Yubikey only at Vanguard now possible.
Re: Yubikey only at Vanguard now possible.
On the VG website login, if the "public computer" box is checked, the Yubikey is always required, even on my home laptop.
My Google account including Gmail is secured by my YubiKey, but I am sure there is a workaround without the YK, using codes, trusted device or whatever.
Re: Yubikey only at Vanguard now possible.
ThereAreNoGurus wrote: ↑Wed Jul 21, 2021 12:41 pm
I'm less considered about these problems than whether VG has overlooked or neglected security procedures elsewhere that would leave their systems and databases vulnerable to attacks. So yeah, these simple and persisting screw-ups are quite disconcerting. (I'm sure you're thinking same.)

Exactly.
Re: Yubikey only at Vanguard now possible.
OK, I'm completely new to keys. I promised I'd report my experience.
I just registered both my Yubicos and disabled SMS security codes. Yes, I had a "Disable" link.
The Yubicos work great. From a web perspective, all looks cool. But the discussion on the previous page about allowing SMS recovery of any number via the mobile app is extremely concerning. I mean, by disabling SMS, did I actually make the mobile entry easier for a hacker?
I don't know. I have no need for mobile and never used it. But I realize someone could pose as me if they knew my username. I wish I could just have a setting saying "no mobile access."
I'm finding all these reports very disconcerting.
Re: Yubikey only at Vanguard now possible.
Tubes wrote: ↑Wed Jul 21, 2021 2:24 pm
OK, I'm completely new to keys. I promised I'd report my experience.
I just registered both my Yubicos and disabled SMS security codes. Yes, I had a "Disable" link.
The Yubicos work great. From a web perspective, all looks cool. But the discussion on the previous page about allowing SMS recovery of any number via the mobile app is extremely concerning. I mean, by disabling SMS, did I actually make the mobile entry easier for a hacker?
I don't know. I have no need for mobile and never used it. But I realize someone could pose as me if they knew my username. I wish I could just have a setting saying "no mobile access."
I'm finding all these reports very disconcerting.

I have some accounts at Fidelity, but not much money there. I signed up yesterday to use the Symantec VIP authenticator app at Fidelity. After sign up, there was no option to use SMS for web access. And I was able to disable SMS.
And I downloaded/tried the Fidelity mobile app today. It asked for the authenticator code and did not give me any other options (e.g., SMS) to log in.
Symantec VIP also has a token I can buy (e.g., on Amazon) rather than using the phone app. I'm pretty sure this would work with Fidelity too. https://www.amazon.com/Symantec-VIP-Har ... 876&sr=8-1
Nice!
Re: Yubikey only at Vanguard now possible.
How does a Token work?
Marty....don't go to the year 2020....Dr. Emmett Brown
Re: Yubikey only at Vanguard now possible.
Same as the phone app. There is an ID number identifying the token (as there is for the app--each download of the app has its own ID number) that you register with Fidelity, and the token provides a new code every 30 (I believe) seconds (just like the app). See photos on the Amazon link.
More secure than a phone, especially if you use only at home. I would just leave it in my desk.
In the old days (10+ years ago) I used a token for VPN access. The battery runs for a very long time (years), and then you buy a new one.
P.S., I'm guessing this would work at Fidelity, but am not 100% sure. There is also a credit card size version. https://www.amazon.com/FEITIAN-Technolo ... G4H1&psc=1
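The mechanism described above (a token ID registered with the site, a fresh code every 30 seconds, the same code on the phone app) is what an RFC 6238 time-based one-time password does; the block below is an added example, not code from the post or from Symantec VIP, and it assumes an RFC 6238-style token (HMAC-SHA1, 30-second steps, 6 digits) using the RFC's published test seed rather than any real credential. It shows both sides: the code the token displays at a given time, and the server's check, which tolerates one step of clock drift but rejects the same code a few minutes later.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Shared seed from RFC 6238 Appendix B (ASCII "12345678901234567890").
# A real token ships with its own per-device seed tied to the token ID you
# register; this one is a published test vector, not a real credential.
RFC6238_SEED = b"12345678901234567890"

TIME_STEP = 30  # seconds per code, the "new code every 30 seconds" from the post
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def time_step(at: float, step: int = TIME_STEP) -> int:
    """Counter for a given Unix time: whole steps elapsed since the epoch."""
    return int(at) // step


def totp(seed: bytes, at: Optional[float] = None, step: int = TIME_STEP) -> str:
    """What the token (or the app) displays at time `at` (now, if omitted)."""
    if at is None:
        at = time.time()
    return hotp(seed, time_step(at, step))


def seconds_remaining(at: float, step: int = TIME_STEP) -> int:
    """How long the code displayed at `at` stays current."""
    return step - (int(at) % step)


def verify_totp(seed: bytes, submitted: str, at: Optional[float] = None,
                step: int = TIME_STEP, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either
    side to absorb clock drift, comparing in constant time. A code from
    outside that window (for example one captured and replayed minutes
    later) is rejected."""
    if at is None:
        at = time.time()
    current = time_step(at, step)
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(seed, counter), submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test times; the RFC's 8-digit SHA-1 vectors end in these 6 digits.
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC6238_SEED, at=t), f"(valid {seconds_remaining(t)}s more)")
    code = totp(RFC6238_SEED, at=59)
    print(verify_totp(RFC6238_SEED, code, at=88))   # adjacent step: accepted
    print(verify_totp(RFC6238_SEED, code, at=150))  # three steps later: rejected
```

The seed is the entire secret: an enrollment QR code, screenshot or printout of it is equivalent to a copy of the token and needs the same physical protection.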
Re: Yubikey only at Vanguard now possible.
Tubes wrote: ↑Wed Jul 21, 2021 2:24 pm
OK, I'm completely new to keys. I promised I'd report my experience.
I just registered both my Yubicos and disabled SMS security codes. Yes, I had a "Disable" link.
The Yubicos work great. From a web perspective, all looks cool. But the discussion on the previous page about allowing SMS recovery of any number via the mobile app is extremely concerning. I mean, by disabling SMS, did I actually make the mobile entry easier for a hacker?
I don't know. I have no need for mobile and never used it. But I realize someone could pose as me if they knew my username. I wish I could just have a setting saying "no mobile access."
I'm finding all these reports very disconcerting.

I'm not seeing a disable SMS link. Would I need to unregister keys and re-register?
Thank you.
Re: Yubikey only at Vanguard now possible.
nifty-thrifty wrote: ↑Wed Jul 21, 2021 4:53 pm
I'm not seeing a disable SMS link. Would I need to unregister keys and re-register?
Thank you.

From the various messages above the conclusion is that you will either see "disable" or a lock icon. If you see a lock icon you cannot disable SMS codes without disabling the key(s). And you can't re-register the keys without turning on SMS codes.
It's unclear why some see "Disable" and some don't. See above for details.
Re: Yubikey only at Vanguard now possible.
nifty-thrifty wrote: ↑Wed Jul 21, 2021 4:53 pm
I'm not seeing a disable SMS link. Would I need to unregister keys and re-register?
Thank you.
cowdogman wrote: ↑Wed Jul 21, 2021 5:59 pm
From the various messages above the conclusion is that you will either see "disable" or a lock icon. If you see a lock icon you cannot disable SMS codes without disabling the key(s). And you can't re-register the keys without turning on SMS codes.
It's unclear why some see "Disable" and some don't. See above for details.

Thank you, I got excited for a second when I saw posts from other people and ran for my keys to delete and reinstall, but got the same experience as you and others (round and round). No go!! That's too bad that Vanguard can't see the vulnerability here.
Re: Yubikey only at Vanguard now possible.
criticalmass wrote: ↑Sun Jul 18, 2021 4:16 pm
Yes, Vanguard allows you to disable SMS validation codes. Yes, Vanguard allows Yubikey enrolled accounts to get SMS re-enabled WITHOUT logging in via the Yubikey, e.g. by downloading the mobile app or just requesting to enable SMS validation because the Yubikey isn't available at the moment, etc. That is the loophole which destroys Vanguard's secure token/Yubikey authentication model.
Silence Dogood wrote: ↑Tue Jul 20, 2021 6:27 pm
criticalmass,
On the second point, isn't that the main issue discussed in this thread? Is Vanguard allowing users to turn off SMS codes and gain website access by a key alone? Or is Vanguard continuing to give the user (or a hacker) the ability to use/reactivate SMS codes without needing the key to do so? If it's the latter, then the key is worthless--why even bother with a key? That's the issue being discussed in this thread.
To clarify, some of us (myself included) are now able to disable security codes (SMS) completely.
(As in, the loophole has been, thankfully, closed for us.)
criticalmass wrote: ↑Tue Jul 20, 2021 11:34 pm
Sounds good. I can also disable security codes completely, but attempts to login again provide an option to re-enable the SMS verification codes.
If you attempt to login with the Vanguard mobile app after disabling SMS verification codes, does it allow you to re-enable SMS verification like it does for me?
Silence Dogood wrote: ↑Wed Jul 21, 2021 11:49 am
When I sign in using a web browser, I do not see any option to use a security code (SMS) as a backup (I looked carefully for it).
However, I just downloaded the mobile app to test this out...
Disappointingly, when I attempt to sign in, it prompts me to re-enable security codes. There is a drop-down menu that shows my phone number and another option that actually allows me to enter a new phone number to send a security code to. I did not actually go ahead and test that out, but presumably an attacker could actually enter any phone number and use that to get in.
In summary, the website works as expected/desired, but the mobile app has a serious security flaw. Ideally, the mobile apps would work with security keys, but in the meantime, the apps should simply not allow sign in at all (similar to how one can restrict access to recognized devices only).
Also, a feature that is missing for the security keys is the ability to require a security key with every log in - regardless of whether or not the device is recognized. This is currently a feature for the security codes (found under the "frequency" option).

Interestingly, I am always prompted for the security key on a browser. I didn't know that it might not if the browser is "recognized," but I will see if there is a way to force it to recognize. If there is, that is not good... a security key is more secure than a browser cookie to "remember" you logged in before... hopefully.
Re: Yubikey only at Vanguard now possible.
So how secure is the option for "only allow login from a recognized device"?
"The best tools available to us are shovels, not scalpels. Don't get carried away." - vanBogle59
Re: Yubikey only at Vanguard now possible.
Silence Dogood wrote: ↑Wed Jul 21, 2021 11:49 am
Also, a feature that is missing for the security keys is the ability to require a security key with every log in - regardless of whether or not the device is recognized. This is currently a feature for the security codes (found under the "frequency" option).
criticalmass wrote: ↑Wed Jul 21, 2021 11:07 pm
Interestingly, I am always prompted for the security key on a browser. I didn't know that it might not if the browser is "recognized," but I will see if there is a way to force it to recognize. If there is, that is not good... a security key is more secure than a browser cookie to "remember" you logged in before... hopefully.

Apparently the security key is required every time - which is good news.
For some reason, Vanguard asks if the device is private/public, but the answer has no effect.
See this thread:
Silence Dogood wrote: ↑Wed Jul 21, 2021 3:54 pm
Just to make sure that I understand this correctly, now when you sign in from your recognized device, you are no longer asked whether or not you are using a private/public device, yet you are still required to use the security key?
If so, that's good.
(But then why does Vanguard bother to ask whether the device is private/public in the first place..?)
Tubes wrote: ↑Wed Jul 21, 2021 6:10 pm
It provides the two choices, but has no effect! No matter my answer, it requires me to use the key.
Re: Yubikey only at Vanguard now possible.
cowdogman wrote: ↑Wed Jul 21, 2021 4:10 pm
Same as the phone app. There is an ID number identifying the token (as there is for the app--each download of the app has its own ID number) that you register with Fidelity, and the token provides a new code every 30 (I believe) seconds (just like the app). See photos on the Amazon link.
More secure than a phone, especially if you use only at home. I would just leave it in my desk.
In the old days (10+ years ago) I used a token for VPN access. The battery runs for a very long time (years), and then you buy a new one.
P.S., I'm guessing this would work at Fidelity, but am not 100% sure. There is also a credit card size version. https://www.amazon.com/FEITIAN-Technolo ... G4H1&psc=1

Thank you very much for the reply. I am trying to figure out if Yubikeys work on the Chase Bank site. They refer to "Tokens".
Marty....don't go to the year 2020....Dr. Emmett Brown
Re: Yubikey only at Vanguard now possible.
I have made Vanguard aware of this thread.
Hopefully they will be able to use the feedback here to make improvements.
Re: Yubikey only at Vanguard now possible.
If the mobile app just lets you pick a new phone number to send SMS texts to...
Holy cow...
I am seriously thinking about moving our money. Not joking.
How is Fidelity? What about T Rowe Price?
"The best tools available to us are shovels, not scalpels. Don't get carried away." - vanBogle59
Re: Yubikey only at Vanguard now possible.
If you're serious, not bad. Vanguard isn't all that competitive any more. See the wiki:
-Mutual funds for Bogleheads
-ETFs for Bogleheads
If you do this for real, wait a few days to remove emotion from the equation and think about it in detail. For example, be sure you don't trigger any taxable events due to the transfer. If you still want to proceed, then go for it.
(I don't have any experience with Yubikey. I'm just commenting on the financial part.)
- ThereAreNoGurus
Re: Yubikey only at Vanguard now possible.
Silence Dogood wrote: ↑Fri Jul 23, 2021 5:10 pm
I have made Vanguard aware of this thread.
Hopefully they will be able to use the feedback here to make improvements.

Thanks. Hopefully this thread gets to somebody who cares, understands, and can do something about it... posting here would be great! (Just dreaming)
Trade the news and you will lose.
Re: Yubikey only at Vanguard now possible.
Always good advice from you.. thanks...
No, I would move stuff carefully.
"The best tools available to us are shovels, not scalpels. Don't get carried away." - vanBogle59
Re: Yubikey only at Vanguard now possible.
Totally agree, altho I'm already in discussions with Fidelity--and have already discussed making sure there are no taxable events in the transfer. I plan to move slowly tho.
See my post on Fidelity security above.
Re: Yubikey only at Vanguard now possible.
cowdogman wrote: ↑Sun Jul 18, 2021 10:24 am
On my account, after registering the key, on the SMS codes page instead of a "disable" link there was a lock icon with a hover message saying I needed to remove the security key before I could disable SMS codes.
On my wife's account, after registering the key, there was a "disable" link on the SMS codes page--as the OP reported--and the disable link worked.

Out of curiosity, has this changed for you?
Re: Yubikey only at Vanguard now possible.
cowdogman wrote: ↑Sun Jul 18, 2021 10:24 am
On my account, after registering the key, on the SMS codes page instead of a "disable" link there was a lock icon with a hover message saying I needed to remove the security key before I could disable SMS codes.
On my wife's account, after registering the key, there was a "disable" link on the SMS codes page--as the OP reported--and the disable link worked.
Silence Dogood wrote: ↑Mon Aug 02, 2021 6:38 pm
Out of curiosity, has this changed for you?

No, just checked. Same. Why do you ask?
Re: Yubikey only at Vanguard now possible.
cowdogman wrote: ↑Sun Jul 18, 2021 10:24 am
On my account, after registering the key, on the SMS codes page instead of a "disable" link there was a lock icon with a hover message saying I needed to remove the security key before I could disable SMS codes.
On my wife's account, after registering the key, there was a "disable" link on the SMS codes page--as the OP reported--and the disable link worked.
Silence Dogood wrote: ↑Mon Aug 02, 2021 6:38 pm
Out of curiosity, has this changed for you?
cowdogman wrote: ↑Mon Aug 02, 2021 6:44 pm
No, just checked. Same. Why do you ask?

Thank you for taking the time to check.
I was just curious to see if any changes/improvements were made.
Re: Yubikey only at Vanguard now possible.
As has been noted here, I just discovered as well that getting the Yubikey is not useful at all (not much better than the SMS based 2FA). For one, Safari is not supported for the Secure Key. It almost feels easier to move than have all the (user initiated) workarounds to get Vanguard security to work correctly.
Also, this article refers to the user discontent with Vanguard - not clear if anyone with any level of authority at Vanguard reads or cares about these. Unfortunate really
https://www.inquirer.com/business/vangu ... 10821.html
Re: Yubikey only at Vanguard now possible.
^^^ Comments on that article are in: [Vanguard may remove secure messages, members transitioning out of Vanguard]
Let's stick to Yubikey here.
Re: Yubikey only at Vanguard now possible.
Is that secure against number porting attacks through the phone system?
Re: Yubikey only at Vanguard now possible.
fatcharlie wrote: ↑Mon Aug 23, 2021 4:36 pm
Is that secure against number porting attacks through the phone system?

I'm no security expert, but my understanding (and I'm sure this has been discussed throughout this thread) is that Google Voice is not susceptible to number porting. It's as solid as your google account itself, which can be made secure through use of a Yubikey or authenticator app.
If the Google account is kept secure, the only vulnerability when it comes to Google Voice for 2FA is phishing. Which is why usage of a physical token i.e. Yubikey is still slightly advantageous compared to Google Voice. Supposedly there are lots of smart people out there who have still fallen prey to phishing attacks.
Re: Yubikey only at Vanguard now possible.
rgs wrote: ↑Mon Aug 23, 2021 3:29 pm
As has been noted here, I just discovered as well that getting the Yubikey is not useful at all (not much better than the SMS based 2FA). For one, Safari is not supported for the Secure Key. It almost feels easier to move than have all the (user initiated) workarounds to get Vanguard security to work correctly.

Can you elaborate on your experience?
Did you try using Firefox? After registering your security keys, were you able to disable SMS?
Regarding Vanguard, I'm not looking to make excuses - but I'm also not looking for excuses to complain.
Re: Yubikey only at Vanguard now possible.
FYI I set up a Google voice account today and secured it with Google Authenticator, and disabled SMS for 2FA on the Google Voice account. I then changed my 2FA SMS phone number at Vanguard to the new Google voice number.
So now when I log into Vanguard I enter my username and password and then use my Yubikey. If for some reason I choose the option to not use the Yubikey but to use SMS (which option I am NOT able to disable on my Vanguard account) then the SMS message goes to Google Voice, which automatically sends me an email with the SMS message (that is, the SMS code). My email is secure--it requires an authenticator to get in.
Does the above effectively deal with the SIM swapping concern?
- ThereAreNoGurus
Re: Yubikey only at Vanguard now possible.
fatcharlie wrote: ↑Mon Aug 23, 2021 4:36 pm
Is that secure against number porting attacks through the phone system?
absolute zero wrote: ↑Mon Aug 23, 2021 4:54 pm
I'm no security expert, but my understanding (and I'm sure this has been discussed throughout this thread) is that Google Voice is not susceptible to number porting. It's as solid as your google account itself, which can be made secure through use of a Yubikey or authenticator app.
If the Google account is kept secure, the only vulnerability when it comes to Google Voice for 2FA is phishing. Which is why usage of a physical token i.e. Yubikey is still slightly advantageous compared to Google Voice. Supposedly there are lots of smart people out there who have still fallen prey to phishing attacks.

I got a Google Voice number a while ago, but never made use of it. However, after the T-Mobile debacle and the suggestion here to change the VG Mobile number to a Google Voice number, I will probably do it.
For activity alerts did you switch off all text alerts or do you keep those as a back-up? I realize with Google Voice the text alerts will be delivered to Google voice. Just wondering if there's any advantages or disadvantages, of keeping text alerts, I'm missing, other than possible back-up to email.
Trade the news and you will lose.
Re: Yubikey only at Vanguard now possible.
ThereAreNoGurus wrote: ↑Mon Aug 23, 2021 8:20 pm
I got a Google Voice number a while ago, but never made use of it. However, after the T-Mobile debacle and the suggestion here to change the VG Mobile number to a Google Voice number, I will probably do it.
For activity alerts did you switch off all text alerts or do you keep those as a back-up? I realize with Google Voice the text alerts will be delivered to Google voice. Just wondering if there's any advantages or disadvantages, of keeping text alerts, I'm missing, other than possible back-up to email.

I get text alerts to my Google Voice number. I don't really see any need to though, assuming you already get email alerts and you check your email regularly. I've probably just never been bothered enough to turn off text alerts, since I make transactions pretty infrequently.
- ThereAreNoGurus
Re: Yubikey only at Vanguard now possible.
ThereAreNoGurus wrote: ↑Mon Aug 23, 2021 8:20 pm
I got a Google Voice number a while ago, but never made use of it. However, after the T-Mobile debacle and the suggestion here to change the VG Mobile number to a Google Voice number, I will probably do it.
For activity alerts did you switch off all text alerts or do you keep those as a back-up? I realize with Google Voice the text alerts will be delivered to Google voice. Just wondering if there's any advantages or disadvantages, of keeping text alerts, I'm missing, other than possible back-up to email.
absolute zero wrote: ↑Mon Aug 23, 2021 9:21 pm
I get text alerts to Google Voice number. I don't really see any need to though, assuming you already get email alerts and you check your email regularly. I've probably just never been bothered enough to turn off text alerts, since I make transactions pretty infrequently.

Thanks. I was just wondering whether I was overlooking anything. I seldom have any transactions, but of course we want the alerts in case the account is tampered with. So I guess the text alerts can act as backup if for some reason email is not working... Murphy's Law and all that.
Trade the news and you will lose.
Re: Yubikey only at Vanguard now possible.
Google voice is doing away with text forwarding soon. If you get a new google voice text forwarding is disabled by default. Everything will be sent to your gmail.
- ThereAreNoGurus
Re: Yubikey only at Vanguard now possible.
Thx. That's good to know.
Trade the news and you will lose.
Re: Yubikey only at Vanguard now possible.
cowdogman wrote: ↑Mon Aug 23, 2021 7:52 pm
FYI I set up a Google voice account today and secured it with Google Authenticator, and disabled SMS for 2FA on the Google Voice account. I then changed my 2FA SMS phone number at Vanguard to the new Google voice number.
So now when I log into Vanguard I enter my username and password and then use my Yubikey. If for some reason I choose the option to not use the Yubikey but to use SMS (which option I am NOT able to disable on my Vanguard account) then the SMS message goes to Google Voice, which automatically sends me an email with the SMS message (that is, the SMS code). My email is secure--it requires an authenticator to get in.
Does the above effectively deal with the SIM swapping concern?

I like it... Can you use the Yubikey for your Google account instead of Google Authenticator?
"The best tools available to us are shovels, not scalpels. Don't get carried away." - vanBogle59
- ThereAreNoGurus
Re: Yubikey only at Vanguard now possible.
cowdogman wrote: ↑Mon Aug 23, 2021 7:52 pm
FYI I set up a Google voice account today and secured it with Google Authenticator, and disabled SMS for 2FA on the Google Voice account. I then changed my 2FA SMS phone number at Vanguard to the new Google voice number.
So now when I log into Vanguard I enter my username and password and then use my Yubikey. If for some reason I choose the option to not use the Yubikey but to use SMS (which option I am NOT able to disable on my Vanguard account) then the SMS message goes to Google Voice, which automatically sends me an email with the SMS message (that is, the SMS code). My email is secure--it requires an authenticator to get in.
Does the above effectively deal with the SIM swapping concern?
HomerJ wrote: ↑Tue Aug 24, 2021 12:32 am
I like it... Can you use the Yubikey for your Google account instead of Google Authenticator?

https://www.yubico.com/works-with-yubik ... -accounts/
Trade the news and you will lose.
Re: Yubikey only at Vanguard now possible.
Or you could just install the Google Voice app on your phone and all incoming texts will show up like a text message. Not sure I understand the point in forwarding texts to a different number. The Google Voice app is great.
Re: Yubikey only at Vanguard now possible.
rgs wrote: ↑Mon Aug 23, 2021 3:29 pm
As has been noted here, I just discovered as well that getting the Yubikey is not useful at all (not much better than the SMS based 2FA). For one, Safari is not supported for the Secure Key. It almost feels easier to move than have all the (user initiated) workarounds to get Vanguard security to work correctly.
Silence Dogood wrote: ↑Mon Aug 23, 2021 7:39 pm
Can you elaborate on your experience?
Did you try using Firefox? After registering your security keys, were you able to disable SMS?
Regarding Vanguard, I'm not looking to make excuses - but I'm also not looking for excuses to complain.

Yes, tried it with Firefox and that works (as one would expect). Have not attempted to disable SMS yet, need to set up the backup first.
Re "I'm also not looking for excuses to complain" - I am not sure why you get the impression that any of us are looking "for excuses to complain". Most if not all of the comments here have been objective, and personally I have been with VG for over 20 years. I have liked them as a company and their products have been (and continue to be) great and have served us well. But that said, when there are deficiencies (esp. where security is concerned) it behooves us to point this out.
Re: Yubikey only at Vanguard now possible.
cowdogman wrote: ↑Mon Aug 23, 2021 7:52 pm
FYI I set up a Google voice account today and secured it with Google Authenticator, and disabled SMS for 2FA on the Google Voice account. I then changed my 2FA SMS phone number at Vanguard to the new Google voice number.
So now when I log into Vanguard I enter my username and password and then use my Yubikey. If for some reason I choose the option to not use the Yubikey but to use SMS (which option I am NOT able to disable on my Vanguard account) then the SMS message goes to Google Voice, which automatically sends me an email with the SMS message (that is, the SMS code). My email is secure--it requires an authenticator to get in.
Does the above effectively deal with the SIM swapping concern?
HomerJ wrote: ↑Tue Aug 24, 2021 12:32 am
I like it... Can you use the Yubikey for your Google account instead of Google Authenticator?

Yes, I believe so, but I chose the authenticator in case I need to access Google Voice away from home or over my phone.
Re: Yubikey only at Vanguard now possible.
Not necessarily Gmail. You can set up a Google account with a non-Gmail email address. You can't use Gmail with a non-Gmail email address (of course) but you can use the other Google services, like Google Voice.
I used a non-Gmail address for my Google account, so all Google Voice texts get sent to my non-Gmail email.
- ThereAreNoGurus
Re: Yubikey only at Vanguard now possible.
cowdogman wrote: ↑Tue Aug 24, 2021 10:13 am
Not necessarily Gmail. You can set up a Google account with a non-Gmail email address. You can't use Gmail with a non-Gmail email address (of course) but you can use the other Google services, like Google Voice.
I used a non-Gmail address for my Google account, so all Google Voice texts get sent to my non-Gmail email.

Before doing a search, I noticed the only way to change one's email associated with Google Voice (within Google Voice) is to click the Legacy option and do it from there. However GV Legacy is supposedly going to be discontinued some day.
After doing a search, I learned, within one's Gmail account, one can create a filter and then forward only those messages that meet the filter's criteria.
Trade the news and you will lose.
Re: Yubikey only at Vanguard now possible.
cowdogman wrote: ↑Mon Aug 23, 2021 7:52 pm
FYI I set up a Google voice account today and secured it with Google Authenticator, and disabled SMS for 2FA on the Google Voice account. I then changed my 2FA SMS phone number at Vanguard to the new Google voice number.
So now when I log into Vanguard I enter my username and password and then use my Yubikey. If for some reason I choose the option to not use the Yubikey but to use SMS (which option I am NOT able to disable on my Vanguard account) then the SMS message goes to Google Voice, which automatically sends me an email with the SMS message (that is, the SMS code). My email is secure--it requires an authenticator to get in.
Does the above effectively deal with the SIM swapping concern?

Yes. This is the way.
I would only add that you should remove any "recovery email" address you have allowed for the gmail account you're using with the google voice number unless you also control the recovery email address with an authenticator code as the only 2-step verification option.
“If you can get good at destroying your own wrong ideas, that is a great gift.” – Charlie Munger
Re: Yubikey only at Vanguard now possible.
cowdogman wrote: ↑Mon Aug 23, 2021 7:52 pm
FYI I set up a Google voice account today and secured it with Google Authenticator, and disabled SMS for 2FA on the Google Voice account. I then changed my 2FA SMS phone number at Vanguard to the new Google voice number.
So now when I log into Vanguard I enter my username and password and then use my Yubikey. If for some reason I choose the option to not use the Yubikey but to use SMS (which option I am NOT able to disable on my Vanguard account) then the SMS message goes to Google Voice, which automatically sends me an email with the SMS message (that is, the SMS code). My email is secure--it requires an authenticator to get in.
Does the above effectively deal with the SIM swapping concern?
Rowan Oak wrote: ↑Tue Aug 24, 2021 1:34 pm
Yes. This is the way.
I would only add that you should remove any "recovery email" address you have allowed for the gmail account you're using with the google voice number unless you also control the recovery email address with an authenticator code as the only 2-step verification option.

How do you handle recovery then? If your phone breaks or you lose it for instance?
"The best tools available to us are shovels, not scalpels. Don't get carried away." - vanBogle59
Re: Yubikey only at Vanguard now possible.
You can take a screenshot of the QR code and/or print it out; then you can scan that QR code from the saved screenshot or the printed copy any time you need to set up an authenticator app again on a new device, or on the same device for any reason.
HomerJ wrote: ↑Tue Aug 24, 2021 2:23 pm
How do you handle recovery then? If your phone breaks or you lose it, for instance?
Rowan Oak wrote: ↑Tue Aug 24, 2021 1:34 pm
Yes. This is the way.
cowdogman wrote: ↑Mon Aug 23, 2021 7:52 pm
FYI I set up a Google Voice account today and secured it with Google Authenticator, and disabled SMS for 2FA on the Google Voice account. I then changed my 2FA SMS phone number at Vanguard to the new Google Voice number.
So now when I log into Vanguard I enter my username and password and then use my Yubikey. If for some reason I choose the option to not use the Yubikey but to use SMS (which option I am NOT able to disable on my Vanguard account) then the SMS message goes to Google Voice, which automatically sends me an email with the SMS message (that is, the SMS code). My email is secure--it requires an authenticator to get in.
Does the above effectively deal with the SIM swapping concern?
I would only add that you should remove any "recovery email" address you have allowed for the gmail account you're using with the google voice number unless you also control the recovery email address with an authenticator code as the only 2-step verification option.
You can also save the text version of the QR code, which will allow you to manually set up an authenticator app without scanning the QR code.
Gmail also has the option to use a set of "backup codes". These can only be used once each and I think there are 10 (you can generate new codes when necessary). These can be printed or downloaded and you can use these codes to get back into your gmail account to reset the authenticator codes with a new QR code.
I choose to print a few copies and keep them in different locations. I also handwrite the backup codes and the text version of the QR code. I never save passwords, QR codes, etc. to a computer or online backup service.
“If you can get good at destroying your own wrong ideas, that is a great gift.” – Charlie Munger
- ThereAreNoGurus
- Posts: 970
- Joined: Fri Jan 24, 2014 10:41 pm
Re: Yubikey only at Vanguard now possible.
I use backup codes and store them encrypted on flash drives. No hacker will get to them. Also, when getting the backup codes from Google, they provide a URL you can visit to get more codes if you want.
Rowan Oak wrote: ↑Tue Aug 24, 2021 3:41 pm
Gmail also has the option to use a set of "backup codes". These can only be used once each and I think there are 10 (you can generate new codes when necessary). These can be printed or downloaded and you can use these codes to get back into your gmail account to reset the authenticator codes with a new QR code.
I choose to print a few copies and keep them in different locations. I also handwrite the backup codes and the text version of the QR code. I never save passwords, QR codes, etc. to a computer or online backup service.
Trade the news and you will lose.
-
- Posts: 2241
- Joined: Fri Oct 19, 2012 11:24 am
Re: Yubikey only at Vanguard now possible.
It’s not clear to me whether some are forwarding their GV sms messages to a different mobile number to receive the 2fa codes, but that would largely defeat the purpose of using GV. If you forward to a device that could be SIM swapped, you’ve not really protected yourself.
Either log into google and see the text using a browser or use the GV app.
As for recovery, I have the TOTP QR code scanned into 1Password as well as into Google Authenticator, so I can generate codes if needed.
“Doing nothing is better than being busy doing nothing.” – Lao Tzu
Re: Yubikey only at Vanguard now possible.
I use Google Voice for most of my 2FA. The only issue with Google Voice is that there are a few services that don't support sending SMS to a Google Voice number.
-
- Posts: 1660
- Joined: Tue Feb 01, 2011 8:22 pm
Re: Yubikey only at Vanguard now possible.
Please do not take offense. My statement was meant as a clarification (of the course I hope for this thread to stay on - constructive criticism) rather than as an accusation.
rgs wrote: ↑Tue Aug 24, 2021 7:22 am
I'm also not looking for excuses to complain...
Silence Dogood wrote: ↑Mon Aug 23, 2021 7:39 pm
Regarding Vanguard, I'm not looking to make excuses - but I'm also not looking for excuses to complain.
I agree. As I mentioned earlier, I've made Vanguard aware of this thread. Hopefully they will use the feedback in this thread to make improvements.
Re: Yubikey only at Vanguard now possible.
Perhaps because I have 2x gmail accounts, I can't get GV to initialize. I keep getting "something went wrong" error. I tried deleting one of the gmail accounts from my iPhone to no avail.
A google search on this topic wasn't particularly helpful either. If any of you have seen this error and have managed to resolve it, I would be curious on the steps taken. Thanks
Re: Yubikey only at Vanguard now possible.
No, all good - none taken. BTW, once I enable the key, the code is "locked". Been struggling to get GV to work.
Silence Dogood wrote: ↑Tue Aug 24, 2021 4:46 pm
Please do not take offense. My statement was meant as a clarification (of the course I hope for this thread to stay on - constructive criticism) rather than as an accusation.
rgs wrote: ↑Tue Aug 24, 2021 7:22 am
I'm also not looking for excuses to complain...
Silence Dogood wrote: ↑Mon Aug 23, 2021 7:39 pm
Regarding Vanguard, I'm not looking to make excuses - but I'm also not looking for excuses to complain.
I agree. As I mentioned earlier, I've made Vanguard aware of this thread. Hopefully they will use the feedback in this thread to make improvements.
-
- Posts: 1660
- Joined: Tue Feb 01, 2011 8:22 pm
Re: Yubikey only at Vanguard now possible.
Here are the things that Vanguard should fix:
1. Allow all clients to disable SMS after registering their security keys.
Some of us (including myself) are able to do this now.
As I noted earlier in this thread, I think it would be smart for Vanguard to require at least two security keys to be registered before allowing SMS to be disabled.
2. Longer term, the mobile apps should be made to work with security keys. In the meantime, the mobile apps should be disabled for those who've disabled SMS.
This could work in a similar way to how the "restrict access to recognized devices" option currently works.
3. Require the security key for every log in - but stop asking whether or not the device should be recognized.
Apparently Vanguard does require the security key to be used with every log in - which is best practice. However, for whatever reason, Vanguard continues to ask whether or not the device being used is private or public. Whichever option is chosen seems to not have any effect. This is a lower priority issue, since it's more of a design/aesthetic issue, but it should still be fixed.