Vanguard issue with Yubikey : Won't support U2F API soon?

Discuss all general (i.e. non-personal) investing questions and issues, investing news, and theory.
Topic Author
cacophony
Posts: 1363
Joined: Tue Oct 16, 2007 9:12 pm

Re: Vanguard issue with Yubikey : Won't support U2F API soon?

Post by cacophony »

gavinsiu wrote: Tue Jan 04, 2022 3:14 pm
cacophony wrote: Tue Jan 04, 2022 2:06 pm
Managed to steal the login/pass for what? The bitcoin account?

How could they perform an SMS hijack if they don't know what phone number the Google Voice account is redirecting to?
Accounts are stolen through a number of means: website hacks, dictionary attacks, phishing, etc. Once they have your personal information, they could probably look up your mobile cell number. Most people give out their cell phone number to vendors and friends and may even be in public directories. Most hackers will assume that you are using SMS as a 2FA. If you forward your Google Voice texts to your mobile number, you are no more protected than if you just use your mobile number for 2FA.
Ok. I was assuming it was like my setup:

I had my cell phone number ported to Google Voice and calls are redirected to whatever random cell number I happened to get with my current cell plan. Nobody has that actual cell plan number because I only ever give out the Google number. Not that I'm forwarding SMS, as there would be no point. But if I was, I don't think it would put me in much danger of an SMS attack.
LeftCoastIV
Posts: 1030
Joined: Wed May 01, 2019 7:19 pm

Re: Vanguard issue with Yubikey : Won't support U2F API soon?

Post by LeftCoastIV »

gavinsiu wrote: Tue Jan 04, 2022 3:07 pm
Shift4 wrote: Tue Jan 04, 2022 12:55 pm Gotcha. So I think this is obvious but just to make sure: if one simply installs the google voice app on one's phone to receive 2fa messages sent to one's google voice number, an SMS hijack of said mobile phone's number couldn't compromise 2fa messages sent to said google voice number? (And assuming there's no call forwarding setup on the google voice number that is also 2fa'd with a Yubikey.)
You are right on the dot. If someone performs a SIM hijack, they will just switch the phone number to a new phone; they won't get access to your phone's content. Your Google Voice will continue to work on your phone, but your SMS will not. If you forward your Google Voice messages to SMS, you will essentially defeat your effort to avoid giving away your SMS. This is why I suggest you should not forward your SMS or voice.

One reason to be vigilant is that a lot of people don't think about this when they forward their Google Voice. Even if you think about it, Google constantly wants you to attach a number to Google Voice by prompting you when you log in. You may accidentally add it if you are not careful.
Of course your Google account itself could be compromised, so you’ll want MFA such as Google Authenticator to protect it.

If you use an actual mobile number for MFA you should be able to prevent SIM swapping by setting up a PIN with your wireless carrier that must be entered/provided before your number can be ported to a new SIM. I suppose somebody could physically steal your SIM if you lost your phone as well. A SIM PIN can prevent this.
gavinsiu
Posts: 4543
Joined: Sun Nov 14, 2021 11:42 am

Re: Vanguard issue with Yubikey : Won't support U2F API soon?

Post by gavinsiu »

cacophony wrote: Tue Jan 04, 2022 3:21 pm
Ok. I was assuming it was like my setup:

I had my cell phone number ported to Google Voice and calls are redirected to whatever random cell number I happened to get with my current cell plan. Nobody has that actual cell plan number because I only ever give out the Google number. Not that I'm forwarding SMS, as there would be no point. But if I was, I don't think it would put me in much danger of an SMS attack.
Do you still have a cell phone number separate from the Google Voice one? If so, you could still be vulnerable, though less vulnerable than people who list their mobile everywhere.

Keep in mind that cellphone companies apparently sell your information, so it may be possible to still get your info, but I am not entirely certain.

https://techcrunch.com/2019/01/09/us-ce ... tion-data/
gavinsiu
Posts: 4543
Joined: Sun Nov 14, 2021 11:42 am

Re: Vanguard issue with Yubikey : Won't support U2F API soon?

Post by gavinsiu »

LeftCoastIV wrote: Tue Jan 04, 2022 3:23 pm Of course your Google account itself could be compromised, so you’ll want MFA such as Google Authenticator to protect it.

If you use an actual mobile number for MFA you should be able to prevent SIM swapping by setting up a PIN with your wireless carrier that must be entered/provided before your number can be ported to a new SIM. I suppose somebody could physically steal your SIM if you lost your phone as well. A SIM PIN can prevent this.
Yes, you would be surprised how many people don't secure their Google account and get hacked.

For the SIM PIN, be aware that it's not 100% secure. There have been numerous people who had a PIN and got hacked. The reason is that the systems the mobile providers use are poorly designed. If designed properly, the tech should not be able to access your SIM info without a PIN, and it would require the user to jump through some hoops (provide an ID, plus some other ID info). Instead, it appears that in many systems the tech can just override the PIN, which makes them subject to hackers' social engineering. Having a PIN is better than no PIN, but having a PIN may not protect you completely from SIM hijack.
gavinsiu
Posts: 4543
Joined: Sun Nov 14, 2021 11:42 am

Re: Vanguard issue with Yubikey : Won't support U2F API soon?

Post by gavinsiu »

OK,
Vanguard has not returned my messages nor returned my call. However, it's been less than a week, so I will revisit after a week.

In the meantime, I have tried to remove the two security keys, remove the security code and then try adding the keys back. What I have noticed is that it won't let you add a hardware key until you add the security code, but after you add the security key, it won't let you turn off the security code. Arrgh!

I did poke around and notice this post:
https://www.reddit.com/r/personalfinanc ... tykeyonly/

However, the post lists a new vulnerability. If you have hardware key only, and you add a new mobile app, it will prompt you for the security question. If the hacker knows the security question and the login, they can add their own phone as SMS and bypass 2FA.
gavinsiu
Posts: 4543
Joined: Sun Nov 14, 2021 11:42 am

Re: Vanguard issue with Yubikey : Won't support U2F API soon?

Post by gavinsiu »

Vanguard has responded in regards to the U2f issue:

Dear Mr. Siu,

Thank you for your email. We apologize for any inconvenience the warning
message may have caused you.

Vanguard is aware of the warning message you received and will have the
issue resolved by February 2022. You can continue to use your security key
as you always have by clicking “Allow” on the warning.

For technical assistance on vanguard.com and our mobile app, please call
your service team at 800-345-1344 and ask to speak with a Web Technical
Support Services specialist. Our specialists are available Monday through
Friday between the hours of 8 a.m. and 7 p.m., Eastern time.

For individuals with speech or hearing limitations, we can also be reached
at 800-749-7273.

Sincerely,

Libby Robinson
Support Specialist
Vanguard Web Technical Support Services

At least it appears the U2F issue is likely to be resolved.
NoRoboGuy
Posts: 882
Joined: Fri Apr 01, 2011 11:07 pm
Location: Alabama

Re: Vanguard issue with Yubikey : Won't support U2F API soon?

Post by NoRoboGuy »

Thanks for posting this update.
There is no free lunch.
hudson
Posts: 7119
Joined: Fri Apr 06, 2007 9:15 am

Re: Vanguard issue with Yubikey : Won't support U2F API soon?

Post by hudson »

Thanks gavinsiu!
Useful info!
My Vanguard two factor setup:
3 YubiKeys, Vanguard app on my phone, and a Google Voice number.
The newest is a YubiKey 5C NFC https://www.yubico.com/product/yubikey-5c-nfc/
It's USB-C and is also wireless.

Off the subject but...
My newest USB-C YubiKey fit very tightly into a female USB-C port. I contacted YubiKey support; they are sending me a replacement.

(USB-C is what Apple is using in some of its newer products like the MacBook Air. My Windows desktop has a USB-C port.)
americanClassic
Posts: 2
Joined: Mon Jan 03, 2022 7:28 pm

Re: Vanguard issue with Yubikey : Won't support U2F API soon?

Post by americanClassic »

I got a very good response from my report. A section:
Our security key service was built using code compatible with common
browsers like Google Chrome and Microsoft Edge. Google has replaced a
portion of their code base, which has the potential to impact the future
functionality of security keys. We will be making updates well in advance
of this changeover to ensure that all security features and functions
continue working as normal.

Although Google’s code base was originally scheduled to retire in February
2022, the steps our Technical Team is taking will ensure functionality
beyond that date.
usefulbacon
Posts: 1
Joined: Fri Jan 14, 2022 7:01 pm

Re: Vanguard issue with Yubikey : Won't support U2F API soon?

Post by usefulbacon »

Chrome 98 is now out in beta, which disables the U2F API.

https://developer.chrome.com/blog/deps- ... ryptotoken
"Chrome 98 - Beta expected in early January 2022, stable in February. The U2F API will be disabled by default."

I noticed because my browser just updated to Chrome 98 and is no longer showing the pop-up window that the U2F API is being deprecated - and instead just simply no longer works -- the Vanguard login page just sits there waiting. Fortunately I was able to fall back to SMS & was able to complete the login process that way.

Would recommend - for anyone here that is using Chrome and has SMS fallback disabled - re-enable SMS until this gets fixed.
dougger5
Posts: 480
Joined: Fri Nov 27, 2015 10:58 am
Location: Not far from Malvern

Re: Vanguard issue with Yubikey : Won't support U2F API soon?

Post by dougger5 »

I'm using Waterfox until it gets fixed.

...or until Waterfox breaks it.
"I've been ionized, but I'm okay now." -Buckaroo Banzai
hudson
Posts: 7119
Joined: Fri Apr 06, 2007 9:15 am

Re: Vanguard issue with Yubikey : Won't support U2F API soon?

Post by hudson »

usefulbacon wrote: Fri Jan 14, 2022 7:08 pm Chrome 98 is now out in beta, which disables the U2F API.

https://developer.chrome.com/blog/deps- ... ryptotoken
"Chrome 98 - Beta expected in early January 2022, stable in February. The U2F API will be disabled by default."

I noticed because my browser just updated to Chrome 98 and is no longer showing the pop-up window that the U2F API is being deprecated - and instead just simply no longer works -- the Vanguard login page just sits there waiting. Fortunately I was able to fall back to SMS & was able to complete the login process that way.

Would recommend - for anyone here that is using Chrome and has SMS fallback disabled - re-enable SMS until this gets fixed.
Thanks usefulbacon!
It looks like you are using an advanced version of Chrome, not the current version that is pushed out to everybody.
I just checked my version:
Chrome is up to date
Version 97.0.4692.71 (Official Build) (64-bit)
Bottom Line: Your comments are meant for advanced Chrome users and not us mere mortals.

I speculate that regular users like me don't need to do anything and our Yubikeys will keep working.

Who owns the problem? The pocket protector folks in the back offices. I speculate that they will take care of it.
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Vanguard issue with Yubikey : Won't support U2F API soon?

Post by anon_investor »

hudson wrote: Sat Jan 15, 2022 6:31 am
usefulbacon wrote: Fri Jan 14, 2022 7:08 pm Chrome 98 is now out in beta, which disables the U2F API.

https://developer.chrome.com/blog/deps- ... ryptotoken
"Chrome 98 - Beta expected in early January 2022, stable in February. The U2F API will be disabled by default."

I noticed because my browser just updated to Chrome 98 and is no longer showing the pop-up window that the U2F API is being deprecated - and instead just simply no longer works -- the Vanguard login page just sits there waiting. Fortunately I was able to fall back to SMS & was able to complete the login process that way.

Would recommend - for anyone here that is using Chrome and has SMS fallback disabled - re-enable SMS until this gets fixed.
Thanks usefulbacon!
It looks like you are using an advanced version of Chrome, not the current version that is pushed out to everybody.
I just checked my version:
Chrome is up to date
Version 97.0.4692.71 (Official Build) (64-bit)
Bottom Line: Your comments are meant for advanced Chrome users and not us mere mortals.

I speculate that regular users like me don't need to do anything and our Yubikeys will keep working.

Who owns the problem? The pocket protector folks in the back offices. I speculate that they will take care of it.
I thought Vanguard laid off all those "pocket protector folks" a while ago? :confused
sommerfeld
Posts: 1159
Joined: Fri Dec 12, 2008 7:02 pm

Re: Vanguard issue with Yubikey : Won't support U2F API soon?

Post by sommerfeld »

usefulbacon wrote: Fri Jan 14, 2022 7:08 pm Chrome 98 is now out in beta, which disables the U2F API.

https://developer.chrome.com/blog/deps- ... ryptotoken
"Chrome 98 - Beta expected in early January 2022, stable in February. The U2F API will be disabled by default."

I noticed because my browser just updated to Chrome 98 and is no longer showing the pop-up window that the U2F API is being deprecated - and instead just simply no longer works -- the Vanguard login page just sits there waiting. Fortunately I was able to fall back to SMS & was able to complete the login process that way.

Would recommend - for anyone here that is using Chrome and has SMS fallback disabled - re-enable SMS until this gets fixed.
U2F is disabled in 98 but not removed entirely. You can reach under the hood and re-enable it for now via chrome://flags

Enter "u2f" in the "Search flags" box at the top of the page.

You should see two settings:

"Enable the U2F Security Key API"

and

"Enable a permission prompt for the U2F Security Key API"

Change both settings from "default" to "enabled" and restart your browser.
StrongMBS
Posts: 67
Joined: Sat Jan 14, 2017 1:38 pm

Re: Vanguard issue with Yubikey : Won't support U2F API soon?

Post by StrongMBS »

Lots of incorrect information, FUD, and trolling on this subject on this forum. So, what is happening?

Executive Summary: Google/Chrome is deprecating the “U2F API” since it has been replaced by the “WebAuthn API”. It is NOT deprecating U2F functionality, since that is supported by the “WebAuthn API”; just the “U2F API” some early adopters based their original deployment on.

Details:
First, we need to understand the technology and terms a little better. FIDO protocols, like most, have a layered approach and many options. The FIDO architecture has 3 components: Server, Client, Authenticator. Think of the Server as the service hosting the Web page (i.e., URL). The Client could be an app or browser. The Authenticator can be a FIDO security key.
When a browser is the Client, it communicates with the Server through its top layer, referred to as the “xxx API” (e.g., U2F API, WebAuthn API), and with the Authenticator (i.e., FIDO security key) through the bottom layer, what is now called the Client to Authenticator Protocol (CTAP). This can be seen in the picture at the link below from the FIDO Alliance website. Please note this picture shows the state of FIDO Platform/Browser Support in 2020; some things have changed since.

https://fidoalliance.org/fido2/fido2-we ... -webauthn/

What is happening? Chrome is deprecating the U2F API. That is all. Services (e.g., Vanguard, Keeper Security) using U2F will still work with FIDO security keys, but they must update to the new WebAuthn protocol since that is what the Clients (i.e., browsers) will be using.
https://developer.chrome.com/blog/deps- ... ryptotoken

Why did this happen? When U2F was developed and deployed it was state of the art and bleeding edge, and supported by the U2F API in some browsers. The next development in this area, with greater industry support, was WebAuthn from the World Wide Web Consortium (W3C), which supported new options (CTAP2, sometimes referred to as FIDO2) along with FIDO U2F. These services are supported by the WebAuthn API in browsers.

Why is Google/Chrome doing this? The U2F API project is no longer maintained and supported, since WebAuthn is now the current state of the industry. This is a good thing: not Google “losing interest in things” but rather Google embracing the industry. Also, nobody should be using software that is not being supported, so alerting us of this issue is a nice service.

Why are some websites having issues and others not? If you were an early supporter of U2F, like Vanguard and Keeper, then your original deployment was based on the U2F API. Latecomers to the party had the advantage of starting with the WebAuthn API, so there is no work to do. For instance, BoA started supporting FIDO security keys, but I do not get this warning from their website.

Please note when trying to debug issues with FIDO security keys it is very important to understand what Platform (e.g., Windows, iOS, Android, macOS) the browser is being used on, since not all functionality is supported on all Platforms for a browser.

I will repeat again: U2F is NOT being deprecated, just the U2F API some early adopters based their original deployment on.

Will Vanguard and others get this done before the deadline? I do not know, but one of the reasons they are in this position is they were an early adopter, and although many of us think they did not implement it securely enough, we should thank and support them for being on the edge.

Does Vanguard understand these issues? I have no idea, but I find it funny that we expect Vanguard’s customer support to have enough information to explain this to us when I am not sure many of us did either.

BTW, FIDO2 (WebAuthn/CTAP2 – passwordless) is a much more secure protocol than U2F and a “phish-proof” multi-factor authentication (MFA) technology. This is what Microsoft has been deploying.
Fremdon Ferndock
Posts: 1181
Joined: Fri Dec 24, 2021 11:26 am

Re: Vanguard issue with Yubikey : Won't support U2F API soon?

Post by Fremdon Ferndock »

StrongMBS wrote: Mon Jan 17, 2022 1:27 pm Lots of incorrect information, FUD, and trolling on this subject on this forum. So, what is happening?

Executive Summary: Google/Chrome is deprecating the “U2F API” since it has been replaced by the “WebAuthn API”. It is NOT deprecating U2F functionality, since that is supported by the “WebAuthn API”; just the “U2F API” some early adopters based their original deployment on.

Details:
First, we need to understand the technology and terms a little better. FIDO protocols, like most, have a layered approach and many options. The FIDO architecture has 3 components: Server, Client, Authenticator. Think of the Server as the service hosting the Web page (i.e., URL). The Client could be an app or browser. The Authenticator can be a FIDO security key.
When a browser is the Client, it communicates with the Server through its top layer, referred to as the “xxx API” (e.g., U2F API, WebAuthn API), and with the Authenticator (i.e., FIDO security key) through the bottom layer, what is now called the Client to Authenticator Protocol (CTAP). This can be seen in the picture at the link below from the FIDO Alliance website. Please note this picture shows the state of FIDO Platform/Browser Support in 2020; some things have changed since.

https://fidoalliance.org/fido2/fido2-we ... -webauthn/

What is happening? Chrome is deprecating the U2F API. That is all. Services (e.g., Vanguard, Keeper Security) using U2F will still work with FIDO security keys, but they must update to the new WebAuthn protocol since that is what the Clients (i.e., browsers) will be using.
https://developer.chrome.com/blog/deps- ... ryptotoken

Why did this happen? When U2F was developed and deployed it was state of the art and bleeding edge, and supported by the U2F API in some browsers. The next development in this area, with greater industry support, was WebAuthn from the World Wide Web Consortium (W3C), which supported new options (CTAP2, sometimes referred to as FIDO2) along with FIDO U2F. These services are supported by the WebAuthn API in browsers.

Why is Google/Chrome doing this? The U2F API project is no longer maintained and supported, since WebAuthn is now the current state of the industry. This is a good thing: not Google “losing interest in things” but rather Google embracing the industry. Also, nobody should be using software that is not being supported, so alerting us of this issue is a nice service.

Why are some websites having issues and others not? If you were an early supporter of U2F, like Vanguard and Keeper, then your original deployment was based on the U2F API. Latecomers to the party had the advantage of starting with the WebAuthn API, so there is no work to do. For instance, BoA started supporting FIDO security keys, but I do not get this warning from their website.

Please note when trying to debug issues with FIDO security keys it is very important to understand what Platform (e.g., Windows, iOS, Android, macOS) the browser is being used on, since not all functionality is supported on all Platforms for a browser.

I will repeat again: U2F is NOT being deprecated, just the U2F API some early adopters based their original deployment on.

Will Vanguard and others get this done before the deadline? I do not know, but one of the reasons they are in this position is they were an early adopter, and although many of us think they did not implement it securely enough, we should thank and support them for being on the edge.

Does Vanguard understand these issues? I have no idea, but I find it funny that we expect Vanguard’s customer support to have enough information to explain this to us when I am not sure many of us did either.

BTW, FIDO2 (WebAuthn/CTAP2 – passwordless) is a much more secure protocol than U2F and a “phish-proof” multi-factor authentication (MFA) technology. This is what Microsoft has been deploying.
Thanks for the detailed explanation. Now we can "wait and see" what happens with Vanguard and others who need to update.
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
hudson
Posts: 7119
Joined: Fri Apr 06, 2007 9:15 am

FIXED?

Post by hudson »

I logged onto Vanguard; the pop-up window is gone.
Fremdon Ferndock
Posts: 1181
Joined: Fri Dec 24, 2021 11:26 am

Re: Vanguard issue with Yubikey : Won't support U2F API soon?

Post by Fremdon Ferndock »

I just tried and it was gone for me too.
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Vanguard issue with Yubikey : Won't support U2F API soon?

Post by anon_investor »

The popup no longer comes up for me too.
Topic Author
cacophony
Posts: 1363
Joined: Tue Oct 16, 2007 9:12 pm

Re: Vanguard issue with Yubikey : Won't support U2F API soon?

Post by cacophony »

Yes, it seems to have been resolved!
StrongMBS
Posts: 67
Joined: Sat Jan 14, 2017 1:38 pm

Re: Vanguard issue with Yubikey : Won't support U2F API soon?

Post by StrongMBS »

Not so fast.
They seem to have fixed the login page, but I still get this error if I try to register a new FIDO U2F key.
If anybody from Vanguard is listening, please fix this page and any others soon!
StrongMBS
Posts: 67
Joined: Sat Jan 14, 2017 1:38 pm

Re: Vanguard issue with Yubikey : Won't support U2F API soon?

Post by StrongMBS »

Looks like sometime this week they fixed the web page for registering a new key, so this warning is no longer being displayed.
Now if we could get them to force a PIN entry if the key has one; this is a simple change but makes your account even more secure. Although ideally, they would start offering FIDO2 (WebAuthn/CTAP2) passwordless with a PIN for phishing-proof, best-in-class cybersecurity.
Jason95357
Posts: 47
Joined: Mon Apr 27, 2020 12:01 pm

Re: Vanguard issue with Yubikey : Won't support U2F API soon?

Post by Jason95357 »

Argh - I know this is an older thread, but the topic is still correct.

I'm very irritated at how Vanguard handled the Security Key changeover, and the way Security Codes work in general.

TLDR; When you go to register a Security Key with the new FIDO2 support, it wipes out all of your existing Security Keys.

I have two Security Keys registered, and Security Codes disabled (cell SMS is insecure). I logged in today to get my statements (last login was in May - I don't have much going on, I just have an automated DCA to max my Roth IRA right now), and I logged in with my normal Security Key. Then I'm told:
Let's upgrade you

We're enhancing your account security with FIDO2 specifications.
All existing keys need to register with the upgraded service or
deactivate by September 20th. It only takes a minute to enroll your
key(s) now to maintain your account access.

(Upgrade now) (Remind me later)
I figured I'd at least get the YubiKey I keep in my wallet upgraded, and I'd do the others we have secured elsewhere later on.

Because I have Security Codes disabled, it prompted me saying I had to enable Security Codes to enable a Security Key. What I didn't know at this point is that they had just deleted all of the Security Keys I had registered. I registered my cell via SMS, but then was just taken to the main portal (glitch for sure!). I headed over to Profile & Account Settings -> Security Profile -> Security Key, and nothing was listed. I registered the key I keep in my wallet, but then realized I needed to go and retrieve my backup keys from their various secured locations (one of which is remote and not at my home). I at least registered a second key, and I'll have to do the third later on, but how annoying.

Once I had a second Security Key registered, I could then re-disable Security Codes.

Know that there is a security flaw that allows anyone with your username/password to enable Security Codes via the Vanguard smartphone app and completely bypass your Security Keys.
gavinsiu
Posts: 4543
Joined: Sun Nov 14, 2021 11:42 am

Re: Vanguard issue with Yubikey : Won't support U2F API soon?

Post by gavinsiu »

I logged in yesterday and had to re-register the 3 keys. I had to type in my PIN during registration but I did not encounter any issues.