDO/Yubikey support at some point. But they haven’t yet.

7eight9
Posts: 436
Joined: Fri May 17, 2019 7:11 pm

Re: Urge Vanguard to support better two-factor authentication

Post by 7eight9 » Thu Nov 28, 2019 5:00 pm

ARoseByAnyOtherName wrote:
Wed Nov 27, 2019 7:58 pm
dboeger1 wrote:
Wed Nov 27, 2019 4:06 pm
I very consciously DO NOT use TOTP in my personal life. I almost locked myself out of a valuable account when trading in a phone once because of it, and thankfully was able to find my recovery codes which I had written down (itself a security risk) years prior. I also don't secure my phone all that well because I frequently share it with my wife, especially when traveling out in public. Therefore, I trust the nowadays fairly prevalent email encryption between major email providers far more than my phone as an authentication factor. So yes, if I were a better user of TOTP, I suppose the security would be superior, but for my use case, I am not willing to trade the conveniences I regularly make use of for the extra security. And yes, I know about SIM-swapping. It's a pretty nasty attack. But I trust that mobile service providers will crack down on that before it affects me, considering that's really a security flaw on their end, not the users. In the end, SMS is still just a 2nd factor, and good passwords will still be sufficient for most accounts and responsible users.
This is really horrible, horrible security practice.

Not securing your phone is really bad. I assume you have email on there? Your personal email I imagine? Maybe your work email too? And that's just the tip of the iceberg. There's an easy solution - just put a passcode on it and tell your wife your passcode. Problem solved.

And trusting that mobile service providers will crack down on that before it affects you.... well I have a bridge to sell you.

Security is almost always a tradeoff with convenience but in my opinion the above goes way, way too far in service of convenience. I hope nobody else takes this as advice.

I posted a list of good security practices here:
viewtopic.php?f=11&t=288310#p4702423
I'm with dboeger1. My phone isn't locked. I don't need to lock it. I'm not a terrorist.

Someone steals my phone and accesses my email? Great. Nothing exciting there. No apps to click other than what came on the phone to begin with and one free game. I guess I would feel bad if I lost my game but I could always start over.
I guess it all could be much worse. | They could be warming up my hearse.

dmcmahon
Posts: 2025
Joined: Fri Mar 21, 2008 10:29 pm

Re: Urge Vanguard to support better two-factor authentication

Post by dmcmahon » Thu Nov 28, 2019 11:52 pm

yogesh wrote:
Thu Nov 28, 2019 10:16 am
Fidelity 2FA can be SMS, Voice or email.
You can also put full account lockdown.
Or you can use the VIP Access app on mobile devices (it's an RSA key mechanism similar to a physical fob).

ARoseByAnyOtherName
Posts: 322
Joined: Wed Apr 26, 2017 12:03 am

Re: Urge Vanguard to support better two-factor authentication

Post by ARoseByAnyOtherName » Fri Nov 29, 2019 12:59 am

7eight9 wrote:
Thu Nov 28, 2019 5:00 pm
ARoseByAnyOtherName wrote:
Wed Nov 27, 2019 7:58 pm
dboeger1 wrote:
Wed Nov 27, 2019 4:06 pm
I very consciously DO NOT use TOTP in my personal life. I almost locked myself out of a valuable account when trading in a phone once because of it, and thankfully was able to find my recovery codes which I had written down (itself a security risk) years prior. I also don't secure my phone all that well because I frequently share it with my wife, especially when traveling out in public. Therefore, I trust the nowadays fairly prevalent email encryption between major email providers far more than my phone as an authentication factor. So yes, if I were a better user of TOTP, I suppose the security would be superior, but for my use case, I am not willing to trade the conveniences I regularly make use of for the extra security. And yes, I know about SIM-swapping. It's a pretty nasty attack. But I trust that mobile service providers will crack down on that before it affects me, considering that's really a security flaw on their end, not the users. In the end, SMS is still just a 2nd factor, and good passwords will still be sufficient for most accounts and responsible users.
This is really horrible, horrible security practice.

Not securing your phone is really bad. I assume you have email on there? Your personal email I imagine? Maybe your work email too? And that's just the tip of the iceberg. There's an easy solution - just put a passcode on it and tell your wife your passcode. Problem solved.

And trusting that mobile service providers will crack down on that before it affects you.... well I have a bridge to sell you.

Security is almost always a tradeoff with convenience but in my opinion the above goes way, way too far in service of convenience. I hope nobody else takes this as advice.

I posted a list of good security practices here:
viewtopic.php?f=11&t=288310#p4702423
I'm with dboeger1. My phone isn't locked. I don't need to lock it. I'm not a terrorist.

Someone steals my phone and accesses my email? Great. Nothing exciting there. No apps to click other than what came on the phone to begin with and one free game. I guess I would feel bad if I lost my game but I could always start over.
If your phone isn't locked anyone who picks up your phone - or swipes it out of your hand on the street - can trivially access your personal email. If an attacker can access your personal email they can do a password reset ("Forgot your password?" style) at a bunch of online sites and take over your accounts. Possibly including your email account itself.

Once they gain control over an account or two they can likely leverage those to take over more accounts, and in the process possibly glean enough information to attempt a social engineering takeover of accounts at financial institutions. Information from your Contacts and Calendar events stored on your unlocked phone will likely come in handy during this process.

Are you sure you don't need to lock your phone? Really sure?

If so then I wish you the best. But I would never recommend anyone do the same, especially now that fingerprint unlocking and facial unlocking are so fast and easy.

rkhusky
Posts: 7560
Joined: Thu Aug 18, 2011 8:09 pm

Re: Urge Vanguard to support better two-factor authentication

Post by rkhusky » Fri Nov 29, 2019 8:33 am

ARoseByAnyOtherName wrote:
Fri Nov 29, 2019 12:59 am
If your phone isn't locked anyone who picks up your phone - or swipes it out of your hand on the street - can trivially access your personal email. If an attacker can access your personal email they can do a password reset ("Forgot your password?" style) at a bunch of online sites and take over your accounts. Possibly including your email account itself.

Once they gain control over an account or two they can likely leverage those to take over more accounts, and in the process possibly glean enough information to attempt a social engineering takeover of accounts at financial institutions. Information from your Contacts and Calendar events stored on your unlocked phone will likely come in handy during this process.

Are you sure you don't need to lock your phone? Really sure?

If so then I wish you the best. But I would never recommend anyone do the same, especially now that fingerprint unlocking and facial unlocking are so fast and easy.
Only if you have your account access email on your phone. My account access email is only on my computer at home. I don't do any financial transactions on my phone. Nevertheless, I still have a PIN to access my phone.

kevinf
Posts: 78
Joined: Mon Aug 05, 2019 11:35 pm

Re: Urge Vanguard to support better two-factor authentication

Post by kevinf » Fri Nov 29, 2019 11:19 am

rkhusky wrote:
Fri Nov 29, 2019 8:33 am
ARoseByAnyOtherName wrote:
Fri Nov 29, 2019 12:59 am
If your phone isn't locked anyone who picks up your phone - or swipes it out of your hand on the street - can trivially access your personal email. If an attacker can access your personal email they can do a password reset ("Forgot your password?" style) at a bunch of online sites and take over your accounts. Possibly including your email account itself.

Once they gain control over an account or two they can likely leverage those to take over more accounts, and in the process possibly glean enough information to attempt a social engineering takeover of accounts at financial institutions. Information from your Contacts and Calendar events stored on your unlocked phone will likely come in handy during this process.

Are you sure you don't need to lock your phone? Really sure?

If so then I wish you the best. But I would never recommend anyone do the same, especially now that fingerprint unlocking and facial unlocking are so fast and easy.
Only if you have your account access email on your phone. My account access email is only on my computer at home. I don't do any financial transactions on my phone. Nevertheless, I still have a PIN to access my phone.
If your phone isn't also encrypted an attacker can simply plug it in and retrieve data that may reveal personal information and show where you keep sensitive accounts. Then they'll factory reset the phone, and attempt to social engineer reps at institutions you hold accounts at with your phone number and personal info.

bryanm
Posts: 220
Joined: Mon Aug 13, 2018 3:48 pm

Re: Urge Vanguard to support better two-factor authentication

Post by bryanm » Fri Nov 29, 2019 12:08 pm

tuningfork wrote:
Wed Nov 27, 2019 11:00 pm
I currently use Google Authenticator wherever possible, but I'm contemplating switching to Authy. My understanding is that Authy will store your authentication tokens in the cloud, encrypted with a password only you know, so if you lose or trade in your phone, you can easily associate your next phone with Authy and have access to all your tokens. Anybody else here using Authy and can confirm it's easy to switch phones?

I really detest those recovery codes, which I don't have for all the sites I use GA on. I'm assuming if I switch to Authy then I never have to bother with recovery codes, as long as I have access to at least one device with Authy.
sfmdk240 wrote:
Thu Nov 28, 2019 1:37 am
I was considering switching to Authy as well but I've read a couple of posts on the internet expressing concern that the Authy app is susceptible to the same SIM-swap vulnerability as an SMS 2FA system, if within the Authy app the multiple devices feature is turned on, since your phone number essentially functions as your username. This is definitely into the weeds of 2FA and beyond my expertise, but something to think about. Anyone with more experience, feel free to chime in. I use DUO at work and it's good as well. Basically the same as Google Authenticator.

https://support.authy.com/hc/en-us/arti ... SIM-Swap-
https://www.reddit.com/r/Bitcoin/commen ... _a_hacker/
I don't have experience with Authy, but if you're a Lastpass user, Lastpass Authenticator backs up to your LP Vault. That's how I deal with this issue.

Wiggums
Posts: 1922
Joined: Thu Jan 31, 2019 8:02 am

Re: Urge Vanguard to support better two-factor authentication

Post by Wiggums » Fri Nov 29, 2019 12:54 pm

mptfan wrote:
Wed Nov 27, 2019 10:34 am
Using a yubikey or other physical security device is the gold standard for 2 factor authentication and Vanguard deserves credit for adopting it. However, they should give their customers the option to remove SMS texting as a fallback option and provide other options.
I agree. A hardware token is more secure than the software based equivalent.

Broken Man 1999
Posts: 3459
Joined: Wed Apr 08, 2015 11:31 am

Re: Urge Vanguard to support better two-factor authentication

Post by Broken Man 1999 » Fri Nov 29, 2019 1:32 pm

For dinosaurs like myself, one can direct their Vanguard security code to be sent to their landline phone.

That eliminates the SIM card issue.

Yeah, I get it, who has a landline any longer? :D

So far as any cell phone issue, any would-be crook would find slim pickings if they stole my cell phone. I have ZERO permanent financial apps on it, and the only email address is a burner one, gmail, which receives ZERO emails from any of our financial entities. I do download the app for my credit union, but after I deposit a check (only use of the app) I immediately remove the app.

Any financial dealings are done on my PC, connected by an Ethernet cable to the router.

I am OK being a dinosaur, but I think I see something really large in the sky coming my way. Seems to be getting closer every year!

Broken Man 1999
“If I cannot drink Bourbon and smoke cigars in Heaven then I shall not go.” -Mark Twain

ARoseByAnyOtherName
Posts: 322
Joined: Wed Apr 26, 2017 12:03 am

Re: Urge Vanguard to support better two-factor authentication

Post by ARoseByAnyOtherName » Fri Nov 29, 2019 3:15 pm

rkhusky wrote:
Fri Nov 29, 2019 8:33 am
ARoseByAnyOtherName wrote:
Fri Nov 29, 2019 12:59 am
If your phone isn't locked anyone who picks up your phone - or swipes it out of your hand on the street - can trivially access your personal email. If an attacker can access your personal email they can do a password reset ("Forgot your password?" style) at a bunch of online sites and take over your accounts. Possibly including your email account itself.

Once they gain control over an account or two they can likely leverage those to take over more accounts, and in the process possibly glean enough information to attempt a social engineering takeover of accounts at financial institutions. Information from your Contacts and Calendar events stored on your unlocked phone will likely come in handy during this process.

Are you sure you don't need to lock your phone? Really sure?

If so then I wish you the best. But I would never recommend anyone do the same, especially now that fingerprint unlocking and facial unlocking are so fast and easy.
Only if you have your account access email on your phone.
dboeger1, who I was responding to, clearly stated they have their email account set up on their phone.
rkhusky wrote:
Fri Nov 29, 2019 8:33 am
I don't do any financial transactions on my phone. Nevertheless, I still have a PIN to access my phone.
Yup that's the point of my post - everyone should have a PIN code set on their mobile phones.

ARoseByAnyOtherName
Posts: 322
Joined: Wed Apr 26, 2017 12:03 am

Re: Urge Vanguard to support better two-factor authentication

Post by ARoseByAnyOtherName » Fri Nov 29, 2019 3:18 pm

kevinf wrote:
Fri Nov 29, 2019 11:19 am
If your phone isn't also encrypted an attacker can simply plug it in and retrieve data that may reveal personal information and show where you keep sensitive accounts. Then they'll factory reset the phone, and attempt to social engineer reps at institutions you hold accounts at with your phone number and personal info.
Any smartphone you buy better have encrypted storage by default!

Are there any popular ones that aren't?

ARoseByAnyOtherName
Posts: 322
Joined: Wed Apr 26, 2017 12:03 am

Re: Urge Vanguard to support better two-factor authentication

Post by ARoseByAnyOtherName » Fri Nov 29, 2019 3:20 pm

Broken Man 1999 wrote:
Fri Nov 29, 2019 1:32 pm
So far as any cell phone issue, any would-be crook would find slim pickings if they stole my cell phone. I have ZERO permanent financial apps on it, and the only email address is a burner one, gmail, which receives ZERO emails from any of our financial entities. I do download the app for my credit union, but after I deposit a check (only use of the app) I immediately remove the app.
Do you have a PIN code set on your cell phone?

(I hope you have a PIN code set on your cell phone.)

kevinf
Posts: 78
Joined: Mon Aug 05, 2019 11:35 pm

Re: Urge Vanguard to support better two-factor authentication

Post by kevinf » Fri Nov 29, 2019 3:34 pm

ARoseByAnyOtherName wrote:
Fri Nov 29, 2019 3:18 pm
kevinf wrote:
Fri Nov 29, 2019 11:19 am
If your phone isn't also encrypted an attacker can simply plug it in and retrieve data that may reveal personal information and show where you keep sensitive accounts. Then they'll factory reset the phone, and attempt to social engineer reps at institutions you hold accounts at with your phone number and personal info.
Any smartphone you buy better have encrypted storage by default!

Are there any popular ones that aren't?
It's still possible to buy older or refurbished phones that aren't encrypted by default. I also wouldn't necessarily trust the encryption on certain foreign budget phones.

Silence Dogood
Posts: 1155
Joined: Tue Feb 01, 2011 9:22 pm

Re: Urge Vanguard to support better two-factor authentication

Post by Silence Dogood » Fri Nov 29, 2019 3:37 pm

ARoseByAnyOtherName wrote:
Fri Nov 29, 2019 3:18 pm
kevinf wrote:
Fri Nov 29, 2019 11:19 am
If your phone isn't also encrypted an attacker can simply plug it in and retrieve data that may reveal personal information and show where you keep sensitive accounts. Then they'll factory reset the phone, and attempt to social engineer reps at institutions you hold accounts at with your phone number and personal info.
Any smartphone you buy better have encrypted storage by default!

Are there any popular ones that aren't?
Android and iOS (combined) make up about 99%+ of smartphone market share and both encrypt by default.

Broken Man 1999
Posts: 3459
Joined: Wed Apr 08, 2015 11:31 am

Re: Urge Vanguard to support better two-factor authentication

Post by Broken Man 1999 » Fri Nov 29, 2019 3:39 pm

ARoseByAnyOtherName wrote:
Fri Nov 29, 2019 3:20 pm
Broken Man 1999 wrote:
Fri Nov 29, 2019 1:32 pm
So far as any cell phone issue, any would-be crook would find slim pickings if they stole my cell phone. I have ZERO permanent financial apps on it, and the only email address is a burner one, gmail, which receives ZERO emails from any of our financial entities. I do download the app for my credit union, but after I deposit a check (only use of the app) I immediately remove the app.
Do you have a PIN code set on your cell phone?

(I hope you have a PIN code set on your cell phone.)
Nope. Why?

Broken Man 1999
“If I cannot drink Bourbon and smoke cigars in Heaven then I shall not go.” -Mark Twain

HawkeyePierce
Posts: 729
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Urge Vanguard to support better two-factor authentication

Post by HawkeyePierce » Fri Nov 29, 2019 5:47 pm

An up-to-date phone protected by a PIN is more secure than a PC. You can’t get phished via the App Store, everything on disk is encrypted and the OS enforces HTTPS. Far less chance of a keylogger or other form of malware infecting your phone.

“Dinosaur” thinking, in this case, is the belief that keeping financial information on your PC will protect you. If anything the reverse is more likely.

kevinf
Posts: 78
Joined: Mon Aug 05, 2019 11:35 pm

Re: Urge Vanguard to support better two-factor authentication

Post by kevinf » Fri Nov 29, 2019 6:02 pm

HawkeyePierce wrote:
Fri Nov 29, 2019 5:47 pm
An up-to-date phone protected by a PIN is more secure than a PC. You can’t get phished via the App Store, everything on disk is encrypted and the OS enforces HTTPS. Far less chance of a keylogger or other form of malware infecting your phone.

“Dinosaur” thinking, in this case, is the belief that keeping financial information on your PC will protect you. If anything the reverse is more likely.
Largely accurate, the disadvantage to the phone being that it is far easier to lose. If you set your unlocked phone down for a moment and it disappears, you may be in for a bad day. A determined attacker with access to the hardware is a huge threat as well. It's possible to access low-level functions on certain devices by using the earphone jack as a serial port, which could make cracking a PIN via brute force very simple. This route was demonstrated by a security researcher to root a "hardened" tablet.

We're still not quite where we need to be for general security. I hope we'll all be using sandboxed VM instances with full disk encryption for sensitive online activities with 2-factor access and fob-based proximity locks in the future.

pokebowl
Posts: 317
Joined: Sat Dec 17, 2016 7:22 pm
Location: The Orion Spur of the Milky Way galaxy.

Re: Urge Vanguard to support better two-factor authentication

Post by pokebowl » Fri Nov 29, 2019 8:47 pm

HawkeyePierce wrote:
Fri Nov 29, 2019 5:47 pm
An up-to-date phone protected by a PIN is more secure than a PC. You can’t get phished via the App Store, everything on disk is encrypted and the OS enforces HTTPS. Far less chance of a keylogger or other form of malware infecting your phone.

“Dinosaur” thinking, in this case, is the belief that keeping financial information on your PC will protect you. If anything the reverse is more likely.
Against the major types of attacks currently targeting end users for financial gain, a mobile device will not protect you any more than a computer. The inherent risks are still present as these attacks are environment independent. You can still be susceptible to time-of-use phishing attacks, malvertising, and watering hole attacks (fraudulent apps uploaded to the app stores, Ginp malware as a recent example) etc.
Nullius in verba.

dboeger1
Posts: 97
Joined: Fri Jan 13, 2017 7:32 pm

Re: Urge Vanguard to support better two-factor authentication

Post by dboeger1 » Tue Dec 03, 2019 10:25 pm

ARoseByAnyOtherName wrote:
Wed Nov 27, 2019 7:58 pm
dboeger1 wrote:
Wed Nov 27, 2019 4:06 pm
I very consciously DO NOT use TOTP in my personal life. I almost locked myself out of a valuable account when trading in a phone once because of it, and thankfully was able to find my recovery codes which I had written down (itself a security risk) years prior. I also don't secure my phone all that well because I frequently share it with my wife, especially when traveling out in public. Therefore, I trust the nowadays fairly prevalent email encryption between major email providers far more than my phone as an authentication factor. So yes, if I were a better user of TOTP, I suppose the security would be superior, but for my use case, I am not willing to trade the conveniences I regularly make use of for the extra security. And yes, I know about SIM-swapping. It's a pretty nasty attack. But I trust that mobile service providers will crack down on that before it affects me, considering that's really a security flaw on their end, not the users. In the end, SMS is still just a 2nd factor, and good passwords will still be sufficient for most accounts and responsible users.
This is really horrible, horrible security practice.

Not securing your phone is really bad. I assume you have email on there? Your personal email I imagine? Maybe your work email too? And that's just the tip of the iceberg. There's an easy solution - just put a passcode on it and tell your wife your passcode. Problem solved.

And trusting that mobile service providers will crack down on that before it affects you.... well I have a bridge to sell you.

Security is almost always a tradeoff with convenience but in my opinion the above goes way, way too far in service of convenience. I hope nobody else takes this as advice.

I posted a list of good security practices here:
viewtopic.php?f=11&t=288310#p4702423
I just want to clarify my position, because 1) I believe you misunderstood me, and disagree with your assessment as a result, and 2) I believe others subsequently misunderstood me in ways which do in fact result in horrible security practices.

I do have a pattern on my phone. To be fair, I didn't explicitly detail how my phone was secured, but I also did not say I don't secure it at all. I absolutely do secure it. I just don't treat it as part of my own being. To me, my accounts are supposed to be an extension of me as a person. Nobody else should be (ab)using them. They are strictly mine, and security measures should work to keep it that way. I don't see my phone that way. I see it like I see my PC at home or work. It's just a machine that can do work. Now, there is a design difference, in that smartphones today are more or less tied to a single user-account. They're not designed to work well as multi-user shared devices, unlike a typical desktop or game console OS. That's personally a design bandwagon that I never really wanted to hop on, but it is what it is. So to me, my phone can be replaced, but yes, I want to protect the data that it has access to when I use it. So please, nobody misunderstand me and think I was saying you shouldn't have some form of PIN or password or whatever. All I'm really saying is that if my phone spontaneously explodes, I'd like to be able to access my accounts still, because the phone is essentially disposable, but the accounts represent my personal life, including finances.

Fundamentally, all security measures are based on a set of assumptions which aren't necessarily universally true. For example, passwords are based on only the account owner knowing them. 2FA is based on the account owner having multiple factors in order to increase security. OTP is based on an even stronger assumption that a particular device belongs to the account owner. Biometrics are based on the assumption that attackers can't easily reproduce biometric signatures of the account owner. But any of those assumptions can become invalid. Imagine if you could clone me such that my clone would be an exact copy with all my memories and biometric signatures intact. Well, all of those listed mechanisms would become pretty terrible, and you'd need to supplement them with some sort of brain microchipping or geography-based authentication mechanism. That may sound contrived, but SIM-swapping is a very real recent example. It used to be considered secure to use your phone number as an authentication factor, until a fairly trivial vulnerability was discovered. Until security experts can somehow manage to plug directly into your soul and/or individual consciousness (neither of which are concepts humans currently understand on a deep-enough scientific level), there's always going to be some distance between you as a person and your authentication factors, and so the best any security mechanism can hope to do is make good assumptions about when to trust that you are in fact who you say you are. This is true of every single authentication mechanism, regardless of whether it's the soup du jour or not. Don't let current best practices fool you into believing they are fundamentally any different in this regard. If someone can fake being you under the assumptions of your authentication mechanism, they can access your accounts as if they are you. This is a universal truth.

OTP is absolutely one of the most effective forms of 2FA today. It is certainly capable of preventing several kinds of attacks that prior methods could not, such as SIM-swapping. However, it does so BECAUSE of its VERY STRONG assumption that a mobile device is under the sole possession and control of the account owner. When that assumption fails, so does the mechanism. The only reason people are going around insisting that it's superior to SMS-based 2FA is that it is currently significantly easier to compromise phone numbers than it is phones themselves. Had someone created a virus that was able to extract account secrets from OTP apps, or otherwise come up with some social engineering scheme to get them from unsuspecting victims, instead of discovering how vulnerable mobile carriers were to SIM-swapping, the headlines would be very different. But they're not, so OTP is currently good practice. I'm not arguing against that.

My main point was that the tradeoff in security is a very different beast than it was for using strong passwords. Passwords have been used since long before computers existed because they manage to give a great deal of security for very little inconvenience, and in a very intuitive way. And while computers did exacerbate problems like brute-force, dictionary attacks, common passwords, etc., they also resulted in many enhancements behind the scenes, such as salts, hashes, encryption, password managers, password rotation and complexity policies, etc. Eventually, SMS/email-based 2FA increased security by a substantial margin without much additional hassle. Biometrics are also becoming more common and adding to security without trading away much convenience. And last but not least, many enterprises are using hard tokens for 2FA with systems that allow them to centrally manage access in case one is stolen, broken, lost, etc. Basically, all of those things are relatively easy and intuitive, but help to secure accounts against most attacks that we have some degree of control of as users (obviously, we can't be responsible for securing an account provider's back end infrastructure, for instance).

Schemes such as OTP are, in my opinion, the first time that an authentication mechanism has gone mainstream DESPITE demanding a level of technical knowledge and understanding which is beyond the average user's grasp. That's because it's not obvious to most people that they run the risk of locking themselves out of their accounts when they set the system up, and in return, they only get marginal security benefits. In other words, it's a wolf in sheep's clothing. It's a much more difficult-to-swallow tradeoff. That's not to say people shouldn't make it. When used properly, it is more secure than SMS 2FA. I would contend that the vast majority of users don't understand it enough to use it properly, and it's only a matter of time before enough people get screwed by it that they decide to move onto something else. Hopefully biometrics will be better and more widespread by then.

I'm a software engineer for a living. I've actually worked on projects related to authentication and authorization. I also did not realize I might get locked out of a valuable account for failing to disable 2FA when trading in my phone. I simply used Google Authenticator because another service suggested it, without understanding the details of OTP. Thank goodness I had my recovery codes. I promise you, beyond a shadow of a doubt, that people like my mother-in-law, who constantly got viruses on her PC when I was growing up and needed me to pave her systems on almost a monthly basis, no matter how many antivirus programs I tried, do not intuitively understand the implications of OTP. It's much easier to start using it and lock yourself out of an account than it is to understand how it works. And for what? You stop a certain class of relatively advanced attacks against SMS/email-based 2FA which has only gotten much attention recently because of downright irresponsible behavior by mobile carriers. That's not that big of a deal, and by the time the average user can understand how they might lock themselves out of an account by misplacing their phone, the mobile carriers really should be able to stop letting attackers simply call in and ask for a SIM swap. That's basically what happened with email. Before email-based 2FA even became that widespread, major email providers had already begun work on encrypting email traffic behind the scenes, without requiring any additional effort on the part of users. Today, the vast majority of email is encrypted in transit, so unless you're going out of your way to use some no-name provider who doesn't do it, then email is fairly safe in transit.

In real life, probabilities often matter as much as precise vulnerabilities. You deal with the things that are most likely to affect you. I don't think phones are inherently as tied to their owners as people think. I mean, if someone was really serious about accessing your data, all they'd have to do is knock you out while you're using your phone in public, and bam, they have it. If you've ever done something as common as open your phone during an Uber ride to give a tip or review, you've put your phone at risk. If you've ever traded a phone, had it with you at a bar when you were drinking, shared it with your spouse, taken it on a cruise, or any number of common behaviors, then your phone was at a fairly significant risk. The idea of then making such a strong assumption that the phone is tied to you as a person that you're willing to lock yourself out of your accounts with only a few one-time-use codes which you may have stored years ago as your recovery options just doesn't make sense to me in a world where all these behaviors are common. I personally would make the jump if it was some sort of trusted biometric scanner or a microchip or other signature implanted directly into my body, but my phone? You may as well use my dog or my shoes as an authentication factor, if you ask me.

It's like when you teach your high school kids to drive. Do you put them in a Corolla or a Corvette? For the sake of the thought exercise, let's assume everything but speed and acceleration are equal, including safety ratings and features. The security expert might say, "Well, the Corvette is obviously the better option. In the event of an angry road rager attempting to run your child off the road, the Corvette can likely get away! Vulnerability plugged!". But virtually every parent knows a teen learning to drive in a Corvette is a bad idea, because they're likely to be a bigger threat to themselves than attackers are. I don't see how OTP is any different. It's the Corvette of 2FA. Sure, I see how it's better, but maybe I don't trust myself in it just yet. My car analogy might seem silly and contrived, but believe it or not, the exploding-phone one is not. Wasn't there a whole controversy about Samsung Galaxy phones spontaneously burning several years back due to a battery issue, and they were banned from planes? Who's to say a newer phone can't have a design flaw which causes it to burst into flames? I sure hope you have your recovery codes then.

To summarize, I'm not advocating that people don't secure their devices, or that they don't use OTP. I am 100% advocating that you understand and adapt to the implications of OTP before using it. I don't know how I can make it any clearer than my personal experience. I'm a relatively technologically-minded person, and I almost fell into a trap that could have locked me out of an account I had spent hundreds of dollars on. So I most definitely would not recommend my grandparents to use OTP on their retirement accounts which they're currently drawing from in their old age. Absolutely no way. It doesn't fit their lifestyle, level of knowledge, or risk profile. I made the conscious decision to switch away from OTP because I nearly screwed up with it. It doesn't mean it's bad, but if I were to take the time to switch my accounts back to using it, I would at the very least make sure I had a safer and more reliable way of storing the recovery codes than the piece of paper that I found in a pile of junk years after I had written them down, which somehow managed to move with us into our new apartment. And no, having it in some sort of computer note app would not be enough, because it's easy to accidentally delete them. I'd want read-only copies accessible from multiple password-protected accounts, which ironically sort of defeats the purpose of OTP, because it's just shifting the vulnerability from one account to another.

I hope I've made my position clear. If you disagree with me and consider it bad advice, well, that's fine I suppose. Just be careful is all I can say.

Northern Flicker
Posts: 4918
Joined: Fri Apr 10, 2015 12:29 am

Re: Urge Vanguard to support better two-factor authentication

Post by Northern Flicker » Tue Dec 03, 2019 11:27 pm

jhfenton wrote:
Wed Nov 27, 2019 10:30 am
sfmdk240 wrote:
Wed Nov 27, 2019 12:55 am
Just wanted to bump this thread. I've messaged Vanguard several times requesting that they support Authenticator, Duo, Authy, etc for Two-Factor authentication. Specifically given recent events I've expressed my concern about their use of SMS and the potential for a SIM swap. I've gotten the boiler-plate response "we'll pass this along to our security team" but maybe if enough people contact them, something will actually happen. For me at least, Yubi-key for hardware authentication is too much trouble.
I do use Yubikey for convenience, but with automatic fallback to SMS, it doesn't add much in the way of security. Like you, I would like the ability to turn on OTP via Authenticator or the like and turn off fallback to SMS.
Activating a yubikey slightly weakens the authentication protocol by increasing the attack surface. But authenticating with the yubikey does offer a tangible increase in protection against man-in-the-middle attacks, which I think is a net win.
Index fund investor since 1987.

mptfan
Posts: 5637
Joined: Mon Mar 05, 2007 9:58 am

Re: Urge Vanguard to support better two-factor authentication

Post by mptfan » Wed Dec 04, 2019 2:11 pm

Northern Flicker wrote:
Tue Dec 03, 2019 11:27 pm
Activating a yubikey slightly weakens the authentication protocol by increasing the attack surface.
Not if you simultaneously remove other methods of authentication, especially SMS.

jkrm
Posts: 82
Joined: Wed Oct 08, 2008 8:20 am

Re: Urge Vanguard to support better two-factor authentication

Post by jkrm » Wed Dec 04, 2019 3:35 pm

I have sent numerous messages to my Vanguard rep urging Vanguard to remove the SMS fallback to the Yubikey - the SMS fallback just makes a Yubikey no more secure than if you only had SMS. Each message included a link to an article about an account with SMS as the second authentication factor having been broken into, usually by a SIM swap. My rep told me that she had forwarded each of them up the hierarchy. I finally gave up out of fear of getting her into trouble!

My own solution was the same as a couple of other posters on this thread. We still have a landline, so I have the "SMS" backup go as a voice call to the landline. We used to have an actual copper loop but were recently forced to switch to a VoIP-type service. I think that's still pretty secure.

mptfan
Posts: 5637
Joined: Mon Mar 05, 2007 9:58 am

Re: Urge Vanguard to support better two-factor authentication

Post by mptfan » Wed Dec 04, 2019 4:31 pm

jkrm wrote:
Wed Dec 04, 2019 3:35 pm
I have sent numerous messages to my Vanguard rep urging Vanguard to remove the SMS fallback to the Yubikey - the SMS fallback just makes a Yubikey no more secure than if you only had SMS.
That's not quite true. I agree that having an SMS backup option greatly reduces the security of using a security key, and I wish Vanguard would give users the option to disable that option, but I would not go so far as to say that makes the security key no more secure than SMS. Here is why...if you use your security key to log in, as opposed to getting a code by SMS, you can be assured that you are not being "phished" and you are actually accessing the Vanguard site and not some other site pretending to be Vanguard because the security key is communicating with Vanguard and will only allow access if it verifies the site as the genuine Vanguard site.

Bluquark, another Boglehead, explained it this way...the key still protects you against phishing. If you never use security codes, you cannot be tricked into inputting a security code on a fake Vanguard page mocked up to look exactly like the real one. The key will refuse to cooperate with any website other than the authentic vanguard.com. Phishing is the method used for the majority of account compromises -- hacking your phone, intercepting the SMS or porting your phone number is much higher-effort -- so I consider it still worth turning this feature on.
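As an added illustration of the origin binding described in the post above, here is a small model of a security-key login written for this page (it is not Vanguard's, Yubico's or any browser's code). A real FIDO2/WebAuthn key holds a private key per credential and returns an ECDSA signature; this model uses an HMAC key as a stand-in so it runs on the Python standard library alone. The hostnames, the user "alice" and the challenge flow are constructed for the example. What it shows is the mechanism behind "the key will refuse to cooperate with any website other than the authentic site": the browser writes the page's origin into the signed client data, the key only answers for the relying-party ID it was registered to, and the server checks origin, challenge, rpId hash, counter and signature.

```python
import hashlib
import hmac
import json
import secrets
import struct
from urllib.parse import urlparse

RP_ID, RP_ORIGIN = "vanguard.com", "https://investor.vanguard.com"   # constructed for the example
PHISH_ORIGIN = "https://vanguard-login.example"                       # constructed look-alike site


def rp_id_ok_for_origin(rp_id, origin):
    # Browser rule (simplified): rpId must be the page's host or a suffix of it.
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


class Authenticator:
    # Toy security key: one credential per rpId. HMAC stands in for the
    # per-credential private key; a real key signs with ECDSA and exports
    # only the public key at registration.
    def __init__(self):
        self.creds = {}

    def make_credential(self, rp_id):
        cred_id, key = secrets.token_hex(16), secrets.token_bytes(32)
        self.creds[cred_id] = {"rp_id": rp_id, "key": key, "counter": 0}
        return cred_id, key

    def get_assertion(self, cred_id, rp_id, client_data):
        cred = self.creds[cred_id]
        if cred["rp_id"] != rp_id:
            raise LookupError("no credential registered for this relying party")
        cred["counter"] += 1
        auth_data = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">I", cred["counter"])
        signed = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(cred["key"], signed, hashlib.sha256).digest()


def browser_get(authenticator, page_origin, cred_id, rp_id, challenge):
    # The browser, not the page's JavaScript, writes the origin into clientData.
    if not rp_id_ok_for_origin(rp_id, page_origin):
        raise ValueError("rpId not valid for this origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data, sig = authenticator.get_assertion(cred_id, rp_id, client_data)
    return client_data, auth_data, sig


class RelyingParty:
    def __init__(self):
        self.users, self.pending = {}, {}

    def register(self, user, cred_id, key):
        self.users[user] = {"cred_id": cred_id, "key": key, "counter": 0}

    def begin_login(self, user):
        self.pending[user] = secrets.token_urlsafe(32)
        return self.pending[user]

    def finish_login(self, user, client_data, auth_data, sig):
        rec, challenge = self.users.get(user), self.pending.pop(user, None)
        if rec is None or challenge is None:
            return "no pending login"
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
            return "bad challenge"
        if cd.get("origin") != RP_ORIGIN:
            return "origin mismatch"            # phishing page or proxy in the middle
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return "wrong rpId"
        counter = struct.unpack(">I", auth_data[32:])[0]
        if counter <= rec["counter"]:
            return "replay"
        expected = hmac.new(rec["key"], auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return "bad signature"
        rec["counter"] = counter
        return "ok"


def run_scenarios():
    key, rp = Authenticator(), RelyingParty()
    cred_id, pub = key.make_credential(RP_ID)
    rp.register("alice", cred_id, pub)
    results = {}
    # 1. Genuine site: browser on the real origin, assertion verifies.
    ch = rp.begin_login("alice")
    results["genuine"] = rp.finish_login("alice", *browser_get(key, RP_ORIGIN, cred_id, RP_ID, ch))
    # 2. Look-alike site relays the real challenge; browser refuses rpId for that origin.
    ch = rp.begin_login("alice")
    try:
        browser_get(key, PHISH_ORIGIN, cred_id, RP_ID, ch)
        results["phish_browser"] = "signed"
    except ValueError:
        results["phish_browser"] = "browser refused"
    # 2b. Attacker asks for its own domain instead: the key has no credential for it.
    try:
        key.get_assertion(cred_id, "vanguard-login.example", b"{}")
        results["phish_own_rpid"] = "signed"
    except LookupError:
        results["phish_own_rpid"] = "no credential"
    # 3. Even if a browser let it through, the signed origin gives the proxy away.
    phish_cd = json.dumps({"type": "webauthn.get", "challenge": ch, "origin": PHISH_ORIGIN}, sort_keys=True).encode()
    results["phish_relay"] = rp.finish_login("alice", phish_cd, *key.get_assertion(cred_id, RP_ID, phish_cd))
    # 4. Proxy rewrites the origin before forwarding: clientData hash no longer matches.
    ch = rp.begin_login("alice")
    phish_cd = json.dumps({"type": "webauthn.get", "challenge": ch, "origin": PHISH_ORIGIN}, sort_keys=True).encode()
    auth_data, sig = key.get_assertion(cred_id, RP_ID, phish_cd)
    results["rewritten_origin"] = rp.finish_login("alice", phish_cd.replace(PHISH_ORIGIN.encode(), RP_ORIGIN.encode()), auth_data, sig)
    # 5. Replaying a captured genuine assertion fails on the one-time challenge.
    ch = rp.begin_login("alice")
    assertion = browser_get(key, RP_ORIGIN, cred_id, RP_ID, ch)
    rp.finish_login("alice", *assertion)
    rp.begin_login("alice")
    results["replay"] = rp.finish_login("alice", *assertion)
    return results
```

Note what this does and does not cover: the signature binds the origin and the one-time challenge, so a look-alike or proxying site cannot obtain an assertion the real site will accept, and the counter lets the server notice a cloned key. It does not encrypt the session (that remains TLS's job), and it says nothing about a separate SMS fallback path, which is exactly why the posters above want that path switched off.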

Northern Flicker
Posts: 4918
Joined: Fri Apr 10, 2015 12:29 am

Re: Urge Vanguard to support better two-factor authentication

Post by Northern Flicker » Wed Dec 04, 2019 7:06 pm

mptfan wrote:
Wed Dec 04, 2019 2:11 pm
Northern Flicker wrote:
Tue Dec 03, 2019 11:27 pm
Activating a yubikey slightly weakens the authentication protocol by increasing the attack surface.
Not if you simultaneously remove other methods of authentication, especially SMS.
Sure, but Vanguard does not allow that, unless it has changed in the near past.
Index fund investor since 1987.

Northern Flicker
Posts: 4918
Joined: Fri Apr 10, 2015 12:29 am

Re: Urge Vanguard to support better two-factor authentication

Post by Northern Flicker » Wed Dec 04, 2019 7:11 pm


Here is why...if you use your security key to log in, as opposed to getting a code by SMS, you can be assured that you are not being "phished" and you are actually accessing the Vanguard site and not some other site pretending to be Vanguard because the security key is communicating with Vanguard and will only allow access if it verifies the site as the genuine Vanguard site.
It is more than that. By having the yubikey generate a key pair and communicate the public key in advance to Vanguard, the session is encrypted end-to-end even if an SSL certificate authority is compromised or malicious, which not only prevents Trojan horses (referred to as phishing in the quoted text) but also prevents man-in-the-middle attacks.
Index fund investor since 1987.

Wiggums
Posts: 1922
Joined: Thu Jan 31, 2019 8:02 am

Re: Urge Vanguard to support better two-factor authentication

Post by Wiggums » Wed Dec 04, 2019 7:23 pm

grok87 wrote:
Thu Nov 28, 2019 8:09 am
zlandar wrote:
Wed Nov 27, 2019 11:21 am
Katie wrote:
Wed Nov 27, 2019 11:10 am
I feel sort of dumb here, but I have no idea how these other authentication methods work although I guess I'd figure it out if I had to do so.
You download an app to your smartphone. You link your app to your online bank/email/etc account. When you log in you enter a 6 digit code on the app that changes every 30 seconds.

Criminals are tricking cellular providers into transferring phone numbers to a phone in their hands. Once that occurs they can cause all kinds of havoc, especially if your main email account also uses text messages to recover a lost password. They can reset your email and brokerage accounts, lock you out, and steal your money doing this.

With the app it doesn't matter if criminals hijack your phone number. That's why it's better to disable text messages as a way to recover your email/brokerage accounts.
this just happened to a friend of mine. his cellphone was hijacked and they used the 2 factor authentication to clean out his bank accounts etc.
apparently the way they hijacked his phone was they somehow got access to his account at cellphone provider- tricked their customer service or something. then they "ported" the phone to another cell phone provider.

so one suggestion is that you can lock down your phone so it can't be ported? has anyone done this?
Krebs has an article on this.

https://krebsonsecurity.com/2018/02/how ... out-scams/

Hardware tokens are more secure and costly.

walletless
Posts: 933
Joined: Fri Aug 15, 2014 4:55 pm

Re: Urge Vanguard to support better two-factor authentication

Post by walletless » Thu Dec 05, 2019 12:36 am

grok87 wrote:
Thu Nov 28, 2019 8:09 am
so one suggestion is that you can lock down your phone so it can't be ported? has anyone done this?
I use Google Voice number for most bank accounts. These are harder to port, and the account is protected using a long random password and 2FA (app based, not phone based). It's not fool-proof, but this shouldn't be a cake walk for someone to hack either.

jkrm
Posts: 82
Joined: Wed Oct 08, 2008 8:20 am

Re: Urge Vanguard to support better two-factor authentication

Post by jkrm » Thu Dec 05, 2019 9:33 am

mptfan wrote:
Wed Dec 04, 2019 4:31 pm
jkrm wrote:
Wed Dec 04, 2019 3:35 pm
I have sent numerous messages to my Vanguard rep urging Vanguard to remove the SMS fallback to the Yubikey - the SMS fallback just makes a Yubikey no more secure than if you only had SMS.
That's not quite true. I agree that having an SMS backup option greatly reduces the security of using a security key, and I wish Vanguard would give users the option to disable that option, but I would not go so far as to say that makes the security key no more secure than SMS. Here is why...if you use your security key to log in, as opposed to getting a code by SMS, you can be assured that you are not being "phished" and you are actually accessing the Vanguard site and not some other site pretending to be Vanguard because the security key is communicating with Vanguard and will only allow access if it verifies the site as the genuine Vanguard site.

Bluquark, another Boglehead, explained it this way...the key still protects you against phishing. If you never use security codes, you cannot be tricked into inputting a security code on a fake Vanguard page mocked up to look exactly like the real one. The key will refuse to cooperate with any website other than the authentic vanguard.com. Phishing is the method used for the majority of account compromises -- hacking your phone, intercepting the SMS or porting your phone number is much higher-effort -- so I consider it still worth turning this feature on.
I think you are right - I had not been thinking about this sort of attack (I think it's a man-in-the-middle attack). But I think a "bad guy" could put up a fake Vanguard site, use it to grab a user name and password, and then redirect you to a real Vanguard page saying the password was entered incorrectly. You'd just think you fat-fingered the password, log in again (successfully), and be none the wiser. In the meantime the bad guy executes a SIM swap and gets into your account a bit later. This would be more work and harder, but still something to beware of. (I use a password manager so I likely would not think I fat fingered the password, but I don't know if I would think to change my password after that. Or maybe I would now that I've thought about it!)

Let me know if I am missing something. In the meantime thanks for the correction. It's good to know that even with SMS as a weak link, the Yubikey DOES add additional security.

jkrm
Posts: 82
Joined: Wed Oct 08, 2008 8:20 am

Re: Urge Vanguard to support better two-factor authentication

Post by jkrm » Thu Dec 05, 2019 9:36 am

Northern Flicker wrote:
Wed Dec 04, 2019 7:11 pm

Here is why...if you use your security key to log in, as opposed to getting a code by SMS, you can be assured that you are not being "phished" and you are actually accessing the Vanguard site and not some other site pretending to be Vanguard because the security key is communicating with Vanguard and will only allow access if it verifies the site as the genuine Vanguard site.
It is more than that. By having the yubikey generate a key pair and communicate the public key in advance to Vanguard, the session is encrypted end-to-end even if an SSL certificate authority is compromised or malicious, which not only prevents Trojan horses (referred to as phishing in the quoted text) but also prevents man-in-the-middle attacks.
I'm not sure I quite understand this, but does this address the attack I described in my response to mptfan, above? If so that would be great.

Wiggums
Posts: 1922
Joined: Thu Jan 31, 2019 8:02 am

Re: Urge Vanguard to support better two-factor authentication

Post by Wiggums » Thu Dec 05, 2019 9:53 am

With more and more massive data breaches of hugely-popular companies recorded each month, 2FA authentication is fast becoming standard procedure. And even though there are ways to get around 2FA, it is still safer than just using the old-fashioned username and password combo. To bypass 2FA, the attacker would still have to break two authentication cycles, vs. just one for usernames and passwords.

Passwords should never be reused across multiple sites because cyber criminals are commonly doing a password stuffing attack. This attack entails taking credentials stolen from one or more breaches in the past and re-using the valid credentials from the breached site against another non-breached site. It’s a very effective tactic since the majority of internet users re-use the same username and password combinations across multiple sites.

Reusing passwords is very risky in today’s internet landscape. Let’s say you reuse the same password across multiple sites. When a web forum for your personal hobby neglects to patch their website and gets hacked, cyber criminals now have the password not only to your forum but also potentially have access to your social network sites, email, and bank accounts.

For the people still using account aggregators, it’s a horrible idea from a security perspective.

It’s a good idea to enable alerts for changes to your account such as email address changes, password changes, etc.
Last edited by Wiggums on Thu Dec 05, 2019 10:04 am, edited 3 times in total.

mptfan
Posts: 5637
Joined: Mon Mar 05, 2007 9:58 am

Re: Urge Vanguard to support better two-factor authentication

Post by mptfan » Thu Dec 05, 2019 9:57 am

jkrm wrote:
Thu Dec 05, 2019 9:33 am
Let me know if I am missing something. In the meantime thanks for the correction. It's good to know that even with SMS as a weak link, the Yubikey DOES add additional security.
No, you are not missing anything, using a yubikey does add additional security even with the SMS backup so long as you always use the yubikey and do not use the SMS backup option. If so, then you can be assured that you are not being phished.
Last edited by mptfan on Thu Dec 05, 2019 9:59 am, edited 1 time in total.

changingtimes
Posts: 219
Joined: Mon Jul 24, 2017 9:28 am

Re: Urge Vanguard to support better two-factor authentication

Post by changingtimes » Thu Dec 05, 2019 9:58 am

I did set up the extra security option for my cell with AT&T through the web site, and it was easy, so I'd definitely suggest that for anyone who remains nervous about this.

Ketawa
Posts: 2192
Joined: Mon Aug 22, 2011 1:11 am
Location: DC

Re: Urge Vanguard to support better two-factor authentication

Post by Ketawa » Thu Dec 05, 2019 10:55 am

tuningfork wrote:
Wed Nov 27, 2019 11:00 pm
I currently use Google Authenticator wherever possible, but I'm contemplating switching to Authy. My understanding is that Authy will store your authentication tokens in the cloud, encrypted with a password only you know, so if you lose or trade in your phone, you can easily associate your next phone with Authy and have access to all your tokens. Anybody else here using Authy and can confirm it's easy to switch phones?

I really detest those recovery codes, which I don't have for all the sites I use GA on. I'm assuming if I switch to Authy then I never have to bother with recovery codes, as long as I have access to at least one device with Authy.
sfmdk240 wrote:
Thu Nov 28, 2019 1:37 am
I was considering switching to Authy as well but I've read a couple of posts on the internet expressing concern that the Authy app is susceptible to the same SIM-swap vulnerability as an SMS 2FA system, if within the Authy app the multiple devices feature is turned on, since your phone number essentially functions as your username. This is definitely into the weeds of 2FA and beyond my expertise, but something to think about. Anyone with more experience, feel free to chime in. I use DUO at work and it's good as well. Basically the same as Google Authenticator.

https://support.authy.com/hc/en-us/arti ... SIM-Swap-
https://www.reddit.com/r/Bitcoin/commen ... _a_hacker/
I use Authy and really like it. I used to use Google Authenticator.

I keep an old Nexus 5 with a cracked screen at home solely as a second/backup device. Without a simple and secure way to backup the initial QR codes, buying a new phone was a royal PITA to set up, needing to redo every account's code.

Authy backs up to the cloud using your phone number as, effectively, user name/account number, and the codes encrypted with a password. With multi-device turned on, adding a new device requires using one of your original devices to authenticate a new device through a prompt in the app. With it turned off, the only way to add a new device, if you do not have access to a device to re-enable multi-device, is to go through the recovery process, which takes at least 24 hours.

In my opinion, disabling multi-device is plenty good enough. Even with it turned on, adding a new device requires access to one of the original devices. If a SIM swap is effective, the account recovery process and my randomly generated password will secure the codes.

Wiggums
Posts: 1922
Joined: Thu Jan 31, 2019 8:02 am

Re: Urge Vanguard to support better two-factor authentication

Post by Wiggums » Thu Dec 05, 2019 11:08 am

I backup my cell phone weekly to an encrypted backup. When I get a new phone, I apply the backup image to the new phone. I never had to rescan the QR codes or anything like that.

As a side note: It is important to know that the reliability of authentication is affected not only by the number of factors involved but also by how they are implemented. In each category, the choices made for authentication rules greatly affect the security of each factor. Poor or absent password rules, for example, can result in the creation of passwords like “guest,” which completely defeats the value of using a password. Best practices include requiring inherently strong passwords that are updated regularly. Facial recognition systems can in some cases be defeated by holding up a picture. More effective systems may require a blink or even a wink to register. Lax rules and implementations result in weaker security; alternatively, better rules can yield better security per factor and better security overall for multifactor authentication systems.

ARoseByAnyOtherName
Posts: 322
Joined: Wed Apr 26, 2017 12:03 am

Re: Urge Vanguard to support better two-factor authentication

Post by ARoseByAnyOtherName » Thu Dec 05, 2019 9:38 pm

Broken Man 1999 wrote:
Fri Nov 29, 2019 3:39 pm
ARoseByAnyOtherName wrote:
Fri Nov 29, 2019 3:20 pm
Broken Man 1999 wrote:
Fri Nov 29, 2019 1:32 pm
So far as any cell phone issue, any would-be crook would find slim pickings if they stole my cell phone. I have ZERO permanent financial apps on it, and the only email address is a burner one, gmail, which receives ZERO emails from any of our financial entities. I do download the app for my credit union, but after I deposit a check (only use of the app) I immediately remove the app.
Do you have a PIN code set on your cell phone?

(I hope you have a PIN code set on your cell phone.)
Nope. Why?
Well... why don't you?

Having a PIN code on your cellphone is the most basic thing you can do to secure it and yourself. Today's fingerprint and face sensors make it almost as convenient as not having a PIN code at all.

Anyone who steals your phone gets access to your burner email account. Is that account associated with any of your online (non-financial) accounts? If so, said person can probably gain control of those accounts using "Forgot your password".

If not... are you sure? Really sure?

Not to mention the potential social engineering attacks opened up by having access to your contacts, calendars, and any of the other data stored on your phone.

Why wouldn't you have a PIN code set on your cell phone?

Honestly it would be much more secure, and much more convenient, for you to set a strong PIN code, enable fingerprint or face unlock, have a strong password for your credit union app, and keep it on your phone without deleting it.

Northern Flicker
Posts: 4918
Joined: Fri Apr 10, 2015 12:29 am

Re: Urge Vanguard to support better two-factor authentication

Post by Northern Flicker » Fri Dec 06, 2019 12:22 am

Using yubikey narrows the vulnerability to man-in-the-middle attacks or trojan horse web sites from all sessions to just the session where you register the yubikey token. Once you make a clean connection and register the yubikey, using it will ensure you are communicating with Vanguard, and nobody is filtering the traffic in the middle (assuming a best practice deployment configuration by Vanguard).

I believe that Google Authenticator uses time interval cryptohashes and depends on clock synchronization between the Authenticator and the service. It likely is not as effective as a yubikey for preventing MITM attacks or connections to trojan horses.

The problem is that there needs to be a process for re-establishing robust authentication if a yubikey is lost or stops functioning. Google lets you configure multiple 2FA methods to your account, but unlike vanguard does not force the 2nd to be an SMS code. You can have two different yubikeys configured, one as a backup for instance. You also can generate one-time-use passcodes to squirrel away somewhere safe and use as a 2nd factor in an emergency. If you only logged in say 4 times a year to some service, one-time-use passcodes would actually be a reasonable option for 2FA. But they would be a major inconvenience for regular login (other than as the emergency backup). A weakness of the one-time passcodes is they can be compromised without you knowing it.

Some or all Google brand Chromebooks have 1 YubiKey built in and the power button functions as the YubiKey button.
Index fund investor since 1987.

ARoseByAnyOtherName
Posts: 322
Joined: Wed Apr 26, 2017 12:03 am

Re: Urge Vanguard to support better two-factor authentication

Post by ARoseByAnyOtherName » Fri Dec 06, 2019 6:32 am

Northern Flicker wrote:
Fri Dec 06, 2019 12:22 am
I believe that Google Authenticator uses time interval cryptohashes and depends on clock synchronization between the Authenticator and the service. It likely is not as effective as a YubiKey for preventing MITM attacks or connections to trojan horses.
Google Authenticator/OTP is definitely not effective against MITM attacks or connections to trojan horses.
Northern Flicker wrote:
Fri Dec 06, 2019 12:22 am
Google lets you configure multiple 2FA methods to your account, but unlike Vanguard does not force the 2nd to be an SMS code. You can have two different YubiKeys configured, one as a backup for instance.
If you enroll your Google account in their Advanced Protection program you must use a YubiKey-like hardware key to log into your account. You can also have more than two hardware keys configured.

changingtimes
Posts: 219
Joined: Mon Jul 24, 2017 9:28 am

Re: Urge Vanguard to support better two-factor authentication

Post by changingtimes » Fri Dec 06, 2019 8:42 am

And if you have a Pixel phone, it can actually be set to be one of your Google security keys. I have at least four different backup methods with Google, none of which are SMS. (two YubiKeys, Pixel, backup codes)

Also, the fingerprint reader on the back of a Pixel phone is The Greatest Thing Ever. Pick up the phone with your finger on the reader, and it unlocks. Heck, if the Vanguard Android app could just work with THAT, as so many other financial institutions do, that'd be a not-perfect-but-still-nicer way to go than SMS, especially since the Android app won't work with an NFC YubiKey.

mptfan
Posts: 5637
Joined: Mon Mar 05, 2007 9:58 am

Re: Urge Vanguard to support better two-factor authentication

Post by mptfan » Fri Dec 06, 2019 8:57 am

Northern Flicker wrote:
Fri Dec 06, 2019 12:22 am
Some or all Google brand Chromebooks have 1 YubiKey built in and the power button functions as the YubiKey button.
I think that only works with the Pixelbook.

changingtimes
Posts: 219
Joined: Mon Jul 24, 2017 9:28 am

Re: Urge Vanguard to support better two-factor authentication

Post by changingtimes » Fri Dec 06, 2019 1:14 pm

changingtimes wrote:
Fri Dec 06, 2019 8:42 am
And if you have a Pixel phone, it can actually be set to be one of your Google security keys. I have at least four different backup methods with Google, none of which are SMS. (two YubiKeys, Pixel, backup codes) (UPDATE: Actually, five. Google Authenticator, of course)

Also, the fingerprint reader on the back of a Pixel phone is The Greatest Thing Ever. Pick up the phone with your finger on the reader, and it unlocks. Heck, if the Vanguard Android app could just work with THAT, as so many other financial institutions do, that'd be a not-perfect-but-still-nicer way to go than SMS, especially since the Android app won't work with an NFC YubiKey.

Northern Flicker
Posts: 4918
Joined: Fri Apr 10, 2015 12:29 am

Re: Urge Vanguard to support better two-factor authentication

Post by Northern Flicker » Fri Dec 06, 2019 6:25 pm

Google Authenticator/OTP is definitely not effective against MITM attacks or connections to trojan horses.
My previous wording was suboptimal. Time interval cryptohashes can avoid Trojan horse web sites if, after successful authentication, the service sends back the next time interval hash from the sequence that the client user can verify against their time interval hash generator. I guess Google did not implement that. MITM attacks can only really be prevented by end-to-end encryption with keys previously exchanged in a trustworthy manner.
Index fund investor since 1987.
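The TOTP mechanics Northern Flicker describes in both posts (time-interval HMAC codes that depend on the two clocks agreeing, and the idea of the service echoing the next interval's code so the client can check it) as an added example that is not code from anyone in the thread, from Google or from Vanguard. It uses the published RFC 4226/6238 reference secret and constructed timestamps; the drift window and the "server proof" step are assumptions about how such a service might be built.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time interval, the RFC 6238 default

# Reference secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
    Nothing here names the web site or session, so a code only proves 'I know the secret';
    that is why a code typed into a look-alike site is as good as one typed into the real one."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / STEP); both sides must agree on the time."""
    return hotp(secret, unix_time // STEP, digits)


def verify(secret: bytes, code: str, server_time: int, window: int = 1):
    """Server side. Clock drift is tolerated by also accepting the neighbouring intervals
    (assumed window of +/-1 step). Returns the counter that matched, or None."""
    now = server_time // STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, now + delta), code):
            return now + delta
    return None


def server_login(secret: bytes, code: str, server_time: int):
    """Server side. On success, echo the code for the NEXT interval so the client can confirm
    the server knows the secret too (the mutual check from the post). A fake site that never
    talks to the real server cannot produce this; a live relay in the middle could still forward it."""
    matched = verify(secret, code, server_time)
    return None if matched is None else hotp(secret, matched + 1)


def client_checks_server(secret: bytes, proof: str, client_time: int) -> bool:
    """Client side: the echoed proof must equal our own next-interval code."""
    return hmac.compare_digest(proof, hotp(secret, client_time // STEP + 1))
```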
