Yubikey only at Vanguard now possible.

criticalmass
Posts: 2843
Joined: Wed Feb 12, 2014 9:58 pm

Re: Yubikey only at Vanguard now possible.

Post by criticalmass »

absolute zero wrote: Sun Sep 26, 2021 8:51 pm
anon_investor wrote: Sun Sep 26, 2021 8:42 pm
absolute zero wrote: Sun Sep 26, 2021 8:39 pm
anon_investor wrote: Sun Sep 26, 2021 8:29 pm
cuda74360 wrote: Sun Sep 26, 2021 8:01 pm If SMS authentication is still required if you use a Yubikey, is it really worth buying the device and setting this up? Seems like a waste of money if it's that easy to bypass. I really wish Vanguard would give us an option to use TOTP like everyone else does.
Probably. To make my Vanguard account more secure, I am using a Google Voice number for 2FA. The Gmail account that number is tied to is secured by Google Authenticator app. I am considering getting a Yubikey to secure the Gmail account AND Vanguard, so I have a way to immediately access both accounts in case I lose my phone.
You may already be aware of this, but you can set things up such that if you lose your phone, you will face no issues with respect to authenticator app. I have the exact same setup that you just described (SMS for vanguard linked to GV number, google account backed up by authenticator app). If I lost my phone, then I would go pull a piece of paper out of my safe that has long backup codes written on it (one for gmail, one for Paypal, etc). These codes will allow me to get a new authenticator app "up and running" again. I can enter the gmail code into my new phone's authenticator app (or my spouse's phone/app if I'm in a hurry to access my account before buying a new phone) and the app will start displaying the same 6 digit codes that it did before. I can then log-in to gmail with no issues.
Good point, I also have a print out of the back up codes in my safe. :sharebeer

This is one reason I have not spent any money on Yubikeys yet. Though if there is a good black friday sale, I might buy a couple of them.
Yeah I’ve half-considered it for a while too, but not yet pulled the trigger. I guess there’s a very small chance that a Yubikey could save my bacon, but really the only risk that it would eliminate is phishing.

Maybe I will feel paranoid enough to get a couple Yubikeys in a few years when my account balances are (hopefully) a little bigger.
:happy
Every now and then Wired Magazine and Yubikey have a promotion. During the promotion, $5 gets you a year's subscription to Wired and a Yubikey.
cowdogman
Posts: 2072
Joined: Sat Dec 16, 2017 6:44 pm
Location: Washington State

Re: Yubikey only at Vanguard now possible.

Post by cowdogman »

anon_investor wrote: Sun Sep 26, 2021 8:37 pm
cowdogman wrote: Sun Sep 26, 2021 8:35 pm
cuda74360 wrote: Sun Sep 26, 2021 8:01 pm If SMS authentication is still required if you use a Yubikey, is it really worth buying the device and setting this up? Seems like a waste of money if it's that easy to bypass. I really wish Vanguard would give us an option to use TOTP like everyone else does.
I got a couple Yubikeys because of this thread. Wish I had done so long ago. I use them everywhere now, including LastPass, LogIn.gov (for SSA and other things), my email and Vanguard.
Which ones did you buy? I am wondering if the $25 blue one is good enough.
The Yubikey site has a key selector app. Just work thru the questions and it will tell you what you need. I then bought mine on Amazon.
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

cowdogman wrote: Mon Sep 27, 2021 9:20 am
anon_investor wrote: Sun Sep 26, 2021 8:37 pm
cowdogman wrote: Sun Sep 26, 2021 8:35 pm
cuda74360 wrote: Sun Sep 26, 2021 8:01 pm If SMS authentication is still required if you use a Yubikey, is it really worth buying the device and setting this up? Seems like a waste of money if it's that easy to bypass. I really wish Vanguard would give us an option to use TOTP like everyone else does.
I got a couple Yubikeys because of this thread. Wish I had done so long ago. I use them everywhere now, including LastPass, LogIn.gov (for SSA and other things), my email and Vanguard.
Which ones did you buy? I am wondering if the $25 blue one is good enough.
The Yubikey site has a key selector app. Just work thru the questions and it will tell you what you need. I then bought mine on Amazon.
Thanks, it looks like the $24.50 blue colored key works for everything I need. I am going to wait for potential black friday deals. I am still on the fence if a yubikey is even necessary, since I have already shifted my Vanguard 2FA to my google voice number, and my google account is secured by google authenticator and back up codes (not SMS).
Nicolas
Posts: 4923
Joined: Wed Aug 22, 2012 7:41 am

Re: Yubikey only at Vanguard now possible.

Post by Nicolas »

I bought my Yubikeys directly from Yubico as someone here warned it was a possible security risk to go through an intermediary like Amazon. They claimed that it’s more secure to get them directly from the source. (I’m glad I did as I was able to apply a $10 coupon I found online that I could not have used through Amazon). Also Yubico advertises that they manufacture their keys only in the USA and Sweden, avoiding any Chinese manufacturers, something other key vendors don’t do.
cowdogman
Posts: 2072
Joined: Sat Dec 16, 2017 6:44 pm
Location: Washington State

Re: Yubikey only at Vanguard now possible.

Post by cowdogman »

Nicolas wrote: Mon Sep 27, 2021 6:51 pm I bought my Yubikeys directly from Yubico as someone here warned it was a possible security risk to go through an intermediary like Amazon. They claimed that it’s more secure to get them directly from the source. (I’m glad I did as I was able to apply a $10 coupon I found online that I could not have used through Amazon). Also Yubico advertises that they manufacture their keys only in the USA and Sweden, avoiding any Chinese manufacturers, something other key vendors don’t do.
FWIW the seller on Amazon is Yubico--Fulfilled by Amazon.
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

Nicolas wrote: Mon Sep 27, 2021 6:51 pm I bought my Yubikeys directly from Yubico as someone here warned it was a possible security risk to go through an intermediary like Amazon. They claimed that it’s more secure to get them directly from the source. (I’m glad I did as I was able to apply a $10 coupon I found online that I could not have used through Amazon). Also Yubico advertises that they manufacture their keys only in the USA and Sweden, avoiding any Chinese manufacturers, something other key vendors don’t do.
That is funny, the Yubico website has a link to buy from Amazon...
cowdogman
Posts: 2072
Joined: Sat Dec 16, 2017 6:44 pm
Location: Washington State

Re: Yubikey only at Vanguard now possible.

Post by cowdogman »

anon_investor wrote: Mon Sep 27, 2021 8:13 pm
Nicolas wrote: Mon Sep 27, 2021 6:51 pm I bought my Yubikeys directly from Yubico as someone here warned it was a possible security risk to go through an intermediary like Amazon. They claimed that it’s more secure to get them directly from the source. (I’m glad I did as I was able to apply a $10 coupon I found online that I could not have used through Amazon). Also Yubico advertises that they manufacture their keys only in the USA and Sweden, avoiding any Chinese manufacturers, something other key vendors don’t do.
That is funny, the Yubico website has a link to buy from Amazon...
Amazon is everywhere...but that's ok now that I heard that William Shatner is on the next Blue Origin flight. Space, the final frontier!
cbeck
Posts: 640
Joined: Sun Jun 24, 2012 1:28 am

Re: Yubikey only at Vanguard now possible.

Post by cbeck »

Does anyone know of any data about just how much using a hardware authentication device reduces your risk of having your account hacked? Companies that flog their devices like yubikey naturally stress the worst case scenario, i.e. you lose all your money. It's not at all irrational to protect against a worst case outcome, but the expected case is relevant, too. My guess is that using a hardware authentication device reduces our risk of loss by comparison with other 2FA methods infinitesimally. I think the emphasis on such devices by end users like ourselves is an example of the endowment effect. We see the login process again and again and naturally overemphasize it as a source of risk, ignoring the invisible risks which are almost certainly greater, such as intrusion into the brokerage company's systems.

[Off topic troll removed by Moderator Misenplace.]
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

cbeck wrote: Mon Sep 27, 2021 9:18 pm Does anyone know of any data about just how much using a hardware authentication device reduces your risk of having your account hacked?
For many reasons, I think that data would be very difficult to produce.

You could possibly conduct a test, sending out fake phishing attempts, but since so few people actually own/use physical security keys, it would be difficult to know how many were thwarted for that reason alone.
cbeck wrote: Mon Sep 27, 2021 9:18 pm Companies that flog their devices like yubikey naturally stress the worst case scenario, i.e. you lose all your money. It's not at all irrational to protect against a worst case outcome, but the expected case is relevant, too. My guess is that using a hardware authentication device reduces our risk of loss by comparison with other 2FA methods infinitesimally.
I think that the expected case is a phishing attempt (most of the major hacks that you hear about are due to phishing). The main vulnerability with other two-factor authentication methods is that they don't protect against phishing attempts.

With properly implemented hardware-based two-factor authentication, the important takeaway is that an attacker would need to be in physical possession of the security key in order to gain access to the account.
cowdogman
Posts: 2072
Joined: Sat Dec 16, 2017 6:44 pm
Location: Washington State

Re: Yubikey only at Vanguard now possible.

Post by cowdogman »

Silence Dogood wrote: Sat Oct 09, 2021 2:12 pm
cbeck wrote: Mon Sep 27, 2021 9:18 pm Does anyone know of any data about just how much using a hardware authentication device reduces your risk of having your account hacked?
For many reasons, I think that data would be very difficult to produce.

You could possibly conduct a test, sending out fake phishing attempts, but since so few people actually own/use physical security keys, it would be difficult to know how many were thwarted for that reason alone.
cbeck wrote: Mon Sep 27, 2021 9:18 pm Companies that flog their devices like yubikey naturally stress the worst case scenario, i.e. you lose all your money. It's not at all irrational to protect against a worst case outcome, but the expected case is relevant, too. My guess is that using a hardware authentication device reduces our risk of loss by comparison with other 2FA methods infinitesimally.
I think that the expected case is a phishing attempt (most of the major hacks that you hear about are due to phishing). The main vulnerability with other two-factor authentication methods is that they don't protect against phishing attempts.

With properly implemented hardware-based two-factor authentication, the important takeaway is that an attacker would need to be in physical possession of the security key in order to gain access to the account.
I agree with Silence Dogood but I look at the security issue in a slightly different way.

The internet is becoming a more dangerous and less secure place than it used to be. In a better world internet security would be increasing, but instead it's going the other way and the scale of hacks is becoming scarier.

So I want the most secure setup I can reasonably use*. So if there is an added security measure that doesn't cost much and is not a hassle to use, I'm going to use it even if the incremental security protection is minimal. (I may even upgrade to the new bio keys from Yubico.)

Plus I have found the use of a physical key to be less of a hassle than SMS or authenticators.

* Not using the internet is not reasonable--and I'm not sure it's even more secure--being able to monitor accounts in real time adds to security.
HawkeyePierce
Posts: 2351
Joined: Tue Mar 05, 2019 9:29 pm
Location: Colorado

Re: Yubikey only at Vanguard now possible.

Post by HawkeyePierce »

cbeck wrote: Mon Sep 27, 2021 9:18 pm Does anyone know of any data about just how much using a hardware authentication device reduces your risk of having your account hacked? Companies that flog their devices like yubikey naturally stress the worst case scenario, i.e. you lose all your money. It's not at all irrational to protect against a worst case outcome, but the expected case is relevant, too. My guess is that using a hardware authentication device reduces our risk of loss by comparison with other 2FA methods infinitesimally. I think the emphasis on such devices by end users like ourselves is an example of the endowment effect. We see the login process again and again and naturally overemphasize it as a source of risk, ignoring the invisible risks which are almost certainly greater, such as intrusion into the brokerage company's systems.

[Off topic troll removed by Moderator Misenplace.]
Google was only able to completely eliminate phishing attacks against their 85,000+ workforce by requiring hardware keys.

https://krebsonsecurity.com/2018/07/goo ... -phishing/
squirm
Posts: 4239
Joined: Sat Mar 19, 2011 11:53 am

Re: Yubikey only at Vanguard now possible.

Post by squirm »

Why put the code in a safe? Nobody knows what it's for. I have mine taped behind a cabinet door with a bunch of tuna recipes mixed in, it looks like the printer printed junk in the middle of a tuna salad. Nobody has a clue.
Nicolas
Posts: 4923
Joined: Wed Aug 22, 2012 7:41 am

Re: Yubikey only at Vanguard now possible.

Post by Nicolas »

squirm wrote: Sat Oct 09, 2021 3:34 pm Why put the code in a safe? Nobody knows what it's for. I have mine taped behind a cabinet door with a bunch of tuna recipes mixed in, it looks like the printer printed junk in the middle of a tuna salad. Nobody has a clue.
This reminds me of what my coworker told me in 1980 during the silver boom. He said he was going to buy a big brick of silver as an investment and then paint it some other color and use it as a doorstop. The ultimate security, hiding in plain sight. I don’t know if he ever followed through (and he’s dead now). It would’ve been a poor investment anyway, silver hit a peak then of $50/ounce (in 1980 dollars) and of course paid no dividends.
squirm
Posts: 4239
Joined: Sat Mar 19, 2011 11:53 am

Re: Yubikey only at Vanguard now possible.

Post by squirm »

Nicolas wrote: Sat Oct 09, 2021 4:32 pm
squirm wrote: Sat Oct 09, 2021 3:34 pm Why put the code in a safe? Nobody knows what it's for. I have mine taped behind a cabinet door with a bunch of tuna recipes mixed in, it looks like the printer printed junk in the middle of a tuna salad. Nobody has a clue.
This reminds me of what my coworker told me in 1980 during the silver boom. He said he was going to buy a big brick of silver as an investment and then paint it some other color and use it as a doorstop. The ultimate security, hiding in plain sight. I don’t know if he ever followed through (and he’s dead now). It would’ve been a poor investment anyway, silver hit a peak then of $50/ounce (in 1980 dollars) and of course paid no dividends.
My important backups on the external USB drive are in the tampon box in the bathroom closet.
cbeck
Posts: 640
Joined: Sun Jun 24, 2012 1:28 am

Re: Yubikey only at Vanguard now possible.

Post by cbeck »

Silence Dogood wrote: Sat Oct 09, 2021 2:12 pm
cbeck wrote: Mon Sep 27, 2021 9:18 pm Does anyone know of any data about just how much using a hardware authentication device reduces your risk of having your account hacked?
For many reasons, I think that data would be very difficult to produce.

You could possibly conduct a test, sending out fake phishing attempts, but since so few people actually own/use physical security keys, it would be difficult to know how many were thwarted for that reason alone.
cbeck wrote: Mon Sep 27, 2021 9:18 pm Companies that flog their devices like yubikey naturally stress the worst case scenario, i.e. you lose all your money. It's not at all irrational to protect against a worst case outcome, but the expected case is relevant, too. My guess is that using a hardware authentication device reduces our risk of loss by comparison with other 2FA methods infinitesimally.
I think that the expected case is a phishing attempt (most of the major hacks that you hear about are due to phishing). The main vulnerability with other two-factor authentication methods is that they don't protect against phishing attempts.

With properly implemented hardware-based two-factor authentication, the important takeaway is that an attacker would need to be in physical possession of the security key in order to gain access to the account.
That's interesting. I don't worry about phishing attempts. If phishing is the risk then a yubikey protects me from stupidly reading out to a phisher the six-digit 2FA code that I received in my email? Do you feel the need to protect yourself from this particular attack?

The downside of a yubikey type device is that now there is something else I would have to carry with me and can lose. Also, when I cross a border it can be demanded of me by the border police, which I may not legally be able to refuse. So, I lose deniability.

The security gain from yubikeys still looks infinitesimal to me.
mptfan
Posts: 7218
Joined: Mon Mar 05, 2007 8:58 am

Re: Yubikey only at Vanguard now possible.

Post by mptfan »

cbeck wrote: Sat Oct 09, 2021 5:15 pm The security gain from yubikeys still looks infinitesimal to me.
No matter how it looks to you, the security gain is more than infinitesimal, it is significant.
cbeck
Posts: 640
Joined: Sun Jun 24, 2012 1:28 am

Re: Yubikey only at Vanguard now possible.

Post by cbeck »

mptfan wrote: Sat Oct 09, 2021 5:24 pm
cbeck wrote: Sat Oct 09, 2021 5:15 pm The security gain from yubikeys still looks infinitesimal to me.
No matter how it looks to you, the security gain is more than infinitesimal, it is significant.
In the absence of any data to support that claim how is that not faith-based reasoning?
mptfan
Posts: 7218
Joined: Mon Mar 05, 2007 8:58 am

Re: Yubikey only at Vanguard now possible.

Post by mptfan »

cbeck wrote: Sat Oct 09, 2021 5:31 pm In the absence of any data to support that claim how is that not faith-based reasoning?
There is data to support that claim.
cbeck
Posts: 640
Joined: Sun Jun 24, 2012 1:28 am

Re: Yubikey only at Vanguard now possible.

Post by cbeck »

HawkeyePierce wrote: Sat Oct 09, 2021 3:33 pm
cbeck wrote: Mon Sep 27, 2021 9:18 pm Does anyone know of any data about just how much using a hardware authentication device reduces your risk of having your account hacked? Companies that flog their devices like yubikey naturally stress the worst case scenario, i.e. you lose all your money. It's not at all irrational to protect against a worst case outcome, but the expected case is relevant, too. My guess is that using a hardware authentication device reduces our risk of loss by comparison with other 2FA methods infinitesimally. I think the emphasis on such devices by end users like ourselves is an example of the endowment effect. We see the login process again and again and naturally overemphasize it as a source of risk, ignoring the invisible risks which are almost certainly greater, such as intrusion into the brokerage company's systems.

[Off topic troll removed by Moderator Misenplace.]
Google was only able to completely eliminate phishing attacks against their 85,000+ workforce by requiring hardware keys.

https://krebsonsecurity.com/2018/07/goo ... -phishing/
That's an interesting article. However, notice that the only statistic cited is that since requiring yubikeys they have had no successful phishing attacks against their employees. So, the number of such attacks went to zero. But how many were there before the yubikeys? The article doesn't say. So, we don't know how much risk the yubikeys eliminated. This is a good case of the dishonest use of statistics by the writer of that article.

But assuming that Google actually did have a significant pre-yubikey problem. How is that relevant to you and me? Google employees are contacted by the public to do such things as unlock accounts, sometimes fraudulently. You and I are not fielding calls from untrusted persons. For instance, when I login to ssa.gov, I get a 2FA code by email which together with my loginid and strong password admits me to my account. Where is the opportunity for some swindler to talk me into providing all my credentials? If I can't complete the login for some reason I might call tech support at ssa.gov. So, then I know at least that I am talking to a government employee since he didn't call me. But I am still not going to give him my credentials under any circumstances. So, I don't see the risk reduction from preventing myself from giving away my own credentials.
Second Round
Posts: 240
Joined: Thu Sep 30, 2021 8:16 am

Re: Yubikey only at Vanguard now possible.

Post by Second Round »

In the news this week was that Google is going to move 150 million accounts to mandatory 2FA:

https://www.theregister.com/2021/10/06/ ... ntication/

That's a start - and they chose accounts for which the second factor was already registered. I would expect Google intends to move everyone to it.

This seems like a good idea for security, except that I really don't wish to have to generate a 2nd factor code every time I check email. I can see how Google might like me to just stay logged in all day ... I don't want that. Even if it's just an extra click (assuming my key is inserted in a usb port), then I'm liable to wear the key or port out by having to plug it in and take it out multiple times a day as I come and go from my home office desk.

I would be fine with this if it were just for banking/investment sites. I don't quite log into those daily, and certainly not multiple times a day. But just email? Ugh. I hope not.
squirm
Posts: 4239
Joined: Sat Mar 19, 2011 11:53 am

Re: Yubikey only at Vanguard now possible.

Post by squirm »

Second Round wrote: Sat Oct 09, 2021 8:28 pm In the news this week was that Google is going to move 150 million accounts to mandatory 2FA:

https://www.theregister.com/2021/10/06/ ... ntication/

That's a start - and they chose accounts for which the second factor was already registered. I would expect Google intends to move everyone to it.

This seems like a good idea for security, except that I really don't wish to have to generate a 2nd factor code every time I check email. I can see how Google might like me to just stay logged in all day ... I don't want that. Even if it's just an extra click (assuming my key is inserted in a usb port), then I'm liable to wear the key or port out by having to plug it in and take it out multiple times a day as I come and go from my home office desk.

I would be fine with this if it were just for banking/investment sites. I don't quite log into those daily, and certainly not multiple times a day. But just email? Ugh. I hope not.
I would think Google will allow you to trust the device, just like others like Microsoft do.
Second Round
Posts: 240
Joined: Thu Sep 30, 2021 8:16 am

Re: Yubikey only at Vanguard now possible.

Post by Second Round »

squirm wrote: Sat Oct 09, 2021 8:35 pm I would think Google will allow you to trust the device, just like others like Microsoft do.
Maybe, maybe not. I often have to "enable less secure app access" to use an email client with Linux, rather than getting mail through a Google app or via their web browser. I'm inclined to view this as a self-serving scare tactic on their part rather than a fair assessment. Why should using a stored username + password combo on a desktop PC (doesn't leave the house; has user account password), connecting via ethernet, be considered less secure than an Android/Google phone that has those things remembered, DOES leave the house, connected by wifi or mobile data, and is protected by a lock screen handful of digits?

Here's what they have on the "security checkup" if I log into my Google account:
1 Recommendation

Turn off less secure app access
Your account is vulnerable to malicious activity because you’re allowing apps & devices that use less secure sign-in technology to access your account. You should turn off this type of access. Google will automatically turn this setting OFF if it’s not being used. Learn more
mptfan
Posts: 7218
Joined: Mon Mar 05, 2007 8:58 am

Re: Yubikey only at Vanguard now possible.

Post by mptfan »

cbeck wrote: Sat Oct 09, 2021 6:13 pm But assuming that Google actually did have a significant pre-yubikey problem. How is that relevant to you and me?
I think it's safe to assume, and reasonable to infer, that Google had a significant pre-yubikey problem, and that is why they required the use of security keys. And it's relevant because it's safe to assume that Google employees are among the most sophisticated tech users, and yet they were vulnerable to phishing, so the average person is much more likely to be a victim, and security keys eliminate that threat.

Security keys also eliminate the threat of being tricked by a spoofed website because the security key will not validate a fake site.

Security keys also eliminate the threat of a man-in-the-middle attack.

Security keys do not require access to phone service (as do SMS codes).

Security keys do not have batteries and do not lose power (as do smartphones, which would prevent access to SMS and Authenticator codes).

I also find them to be very convenient...once your device is recognized then you can automatically log in, and even in those cases where you need to use the security key for authentication, you just touch it and you're in... no more looking for your phone and opening the right app to get a code and then typing in the code and hoping you did not make a mistake.
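A toy model of the origin binding that Silence Dogood ("an attacker would need to be in physical possession of the security key") and mptfan ("the security key will not validate a fake site") describe, added here as an illustration; it is not code from any poster, from Vanguard or from Yubico. A TOTP code is six digits the server cannot tie to the page they were typed into, so a lookalike page that relays the code is accepted. A FIDO/WebAuthn-style assertion is signed with a credential scoped to the site and over the challenge plus the origin the browser actually saw, so the same relay fails the server's checks. The domains bank.example and bank-login.example, the user name alice, and the use of HMAC as a stand-in for the key's asymmetric signature are assumptions of the example.

```python
"""Why a relayed TOTP code verifies but a relayed FIDO-style assertion does not.
Added, simplified illustration: HMAC stands in for the real key pair."""
import hashlib
import hmac
import json
import secrets
import struct
import time


# ---- TOTP (RFC 6238, SHA-1, 30 s step, 6 digits): the code is origin-agnostic ----
def totp(secret: bytes, unix_time: int) -> str:
    counter = struct.pack(">Q", unix_time // 30)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def totp_login(server_secret: bytes, submitted_code: str, unix_time: int) -> bool:
    # The server cannot tell which page the user typed the code into.
    return hmac.compare_digest(totp(server_secret, unix_time), submitted_code)


# ---- Toy security key: one credential per site, signs challenge + origin ----
class ToyAuthenticator:
    def __init__(self):
        self.device_secret = secrets.token_bytes(32)  # never leaves the key

    def _credential_key(self, rp_id: str) -> bytes:
        # Per-site key derived from rp_id (assumption: stands in for a key pair).
        return hmac.new(self.device_secret, rp_id.encode(), hashlib.sha256).digest()

    def register(self, rp_id: str) -> bytes:
        return self._credential_key(rp_id)

    def assert_login(self, page_origin: str, challenge: str):
        # The browser, not the user, fills in rp_id and origin from the page it
        # is actually showing; the user cannot "type" a different origin.
        rp_id = page_origin.split("://", 1)[1]
        client_data = json.dumps(
            {"challenge": challenge, "origin": page_origin}, sort_keys=True
        ).encode()
        sig = hmac.new(self._credential_key(rp_id), client_data, hashlib.sha256).digest()
        return client_data, sig


class ToyRelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.credentials = {}
        self.pending = set()

    def register(self, user: str, cred_key: bytes) -> None:
        self.credentials[user] = cred_key

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, user: str, client_data: bytes, sig: bytes) -> bool:
        data = json.loads(client_data)
        if data["challenge"] not in self.pending:
            return False  # replayed or never issued
        self.pending.discard(data["challenge"])
        if data["origin"] != self.origin:
            return False  # signed for some other site
        expected = hmac.new(self.credentials[user], client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def honest_login(origin: str = "https://bank.example") -> bool:
    key, rp = ToyAuthenticator(), ToyRelyingParty(origin)
    rp.register("alice", key.register("bank.example"))  # constructed user
    client_data, sig = key.assert_login(origin, rp.new_challenge())
    return rp.verify("alice", client_data, sig)


def simulate_relay(real_origin: str = "https://bank.example",
                   fake_origin: str = "https://bank-login.example"):
    """(totp_accepted, fido_accepted) when a lookalike page relays whatever the
    user produces straight to the real site. Domains are constructed."""
    now = int(time.time())
    shared = secrets.token_bytes(20)
    code_typed_into_fake_page = totp(shared, now)
    totp_accepted = totp_login(shared, code_typed_into_fake_page, now)

    key, rp = ToyAuthenticator(), ToyRelyingParty(real_origin)
    rp.register("alice", key.register("bank.example"))
    challenge = rp.new_challenge()  # relayed unchanged by the lookalike
    client_data, sig = key.assert_login(fake_origin, challenge)
    fido_accepted = rp.verify("alice", client_data, sig)
    return totp_accepted, fido_accepted


if __name__ == "__main__":
    print("honest FIDO login accepted:", honest_login())
    print("relay through lookalike: (TOTP accepted, FIDO accepted) =", simulate_relay())
```

The relayed assertion fails twice over: the origin inside the signed client data is the lookalike's, and the browser picked the credential scoped to the lookalike's rp_id, so even a forged origin field would not verify under the credential registered for bank.example. That is the property the thread's "won't validate a fake site" remark refers to; the TOTP path has no equivalent check because the code carries no information about where it was entered.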
HawkeyePierce
Posts: 2351
Joined: Tue Mar 05, 2019 9:29 pm
Location: Colorado

Re: Yubikey only at Vanguard now possible.

Post by HawkeyePierce »

Second Round wrote: Sat Oct 09, 2021 9:02 pm
squirm wrote: Sat Oct 09, 2021 8:35 pm I would think Google will allow you to trust the device, just like others like Microsoft do.
Maybe, maybe not. I often have to "enable less secure app access" to use an email client with Linux, rather than getting mail through a Google app or via their web browser. I'm inclined to view this as a self-serving scare tactic on their part rather than a fair assessment. Why should using a stored username + password combo on a desktop PC (doesn't leave the house; has user account password), connecting via ethernet, be considered less secure than an Android/Google phone that has those things remembered, DOES leave the house, connected by wifi or mobile data, and is protected by a lock screen handful of digits?

Here's what they have on the "security checkup" if I log into my Google account:
1 Recommendation

Turn off less secure app access
Your account is vulnerable to malicious activity because you’re allowing apps & devices that use less secure sign-in technology to access your account. You should turn off this type of access. Google will automatically turn this setting OFF if it’s not being used. Learn more
A mobile phone is far more secure than a PC.

Google only requires you to redo 2FA every 30 days.
cbeck
Posts: 640
Joined: Sun Jun 24, 2012 1:28 am

Re: Yubikey only at Vanguard now possible.

Post by cbeck »

mptfan wrote: Sat Oct 09, 2021 10:00 pm
cbeck wrote: Sat Oct 09, 2021 6:13 pm But assuming that Google actually did have a significant pre-yubikey problem. How is that relevant to you and me?
I think it's safe to assume, and reasonable to infer, that Google had a significant pre-yubikey problem, and that is why they required the use of security keys. And it's relevant because it's safe to assume that Google employees are among the most sophisticated tech users, and yet they were vulnerable to phishing, so the average person is much more likely to be a victim, and security keys eliminate that threat.

Security keys also eliminate the threat of being tricked by a spoofed website because the security key will not validate a fake site.

Security keys also eliminate the threat of a man-in-the-middle attack.

Security keys do not require access to phone service (as do SMS codes).

Security keys do not have batteries and do not lose power (as do smartphones, which would prevent access to SMS and Authenticator codes).

I also find them to be very convenient...once your device is recognized then you can automatically log in, and even in those cases where you need to use the security key for authentication, you just touch it and you're in... no more looking for your phone and opening the right app to get a code and then typing in the code and hoping you did not make a mistake.
Well, that's clearly the inference that the writer of that article intended us to draw, but without supporting data, it's just another vacuous opinion.

Nor do I find evidence to support the claims you are making at least in a quick search. Lists of best practices to protect against MITM attacks don't mention yubikey-type devices. Neither do recommendations against spoofing, although they do recommend generic 2FA.

So, I don't see the benefit.
Tubes
Posts: 1881
Joined: Wed Apr 22, 2020 6:33 am

Re: Yubikey only at Vanguard now possible.

Post by Tubes »

mptfan wrote: Sat Oct 09, 2021 10:00 pm
cbeck wrote: Sat Oct 09, 2021 6:13 pm But assuming that Google actually did have a significant pre-yubikey problem. How is that relevant to you and me?
I think it's safe to assume, and reasonable to infer, that Google had a significant pre-yubikey problem, and that is why they required the use of security keys. And it's relevant because it's safe to assume that Google employees are among the most sophisticated tech users, and yet they were vulnerable to phishing, so the average person is much more likely to be a victim, and security keys eliminate that threat.
I worked for a different sophisticated tech firm. I worked with some of the smartest people I knew. Our security people used to occasionally intentionally phish the employee population as a little test and training exercise. Routinely, 20% or so of the population bought the phish.
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

cbeck wrote: Sat Oct 09, 2021 5:15 pm If phishing is the risk then a yubikey protects me from stupidly reading out to a phisher the six-digit 2FA code that I received in my email?
cbeck wrote: Sat Oct 09, 2021 6:13 pm You and I are not fielding calls from untrusted persons. For instance, when I login to ssa.gov, I get a 2FA code by email which together with my loginid and strong password admits me to my account. Where is the opportunity for some swindler to talk me into providing all my credentials? If I can't complete the login for some reason I might call tech support at ssa.gov. So, then I know at least that I am talking to a government employee since he didn't call me. But I am still not going to give him my credentials under any circumstances. So, I don't see the risk reduction from preventing myself from giving away my own credentials.
Are you under the impression that a successful phishing attack requires you to speak to someone over the phone?
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

cowdogman wrote: Sat Oct 09, 2021 2:44 pm Plus I have found the use of a physical key to be less of a hassle than SMS or authenticators.
+1

Absolutely.
Second Round
Posts: 240
Joined: Thu Sep 30, 2021 8:16 am

Re: Yubikey only at Vanguard now possible.

Post by Second Round »

HawkeyePierce wrote: Sat Oct 09, 2021 10:44 pm A mobile phone is far more secure than a PC.
That's pretty much the opposite of my understanding.

How hard is it to lose a desktop PC?
How strong are lock screen passwords on phones versus user account passwords on PCs?
How many times have malicious apps been discovered in one app store or another? Or apps that take great liberty with permissions (from mic and camera to GPS, clipboard, and address book)
Are not phones by nature subject to wifi sniffing and bluetooth vulnerabilities? [Laptops are too of course, but not necessarily desktop PCs using ethernet]
User control of background processes (or even knowledge of them)?

On average, I really don't think it's a contest either, but I think it goes the other way. But there is no doubt some overlap - some may be able to lock down their phone well and others may run their PCs as passwordless root all the time. But that's not the typical case.

I'm curious - what features on a desktop PC do you think are less secure than a phone?
kevinf
Posts: 848
Joined: Mon Aug 05, 2019 11:35 pm

Re: Yubikey only at Vanguard now possible.

Post by kevinf »

Phones are encrypted usually with a dedicated encryption module, can be tracked and remotely locked or wiped, can take video/photo and audio of their surroundings, and can require 2 factor to login.

Desktop PCs frequently do very few of these on the assumption that they are not going to be stolen... Sometimes they are configured not to require a password at all.

Your typical phone is likely much more secure than the typical PC given physical access.
mptfan
Posts: 7218
Joined: Mon Mar 05, 2007 8:58 am

Re: Yubikey only at Vanguard now possible.

Post by mptfan »

cbeck wrote: Sat Oct 09, 2021 11:59 pm Well, that's clearly the inference that the writer of that article intended us to draw, but without supporting data, it's just another vacuous opinion.

Nor do I find evidence to support the claims you are making at least in a quick search. Lists of best practices to protect against MITM attacks don't mention yubikey-type devices. Neither do recommendations against spoofing, although they do recommend generic 2FA.

So, I don't see the benefit.
I have not offered vacuous opinions, I have researched this issue extensively and have done much more than just a "quick search," and all of the things I wrote are true and backed up by data and expert opinion.
cbeck
Posts: 640
Joined: Sun Jun 24, 2012 1:28 am

Re: Yubikey only at Vanguard now possible.

Post by cbeck »

Silence Dogood wrote: Sun Oct 10, 2021 9:34 am
cbeck wrote: Sat Oct 09, 2021 5:15 pm If phishing is the risk then a yubikey protects me from stupidly reading out to a phisher the six-digit 2FA code that I received in my email?
cbeck wrote: Sat Oct 09, 2021 6:13 pm You and I are not fielding calls from untrusted persons. For instance, when I login to ssa.gov, I get a 2FA code by email which together with my loginid and strong password admits me to my account. Where is the opportunity for some swindler to talk me into providing all my credentials? If I can't complete the login for some reason I might call tech support at ssa.gov. So, then I know at least that I am talking to a government employee since he didn't call me. But I am still not going to give him my credentials under any circumstances. So, I don't see the risk reduction from preventing myself from giving away my own credentials.
Are you under the impression that a successful phishing attack requires you to speak to someone over the phone?
Have you bought a yubikey to prevent yourself from logging into your money account via a link in an email?
cbeck
Posts: 640
Joined: Sun Jun 24, 2012 1:28 am

Re: Yubikey only at Vanguard now possible.

Post by cbeck »

Tubes wrote: Sun Oct 10, 2021 6:43 am
mptfan wrote: Sat Oct 09, 2021 10:00 pm
cbeck wrote: Sat Oct 09, 2021 6:13 pm But assuming that Google actually did have a significant pre-yubikey problem. How is that relevant to you and me?
I think it's safe to assume, and reasonable to infer, that Google had a significant pre-yubikey problem, and that is why they required the use of security keys. And it's relevant because it's safe to assume that Google employees are among the most sophisticated tech users, and yet they were vulnerable to phishing, so the average person is much more likely to be a victim, and security keys eliminate that threat.
I worked for a different sophisticated tech firm. I worked with some of the smartest people I knew. Our security people used to occasionally intentionally phish the employee population as a little test and training exercise. Routinely, 20% or so of the population bought the phish.
Probably the same percentage of smart end users who still have easily crackable passwords. That doesn't include you, though, does it?
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

cbeck wrote: Sun Oct 10, 2021 4:31 pm Have you bought a yubikey to prevent yourself from logging into your money account via a link in an email?
"Are you still upset about the button covers?"

As I wrote earlier in this thread:
Silence Dogood wrote: Wed Jul 14, 2021 8:13 pm Hardware-based two-factor authentication is significantly more secure than SMS-based two-factor authentication. In order to successfully access your account, an attacker would need to have physical possession of your security key. That is not the case for SMS (phishing, SIM-swap, MITM).

(It's also more convenient than SMS - no fussing with codes.)

It stinks that it's yet another cost (purchasing a few Yubikeys), but I just consider it to be an unfortunate reality of the world that we live in. It would be nice if door locks weren't necessary either (and compared to a typical door lock, a Yubikey is like Fort Knox).
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

Does the new Vanguard mobile app still basically bypass Yubikey authentication?

I am waiting for a Black Friday deal on Yubikeys before I buy anything, but if the mobile app basically doesn't require Yubikey, then really what is the point?
hudson
Posts: 7119
Joined: Fri Apr 06, 2007 9:15 am

Re: Yubikey only at Vanguard now possible.

Post by hudson »

anon_investor wrote: Mon Oct 11, 2021 8:22 am Does the new Vanguard mobile app still basically bypass Yubikey authentication?

I am waiting for a Black Friday deal on Yubikeys before I buy anything, but if the mobile app basically doesn't require Yubikey, then really what is the point?
How can a hacker use a mobile app to get into one’s account?
For my phone, he would need my face or my code.
For my phone number for 2FA, I use a Google Voice number which sometimes works and sometimes does not. Since I mostly use a computer with a Yubikey, I never use 2FA.
riverant
Posts: 1073
Joined: Tue May 04, 2021 6:51 am

Re: Yubikey only at Vanguard now possible.

Post by riverant »

hudson wrote: Mon Oct 11, 2021 8:51 am
anon_investor wrote: Mon Oct 11, 2021 8:22 am Does the new Vanguard mobile app still basically bypass Yubikey authentication?

I am waiting for a Black Friday deal on Yubikeys before I buy anything, but if the mobile app basically doesn't require Yubikey, then really what is the point?
How can a hacker use a mobile app to get into one’s account?
For my phone, he would need my face or my code.
For my phone number for 2FA, I use a Google Voice number which sometimes works and sometimes does not. Since I mostly use a computer with a Yubikey, I never use 2FA.
All my iOS apps let me bypass the yubikey by default if FaceID is enabled. It's possible on Vanguard to disable faceID and require a password and yubikey with every login. Perhaps some would find it ideal to allow faceID but still require a yubikey.

I think it comes down to what you're protecting against. If it's online phishing schemes, faceID seems like it would prevent those. If you're protecting against a mugger stealing your phone, restraining you, and logging in with your face...maybe a yubikey or memorized password would help. My guess is if that extremely unlikely event got that far, you'd be persuaded to log in yourself. If you want the utmost security, I'd only access financial accounts from a home computer with a yubikey.
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

hudson wrote: Mon Oct 11, 2021 8:51 am How can a hacker use a mobile app to get into one’s account?
For my phone, he would need my face or my code.
For my phone number for 2FA, I use a Google Voice number which sometimes works and sometimes does not. Since I mostly use a computer with a Yubikey, I never use 2FA.
TJat wrote: Mon Oct 11, 2021 9:26 am All my iOS apps let me bypass the yubikey by default if FaceID is enabled. It's possible on Vanguard to disable faceID and require a password and yubikey with every login. Perhaps some would find it ideal to allow faceID but still require a yubikey.

I think it comes down to what you're protecting against. If it's online phishing schemes, faceID seems like it would prevent those. If you're protecting against a mugger stealing your phone, restraining you, and logging in with your face...maybe a yubikey or memorized password would help. My guess is if that extremely unlikely event got that far, you'd be persuaded to log in yourself. If you want the utmost security, I'd only access financial accounts from a home computer with a yubikey.
This issue is a non-issue if only a secured Google Voice number is used for 2FA (I have this in place), instead of a cell phone. At least with the prior iterations of the Vanguard mobile app, someone trying to access your vanguard account with user name/password (for example stolen via phishing scam, etc.) on an unrecognized mobile device would be prompted with only the SMS 2FA (even if the account was secured by a Yubikey). This has nothing to do with how you would secure your own Vanguard mobile app via biometrics (finger print or faceID).

This "bug" of defaulting to SMS 2FA for the Vanguard mobile app essentially renders the protection of Yubikey irrelevant. I know that the Vanguard mobile app (at least on Android) has recently been updated to a new UI; I am wondering if it works the same way.
mptfan
Posts: 7218
Joined: Mon Mar 05, 2007 8:58 am

Re: Yubikey only at Vanguard now possible.

Post by mptfan »

anon_investor wrote: Mon Oct 11, 2021 9:54 am This "bug" of defaulting to SMS 2FA for the Vanguard mobile app essentially renders the protection of Yubikey irrelevant.
Not true. It's true that defaulting to SMS does significantly weaken the protection, but it's not irrelevant because a security key still protects you from logging in to a fake site.
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

mptfan wrote: Mon Oct 11, 2021 2:18 pm
anon_investor wrote: Mon Oct 11, 2021 9:54 am This "bug" of defaulting to SMS 2FA for the Vanguard mobile app essentially renders the protection of Yubikey irrelevant.
Not true. It's true that defaulting to SMS does significantly weaken the protection, but it's not irrelevant because a security key still protects you from logging in to a fake site.
I guess there is that, but it seems like incomplete protection, like locking your front door with a deadbolt but only using a flimsy door knob lock on your backdoor...
davebo
Posts: 1133
Joined: Tue Dec 16, 2008 11:02 pm

Re: Yubikey only at Vanguard now possible.

Post by davebo »

Is a Yubikey significantly more secure than using something like Google Authenticator?

I typically use Super Strong Password (generated by Lastpass) + Google Authenticator on any site that allows it.
riverant
Posts: 1073
Joined: Tue May 04, 2021 6:51 am

Re: Yubikey only at Vanguard now possible.

Post by riverant »

davebo wrote: Mon Oct 11, 2021 5:17 pm Is a Yubikey significantly more secure than using something like Google Authenticator?

I typically use Super Strong Password (generated by Lastpass) + Google Authenticator on any site that allows it.
It protects against a man in the middle attack. For instance, you click on a vanguard link in your email that brings you to a fake but realistic looking vanguard page. Type in your credentials (script types it in at vanguard), fake site asks for google code, vanguard asks phisher for google code. You type it in, they automatically type it in and voila, are logged in.

That’s considered impossible to happen with a security key.
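The relay just described, and the origin binding behind Silence Dogood's earlier point that an attacker would need the key itself, as an added Python simulation that is not part of this thread: a TOTP code carries nothing about the page it was typed into, while a FIDO assertion carries the origin the browser saw and is signed with a key scoped to the site's rpId. The origins, the HMAC stand-in for the signing key and the helper names are all assumptions of this example.

```python
"""Constructed simulation. HMAC-SHA256 stands in for the authenticator's
per-site signing key (real FIDO2 uses an asymmetric key pair per site);
the origins below are made up and the helper names are this example's own."""
import hashlib, hmac, json, secrets, struct

REAL_ORIGIN = "https://investor.example"        # constructed stand-in for the real site
FAKE_ORIGIN = "https://investor-login.example"  # constructed phishing origin

def rp_id_of(origin: str) -> str:
    return origin.split("://", 1)[1]

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the code depends only on the secret and the time."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def rp_verify_totp(secret: bytes, code: str, t: int) -> bool:
    # Nothing records where the user typed the code, so a relayed one verifies.
    return hmac.compare_digest(totp(secret, t), code)

class Authenticator:
    """Holds one credential per relying-party ID (rpId)."""
    def __init__(self):
        self.keys = {}
    def register(self, rp_id: str) -> bytes:
        self.keys[rp_id] = secrets.token_bytes(32)
        return self.keys[rp_id]     # stands in for the public key the site stores
    def get_assertion(self, rp_id: str, client_data: bytes):
        key = self.keys.get(rp_id)
        if key is None:             # no credential scoped to this rpId
            return None
        auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
        signed = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(key, signed, hashlib.sha256).digest()

def browser_sign_in(auth: Authenticator, page_origin: str, challenge: str):
    """The browser, not the user, records the origin and derives rpId from it."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    return client_data, auth.get_assertion(rp_id_of(page_origin), client_data)

def rp_verify_assertion(rp_key: bytes, challenge: str, client_data: bytes,
                        assertion) -> bool:
    if assertion is None:
        return False
    cd = json.loads(client_data)
    if cd.get("origin") != REAL_ORIGIN or cd.get("challenge") != challenge:
        return False                # origin binding rejects a relayed assertion
    auth_data, sig = assertion
    if auth_data != hashlib.sha256(rp_id_of(REAL_ORIGIN).encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(rp_key, signed, hashlib.sha256).digest(), sig)

def demo(t: int = 1_700_000_000):
    """Returns (relayed TOTP accepted, relayed FIDO accepted, genuine FIDO accepted)."""
    secret, auth = secrets.token_bytes(20), Authenticator()
    rp_key = auth.register(rp_id_of(REAL_ORIGIN))
    challenge = secrets.token_urlsafe(32)   # issued by the real site, forwarded by the fake page
    relayed_totp = rp_verify_totp(secret, totp(secret, t), t)   # victim typed it on the fake page
    relayed_fido = rp_verify_assertion(rp_key, challenge, *browser_sign_in(auth, FAKE_ORIGIN, challenge))
    genuine_fido = rp_verify_assertion(rp_key, challenge, *browser_sign_in(auth, REAL_ORIGIN, challenge))
    return relayed_totp, relayed_fido, genuine_fido
```

`demo()` returns `(True, False, True)`: the forwarded TOTP code is accepted, the sign-in attempt from the fake origin never even yields an assertion for the real site's rpId, and a genuine sign-in succeeds.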
mptfan
Posts: 7218
Joined: Mon Mar 05, 2007 8:58 am

Re: Yubikey only at Vanguard now possible.

Post by mptfan »

davebo wrote: Mon Oct 11, 2021 5:17 pm Is a Yubikey significantly more secure than using something like Google Authenticator?
Yes.
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

TJat wrote: Mon Oct 11, 2021 6:28 pm
davebo wrote: Mon Oct 11, 2021 5:17 pm Is a Yubikey significantly more secure than using something like Google Authenticator?

I typically use Super Strong Password (generated by Lastpass) + Google Authenticator on any site that allows it.
It protects against a man in the middle attack. For instance, you click on a vanguard link in your email that brings you to a fake but realistic looking vanguard page. Type in your credentials (script types it in at vanguard), fake site asks for google code, vanguard asks phisher for google code. You type it in, they automatically type it in and voila, are logged in.

That’s considered impossible to happen with a security key.
What about one of those apps that only work when the website pings the app and you have to acknowledge the attempted login?
HawkeyePierce
Posts: 2351
Joined: Tue Mar 05, 2019 9:29 pm
Location: Colorado

Re: Yubikey only at Vanguard now possible.

Post by HawkeyePierce »

Second Round wrote: Sun Oct 10, 2021 10:34 am
HawkeyePierce wrote: Sat Oct 09, 2021 10:44 pm A mobile phone is far more secure than a PC.
That's pretty much the opposite of my understanding.

How hard is it to lose a desktop PC?
How strong are lock screen passwords on phones versus user account passwords on PCs?
How many times have malicious apps been discovered in one app store or another? Or apps that take great liberty with permissions (from mic and camera to GPS, clipboard, and address book)
Are not phones by nature subject to wifi sniffing and bluetooth vulnerabilities? [Laptops are too of course, but not necessarily desktop PCs using ethernet]
User control of background processes (or even knowledge of them)?

On average, I really don't think it's a contest either, but I think it goes the other way. But there is no doubt some overlap - some may be able to lock down their phone well and others may run their PCs as passwordless root all the time. But that's not the typical case.

I'm curious - what features on a desktop PC do you think are less secure than a phone?
Phones—at least any modern Android or iPhone—are fully encrypted. Losing the device does not risk your data.

Cracking an iOS passcode is nearly impossible unless you have NSA-level resources.

Apps abusing device privileges does not risk your data in another app.

Wifi sniffing doesn't matter, the connection between your app and Vanguard is encrypted end-to-end.

As for PCs...

Windows does not encrypt disks by default. Apple only started doing so a few years ago.

PC browsers are generally less secure than mobile browsers, due to the shady nature of browser extensions.

Application sandboxing is far, far weaker in either Windows or Mac OS than either Android or iOS, though improvements have been made.
cflannagan
Posts: 1208
Joined: Sun Oct 21, 2007 11:44 am
Location: Working Remotely

Re: Yubikey only at Vanguard now possible.

Post by cflannagan »

HawkeyePierce wrote: Mon Oct 11, 2021 6:47 pm Phones—at least any modern Android or iPhone—are fully encrypted. Losing the device does not risk your data.

Cracking an iOS passcode is nearly impossible unless you have NSA-level resources.

Apps abusing device privileges does not risk your data in another app.

Wifi sniffing doesn't matter, the connection between your app and Vanguard is encrypted end-to-end.
I know you're strictly comparing phones and PCs but phones also are at risk of a sim-swapping hack https://en.wikipedia.org/wiki/SIM_swap_scam

If a person is targeted by a sim-swapping hack, Yubikey would be useless for accounts where 2FA with Yubikey is enabled, but 2FA with SMS cannot be disabled.
HawkeyePierce
Posts: 2351
Joined: Tue Mar 05, 2019 9:29 pm
Location: Colorado

Re: Yubikey only at Vanguard now possible.

Post by HawkeyePierce »

cflannagan wrote: Mon Oct 11, 2021 7:00 pm
HawkeyePierce wrote: Mon Oct 11, 2021 6:47 pm Phones—at least any modern Android or iPhone—are fully encrypted. Losing the device does not risk your data.

Cracking an iOS passcode is nearly impossible unless you have NSA-level resources.

Apps abusing device privileges does not risk your data in another app.

Wifi sniffing doesn't matter, the connection between your app and Vanguard is encrypted end-to-end.
I know you're strictly comparing phones and PCs but phones also are at risk of a sim-swapping hack https://en.wikipedia.org/wiki/SIM_swap_scam

If a person is targeted by a sim-swapping hack, Yubikey would be useless for accounts where 2FA with Yubikey is enabled, but 2FA with SMS cannot be disabled.
That is true, but has nothing to do with the security of the phone. Nothing on the device is at risk due to sim swapping.
gdl9988
Posts: 2
Joined: Mon Jan 08, 2018 1:36 pm

Re: Yubikey only at Vanguard now possible.

Post by gdl9988 »

I tried to disable SMS at Vanguard after installing 2 Yubikeys but was not able to. In addition to several IRAs and a taxable account I have a Vanguard linked 401k. Unfortunately I was told any account with a linked non-retail account such as a 401K cannot disable SMS.

Gary
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

Does anyone know if this new USB C Yubikey works with Vanguard?

Yubico FIDO Security Key C NFC:
https://www.amazon.com/dp/B09HJBL6F3
riverant
Posts: 1073
Joined: Tue May 04, 2021 6:51 am

Re: Yubikey only at Vanguard now possible.

Post by riverant »

anon_investor wrote: Sat Nov 06, 2021 7:36 am Does anyone know if this new USB C Yubikey works with Vanguard?

Yubico FIDO Security Key C NFC:
https://www.amazon.com/dp/B09HJBL6F3
It does. I have that one and the nano usb. To my knowledge, the only modern yubikey that vanguard does not support is the 5CI. They claim it’s because that is a “mobile” key.