Yubikey only at Vanguard now possible.

Grasshopper
Posts: 1209
Joined: Sat Oct 09, 2010 3:52 pm

Re: Yubikey only at Vanguard now possible.

Post by Grasshopper »

On the VG website login, if the "public computer" box is checked, the Yubikey is always required, even on my home laptop.

My Google account including Gmail is secured by my YubiKey, but I am sure there is a workaround without the YK, using codes, trusted device or whatever.
cowdogman
Posts: 2070
Joined: Sat Dec 16, 2017 6:44 pm
Location: Washington State

Re: Yubikey only at Vanguard now possible.

Post by cowdogman »

ThereAreNoGurus wrote: Wed Jul 21, 2021 12:41 pm I'm less concerned about these problems than whether VG has overlooked or neglected security procedures elsewhere that would leave their systems and databases vulnerable to attacks. So yeah, these simple and persisting screw-ups are quite disconcerting. (I'm sure you're thinking the same.)
Exactly.
Tubes
Posts: 1881
Joined: Wed Apr 22, 2020 6:33 am

Re: Yubikey only at Vanguard now possible.

Post by Tubes »

OK, I'm completely new to keys. I promised I'd report my experience.

I just registered both my Yubicos and disabled SMS security codes. Yes, I had a "Disable" link.

The Yubicos work great. From a web perspective, all looks cool. But the discussion on the previous page about allowing SMS recovery of any number via the mobile app is extremely concerning. I mean, by disabling SMS, did I actually make the mobile entry easier for a hacker?

I don't know. I have no need for mobile and never used it. But I realize someone could pose as me if they knew my username. I wish I could just have a setting saying "no mobile access."

I'm finding all these reports very disconcerting.
cowdogman
Posts: 2070
Joined: Sat Dec 16, 2017 6:44 pm
Location: Washington State

Re: Yubikey only at Vanguard now possible.

Post by cowdogman »

Tubes wrote: Wed Jul 21, 2021 2:24 pm OK, I'm completely new to keys. I promised I'd report my experience.

I just registered both my Yubicos and disabled SMS security codes. Yes, I had a "Disable" link.

The Yubicos work great. From a web perspective, all looks cool. But the discussion on the previous page about allowing SMS recovery of any number via the mobile app is extremely concerning. I mean, by disabling SMS, did I actually make the mobile entry easier for a hacker?

I don't know. I have no need for mobile and never used it. But I realize someone could pose as me if they knew my username. I wish I could just have a setting saying "no mobile access."

I'm finding all these reports very disconcerting.
I have some accounts at Fidelity, but not much money there. I signed up yesterday to use the Symantec VIP authenticator app at Fidelity. After sign up, there was no option to use SMS for web access. And I was able to disable SMS.

And I downloaded/tried the Fidelity mobile app today. It asked for the authenticator code and did not give me any other options (e.g., SMS) to log in.

Symantec VIP also has a token I can buy (e.g., on Amazon) rather than using the phone app. I'm pretty sure this would work with Fidelity too. https://www.amazon.com/Symantec-VIP-Har ... 876&sr=8-1

Nice!
Marmot
Posts: 592
Joined: Sun Oct 10, 2010 1:44 pm
Location: Phoenix, AZ

Re: Yubikey only at Vanguard now possible.

Post by Marmot »

How does a Token work?
Marty....don't go to the year 2020....Dr. Emmett Brown
cowdogman
Posts: 2070
Joined: Sat Dec 16, 2017 6:44 pm
Location: Washington State

Re: Yubikey only at Vanguard now possible.

Post by cowdogman »

Marmot wrote: Wed Jul 21, 2021 4:03 pm How does a Token work?
Same as the phone app. There is an ID number identifying the token (as there is for the app--each download of the app has its own ID number) that you register with Fidelity, and the token provides a new code every 30 (I believe) seconds (just like the app). See photos on the Amazon link.

More secure than a phone, especially if you use only at home. I would just leave it in my desk.

In the old days (10+ years ago) I used a token for VPN access. The battery runs for a very long time (years), and then you buy a new one.

P.S., I'm guessing this would work at Fidelity, but am not 100% sure. There is also a credit card size version. https://www.amazon.com/FEITIAN-Technolo ... G4H1&psc=1
nifty-thrifty
Posts: 69
Joined: Wed Mar 18, 2020 4:59 pm

Re: Yubikey only at Vanguard now possible.

Post by nifty-thrifty »

Tubes wrote: Wed Jul 21, 2021 2:24 pm OK, I'm completely new to keys. I promised I'd report my experience.

I just registered both my Yubicos and disabled SMS security codes. Yes, I had a "Disable" link.

The Yubicos work great. From a web perspective, all looks cool. But the discussion on the previous page about allowing SMS recovery of any number via the mobile app is extremely concerning. I mean, by disabling SMS, did I actually make the mobile entry easier for a hacker?

I don't know. I have no need for mobile and never used it. But I realize someone could pose as me if they knew my username. I wish I could just have a setting saying "no mobile access."

I'm finding all these reports very disconcerting.
I'm not seeing a disable SMS link. Would I need to unregister keys and re-register ?

Thank you.
cowdogman
Posts: 2070
Joined: Sat Dec 16, 2017 6:44 pm
Location: Washington State

Re: Yubikey only at Vanguard now possible.

Post by cowdogman »

nifty-thrifty wrote: Wed Jul 21, 2021 4:53 pm
I'm not seeing a disable SMS link. Would I need to unregister keys and re-register ?

Thank you.
From the various messages above the conclusion is that you will either see "disable" or a lock icon. If you see a lock icon you cannot disable SMS codes without disabling the key(s). And you can't re-register the keys without turning on SMS codes.

It's unclear why some see "Disable" and some don't. See above for details.
nifty-thrifty
Posts: 69
Joined: Wed Mar 18, 2020 4:59 pm

Re: Yubikey only at Vanguard now possible.

Post by nifty-thrifty »

cowdogman wrote: Wed Jul 21, 2021 5:59 pm
nifty-thrifty wrote: Wed Jul 21, 2021 4:53 pm
I'm not seeing a disable SMS link. Would I need to unregister keys and re-register ?

Thank you.
From the various messages above the conclusion is that you will either see "disable" or a lock icon. If you see a lock icon you cannot disable SMS codes without disabling the key(s). And you can't re-register the keys without turning on SMS codes.

It's unclear why some see "Disable" and some don't. See above for details.
Thank you, I got excited for a second when I saw posts from other people and ran for my keys to delete and reinstall, but got the same experience as you and others (round and round). No go! That's too bad that Vanguard can't see the vulnerability here.
criticalmass
Posts: 2843
Joined: Wed Feb 12, 2014 9:58 pm

Re: Yubikey only at Vanguard now possible.

Post by criticalmass »

Silence Dogood wrote: Wed Jul 21, 2021 11:49 am
criticalmass wrote: Tue Jul 20, 2021 11:34 pm
Silence Dogood wrote: Tue Jul 20, 2021 6:27 pm
criticalmass wrote: Sun Jul 18, 2021 4:16 pm
On the second point, isn't that the main issue discussed in this thread? Is Vanguard allowing users to turn off SMS codes and gain website access by a key alone? Or is Vanguard continuing to give the user (or a hacker) the ability to use/reactivate SMS codes without needing the key to do so? If it's the latter, then the key is worthless--why even bother with a key? That's the issue being discussed in this thread.
Yes, Vanguard allows you to disable SMS validation codes. Yes, Vanguard allows Yubikey enrolled accounts to get SMS re-enabled WITHOUT logging in via the Yubikey, e.g. by downloading the mobile app or just requesting to enable SMS validation because the Yubikey isn't available at the moment, etc. That is the loophole which destroys Vanguard's secure token/Yubikey authentication model.
criticalmass,

To clarify, some of us (myself included) are now able to disable security codes (SMS) completely.

(As in, the loophole has been, thankfully, closed for us.)
Sounds good. I can also disable security codes completely, but attempts to log in again provide an option to re-enable the SMS verification codes.
If you attempt to login with the Vanguard mobile app after disabling SMS verification codes, does it allow you re-enable SMS verification like it does for me?
When I sign in using a web browser, I do not see any option to use a security code (SMS) as a backup (I looked carefully for it).

However, I just downloaded the mobile app to test this out...

Disappointingly, when I attempt to sign in, it prompts me to re-enable security codes. There is a drop-down menu that shows my phone number and another option that actually allows me to enter a new phone number to send a security code to. I did not actually go ahead and test that out, but presumably an attacker could actually enter any phone number and use that to get in.

In summary, the website works as expected/desired, but the mobile app has a serious security flaw. Ideally, the mobile apps would work with security keys, but in the meantime, the apps should simply not allow sign in at all (similar to how one can restrict access to recognized devices only).

Also, a feature that is missing for the security keys is the ability to require a security key with every log in - regardless of whether or not the device is recognized. This is currently a feature for the security codes (found under the "frequency" option).
Interestingly, I am always prompted for the security key on a browser. I didn't know that it might not be if the browser is "recognized," but I will see if there is a way to force it to recognize. If there is, that is not good... a security key is more secure than a browser cookie to "remember" you logged in before... hopefully.
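The problem the two posts above describe is a policy flaw rather than a weakness in the key itself: a fallback path (re-enable SMS codes from the mobile app, optionally to a newly entered number) is reachable from a session that has presented only a username and password, so the weakest factor can be re-armed without the strongest one ever being shown. The following is an added example, a hypothetical model written for this page and not Vanguard's code; the class names, function names and the factor ranking are the example's own assumptions. It puts the loophole beside the step-up rule that closes it: any change to enrolled factors, and every sign-in, must satisfy the strongest factor already enrolled on the account.

```python
# Added example: a model of the authentication-policy mistake discussed in the thread.
# Hypothetical names throughout; not the code of any real institution.
from dataclasses import dataclass, field
from typing import Optional, Set

# Higher number = stronger factor (assumed ranking). A FIDO security key is
# phishing-resistant; SMS is weakest because of SIM swap and number porting.
STRENGTH = {"password": 0, "sms": 1, "totp": 2, "security_key": 3}


@dataclass
class Account:
    enrolled: Set[str] = field(default_factory=set)   # second factors registered on the account
    sms_enabled: bool = False
    phone: Optional[str] = None


@dataclass
class Session:
    satisfied: Set[str] = field(default_factory=set)  # factors actually verified in this session


def strongest_enrolled(acct: Account) -> Optional[str]:
    return max(acct.enrolled, key=STRENGTH.__getitem__, default=None)


def _arm_sms(acct: Account, phone: str) -> None:
    acct.enrolled.add("sms")
    acct.sms_enabled = True
    acct.phone = phone


def enable_sms_loophole(acct: Account, sess: Session, phone: str) -> bool:
    """Flawed flow: a password-only session may enable SMS and point it at any number.
    Someone holding the username and password never has to present the security key."""
    if "password" not in sess.satisfied:
        return False
    _arm_sms(acct, phone)
    return True


def enable_sms_hardened(acct: Account, sess: Session, phone: str) -> bool:
    """Step-up rule: changing enrolled factors requires that the strongest factor
    already enrolled was verified in *this* session. Possession of the key gates
    every downgrade, so there is no path around it."""
    if "password" not in sess.satisfied:
        return False
    strongest = strongest_enrolled(acct)
    if strongest is not None and strongest not in sess.satisfied:
        return False
    _arm_sms(acct, phone)
    return True


def login_loophole(acct: Account, sess: Session) -> bool:
    """Flawed rule: any one enrolled factor that was verified is enough to sign in."""
    if "password" not in sess.satisfied:
        return False
    return not acct.enrolled or bool(acct.enrolled & sess.satisfied)


def login_hardened(acct: Account, sess: Session) -> bool:
    """Every sign-in, recognized device or not, must present the strongest enrolled factor."""
    strongest = strongest_enrolled(acct)
    return "password" in sess.satisfied and (strongest is None or strongest in sess.satisfied)


if __name__ == "__main__":
    # Constructed scenario: key enrolled, SMS off, attacker knows only the password.
    acct = Account(enrolled={"security_key"})
    attacker = Session(satisfied={"password"})
    enable_sms_loophole(acct, attacker, "+15555550100")   # attacker's own number (constructed)
    attacker.satisfied.add("sms")                         # code arrives at that number
    print("loophole login:", login_loophole(acct, attacker))   # True: key never presented
    print("hardened login:", login_hardened(acct, attacker))   # False: key still required
```

The hardened functions also express the two features the thread asks for: a "no weaker fallback" rule that makes the SMS option irrelevant once a key is enrolled, and a key prompt on every login regardless of whether the device is recognized. The one thing this model deliberately leaves open is account recovery when all keys are lost; that path has to exist, but it belongs in an out-of-band identity-proofing process with delays and notifications, not in the ordinary sign-in screen of a mobile app.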
HomerJ
Posts: 21281
Joined: Fri Jun 06, 2008 12:50 pm

Re: Yubikey only at Vanguard now possible.

Post by HomerJ »

So how secure is the option for "only allow login from a recognized device"?
"The best tools available to us are shovels, not scalpels. Don't get carried away." - vanBogle59
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

criticalmass wrote: Wed Jul 21, 2021 11:07 pm
Silence Dogood wrote: Wed Jul 21, 2021 11:49 am Also, a feature that is missing for the security keys is the ability to require a security key with every log in - regardless of whether or not the device is recognized. This is currently a feature for the security codes (found under the "frequency" option).
Interestingly, I am always prompted for the security key on a browser. I didn't know that it might not be if the browser is "recognized," but I will see if there is a way to force it to recognize. If there is, that is not good... a security key is more secure than a browser cookie to "remember" you logged in before... hopefully.
Apparently the security key is required every time - which is good news.

For some reason, Vanguard asks if the device is private/public, but the answer has no effect.

See this thread:
Tubes wrote: Wed Jul 21, 2021 6:10 pm
Silence Dogood wrote: Wed Jul 21, 2021 3:54 pm
Tubes wrote: Wed Jul 21, 2021 3:39 pm I cleared the pop up and changed it to "remember", and regardless, the next log in it ignored my "remember" and made me use the key. I guess that's what I mean.
Just to make sure that I understand this correctly, now when you sign in from your recognized device, you are no longer asked whether or not you are using a private/public device, yet you are still required to use the security key?

If so, that's good.

(But then why does Vanguard bother to ask whether the device is private/public in the first place..?)
It provides the two choices, but has no effect! No matter my answer, it requires me to use the key.
Marmot
Posts: 592
Joined: Sun Oct 10, 2010 1:44 pm
Location: Phoenix, AZ

Re: Yubikey only at Vanguard now possible.

Post by Marmot »

cowdogman wrote: Wed Jul 21, 2021 4:10 pm
Marmot wrote: Wed Jul 21, 2021 4:03 pm How does a Token work?
Same as the phone app. There is an ID number identifying the token (as there is for the app--each download of the app has its own ID number) that you register with Fidelity, and the token provides a new code every 30 (I believe) seconds (just like the app). See photos on the Amazon link.

More secure than a phone, especially if you use only at home. I would just leave it in my desk.

In the old days (10+ years ago) I used a token for VPN access. The battery runs for a very long time (years), and then you buy a new one.

P.S., I'm guessing this would work at Fidelity, but am not 100% sure. There is also a credit card size version. https://www.amazon.com/FEITIAN-Technolo ... G4H1&psc=1
Thank you very much for the reply. I am trying to figure out if Yubikeys work on the Chase Bank site. They refer to "Tokens".
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

cowdogman wrote: Wed Jul 21, 2021 12:06 pm Does someone want to call Vanguard to see whether progress can be made on this Yubikey issue? See the summary of my call with Vanguard above.
I have made Vanguard aware of this thread.

Hopefully they will be able to use the feedback here to make improvements.
HomerJ
Posts: 21281
Joined: Fri Jun 06, 2008 12:50 pm

Re: Yubikey only at Vanguard now possible.

Post by HomerJ »

If the mobile app just lets you pick a new phone number to send SMS texts to...

Holy cow...

I am seriously thinking about moving our money. Not joking.

How is Fidelity? What about T Rowe Price?
LadyGeek
Site Admin
Posts: 95686
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: Yubikey only at Vanguard now possible.

Post by LadyGeek »

If you're serious, not bad. Vanguard isn't all that competitive any more. See the wiki:

-Mutual funds for Bogleheads
-ETFs for Bogleheads

If you do this for real, wait a few days to remove emotion from the equation and think about it in detail. For example, be sure you don't trigger any taxable events due to the transfer. If you still want to proceed, then go for it.

(I don't have any experience with Yubikey. I'm just commenting on the financial part.)
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
ThereAreNoGurus
Posts: 970
Joined: Fri Jan 24, 2014 10:41 pm

Re: Yubikey only at Vanguard now possible.

Post by ThereAreNoGurus »

Silence Dogood wrote: Fri Jul 23, 2021 5:10 pm
cowdogman wrote: Wed Jul 21, 2021 12:06 pm Does someone want to call Vanguard to see whether progress can be made on this Yubikey issue? See the summary of my call with Vanguard above.
I have made Vanguard aware of this thread.

Hopefully they will be able to use the feedback here to make improvements.
Thanks. Hopefully this thread gets to somebody who cares, understands, and can do something about it... posting here would be great! (Just dreaming)
Trade the news and you will lose.
HomerJ
Posts: 21281
Joined: Fri Jun 06, 2008 12:50 pm

Re: Yubikey only at Vanguard now possible.

Post by HomerJ »

LadyGeek wrote: Fri Jul 23, 2021 8:45 pm If you do this for real, wait a few days to remove emotion from the equation and think about it in detail.
Always good advice from you.. thanks...

No, I would move stuff carefully.
cowdogman
Posts: 2070
Joined: Sat Dec 16, 2017 6:44 pm
Location: Washington State

Re: Yubikey only at Vanguard now possible.

Post by cowdogman »

HomerJ wrote: Fri Jul 23, 2021 9:52 pm
LadyGeek wrote: Fri Jul 23, 2021 8:45 pm If you do this for real, wait a few days to remove emotion from the equation and think about it in detail.
Always good advice from you.. thanks...

No, I would move stuff carefully.
Totally agree, altho I'm already in discussions with Fidelity--and have already discussed making sure there are no taxable events in the transfer. I plan to move slowly tho.

See my post on Fidelity security above.
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

cowdogman wrote: Sun Jul 18, 2021 10:24 am On my account, after registering the key, on the SMS codes page instead of a "disable" link there was a lock icon with a hover message saying I needed to remove the security key before I could disable SMS codes.

On my wife's account, after registering the key, there was a "disable" link on the SMS codes page--as the OP reported--and the disable link worked.
Out of curiosity, has this changed for you?
cowdogman
Posts: 2070
Joined: Sat Dec 16, 2017 6:44 pm
Location: Washington State

Re: Yubikey only at Vanguard now possible.

Post by cowdogman »

Silence Dogood wrote: Mon Aug 02, 2021 6:38 pm
cowdogman wrote: Sun Jul 18, 2021 10:24 am On my account, after registering the key, on the SMS codes page instead of a "disable" link there was a lock icon with a hover message saying I needed to remove the security key before I could disable SMS codes.

On my wife's account, after registering the key, there was a "disable" link on the SMS codes page--as the OP reported--and the disable link worked.
Out of curiosity, has this changed for you?
No, just checked. Same. Why do you ask?
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

cowdogman wrote: Mon Aug 02, 2021 6:44 pm
Silence Dogood wrote: Mon Aug 02, 2021 6:38 pm
cowdogman wrote: Sun Jul 18, 2021 10:24 am On my account, after registering the key, on the SMS codes page instead of a "disable" link there was a lock icon with a hover message saying I needed to remove the security key before I could disable SMS codes.

On my wife's account, after registering the key, there was a "disable" link on the SMS codes page--as the OP reported--and the disable link worked.
Out of curiosity, has this changed for you?
No, just checked. Same. Why do you ask?
Thank you for taking the time to check.

I was just curious to see if any changes/improvements were made.
rgs
Posts: 164
Joined: Sun Mar 24, 2019 7:30 pm

Re: Yubikey only at Vanguard now possible.

Post by rgs »

As has been noted here, I just discovered as well that getting the Yubikey is not useful at all (not much better than the SMS based 2FA). For one, Safari is not supported for the Secure Key. It almost feels easier to move than have all the (user initiated) workarounds to get Vanguard security to work correctly.

Also, this article refers to the user discontent with Vanguard - not clear if anyone with any level of authority at Vanguard reads or cares about these. Unfortunate really

https://www.inquirer.com/business/vangu ... 10821.html
LadyGeek
Site Admin
Posts: 95686
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: Yubikey only at Vanguard now possible.

Post by LadyGeek »

^^^ Comments on that article are in: [Vanguard may remove secure messages, members transitioning out of Vanguard]

Let's stick to Yubikey here.
fatcharlie
Posts: 66
Joined: Wed Aug 06, 2014 11:25 am

Re: Yubikey only at Vanguard now possible.

Post by fatcharlie »

kevinf wrote: Thu May 27, 2021 4:29 pm Good to hear, but my SMS account is a hardware token protected (different from the one used at Vanguard) Google Voice account, so I don't mind keeping that as a backup. Great news for everyone vulnerable to SMS hijacking though!
Is that secure against number porting attacks through the phone system?
absolute zero
Posts: 1244
Joined: Thu Dec 29, 2016 3:59 pm

Re: Yubikey only at Vanguard now possible.

Post by absolute zero »

fatcharlie wrote: Mon Aug 23, 2021 4:36 pm
kevinf wrote: Thu May 27, 2021 4:29 pm Good to hear, but my SMS account is a hardware token protected (different from the one used at Vanguard) Google Voice account, so I don't mind keeping that as a backup. Great news for everyone vulnerable to SMS hijacking though!
Is that secure against number porting attacks through the phone system?
I'm no security expert, but my understanding (and I'm sure this has been discussed throughout this thread) is that Google Voice is not susceptible to number porting. It's as solid as your google account itself, which can be made secure through use of a Yubikey or authenticator app.

If the Google account is kept secure, the only vulnerability when it comes to Google Voice for 2FA is phishing. Which is why usage of a physical token i.e. Yubikey is still slightly advantageous compared to Google Voice. Supposedly there are lots of smart people out there who have still fallen prey to phishing attacks.
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

rgs wrote: Mon Aug 23, 2021 3:29 pm As has been noted here, I just discovered as well that getting the Yubikey is not useful at all (not much better than the SMS based 2FA). For one, Safari is not supported for the Secure Key. It almost feels easier to move than have all the (user initiated) workarounds to get Vanguard security to work correctly.
Can you elaborate on your experience?

Did you try using Firefox? After registering your security keys, were you able to disable SMS?

Regarding Vanguard, I'm not looking to make excuses - but I'm also not looking for excuses to complain.
cowdogman
Posts: 2070
Joined: Sat Dec 16, 2017 6:44 pm
Location: Washington State

Re: Yubikey only at Vanguard now possible.

Post by cowdogman »

FYI I set up a Google voice account today and secured it with Google Authenticator, and disabled SMS for 2FA on the Google Voice account. I then changed my 2FA SMS phone number at Vanguard to the new Google voice number.

So now when I log into Vanguard I enter my username and password and then use my Yubikey. If for some reason I choose the option to not use the Yubikey but to use SMS (which option I am NOT able to disable on my Vanguard account) then the SMS message goes to Google Voice, which automatically sends me an email with the SMS message (that is, the SMS code). My email is secure--it requires an authenticator to get in.

Does the above effectively deal with the SIM swapping concern?
ThereAreNoGurus
Posts: 970
Joined: Fri Jan 24, 2014 10:41 pm

Re: Yubikey only at Vanguard now possible.

Post by ThereAreNoGurus »

absolute zero wrote: Mon Aug 23, 2021 4:54 pm
fatcharlie wrote: Mon Aug 23, 2021 4:36 pm
kevinf wrote: Thu May 27, 2021 4:29 pm Good to hear, but my SMS account is a hardware token protected (different from the one used at Vanguard) Google Voice account, so I don't mind keeping that as a backup. Great news for everyone vulnerable to SMS hijacking though!
Is that secure against number porting attacks through the phone system?
I'm no security expert, but my understanding (and I'm sure this has been discussed throughout this thread) is that Google Voice is not susceptible to number porting. It's as solid as your google account itself, which can be made secure through use of a Yubikey or authenticator app.

If the Google account is kept secure, the only vulnerability when it comes to Google Voice for 2FA is phishing. Which is why usage of a physical token i.e. Yubikey is still slightly advantageous compared to Google Voice. Supposedly there are lots of smart people out there who have still fallen prey to phishing attacks.
I got a Google Voice number a while ago, but never made use of it. However, after the T-Mobile debacle and the suggestion here to change the VG Mobile number to a Google Voice number, I will probably do it.

For activity alerts did you switch off all text alerts or do you keep those as a back-up? I realize with Google Voice the text alerts will be delivered to Google voice. Just wondering if there's any advantages or disadvantages, of keeping text alerts, I'm missing, other than possible back-up to email.
absolute zero
Posts: 1244
Joined: Thu Dec 29, 2016 3:59 pm

Re: Yubikey only at Vanguard now possible.

Post by absolute zero »

ThereAreNoGurus wrote: Mon Aug 23, 2021 8:20 pm I got a Google Voice number a while ago, but never made use of it. However, after the T-Mobile debacle and the suggestion here to change the VG Mobile number to a Google Voice number, I will probably do it.

For activity alerts did you switch off all text alerts or do you keep those as a back-up? I realize with Google Voice the text alerts will be delivered to Google voice. Just wondering if there's any advantages or disadvantages, of keeping text alerts, I'm missing, other than possible back-up to email.
I get text alerts to Google Voice number. I don’t really see any need to though, assuming you already get email alerts and you check your email regularly. I’ve probably just never been bothered enough to turn off text alerts, since I make transactions pretty infrequently.
ThereAreNoGurus
Posts: 970
Joined: Fri Jan 24, 2014 10:41 pm

Re: Yubikey only at Vanguard now possible.

Post by ThereAreNoGurus »

absolute zero wrote: Mon Aug 23, 2021 9:21 pm
ThereAreNoGurus wrote: Mon Aug 23, 2021 8:20 pm I got a Google Voice number a while ago, but never made use of it. However, after the T-Mobile debacle and the suggestion here to change the VG Mobile number to a Google Voice number, I will probably do it.

For activity alerts did you switch off all text alerts or do you keep those as a back-up? I realize with Google Voice the text alerts will be delivered to Google voice. Just wondering if there's any advantages or disadvantages, of keeping text alerts, I'm missing, other than possible back-up to email.
I get text alerts to Google Voice number. I don’t really see any need to though, assuming you already get email alerts and you check your email regularly. I’ve probably just never been bothered enough to turn off text alerts, since I make transactions pretty infrequently.
Thanks. I was just wondering whether I was overlooking anything. I seldom have any transactions, but of course we want the alerts in case the account is tampered with. So I guess the text alerts can act as backup if for some reason email is not working... Murphy's Law and all that. :D
david9117
Posts: 151
Joined: Tue Dec 25, 2007 7:00 pm
Location: San Diego, Ca

Re: Yubikey only at Vanguard now possible.

Post by david9117 »

Google voice is doing away with text forwarding soon. If you get a new google voice text forwarding is disabled by default. Everything will be sent to your gmail.
ThereAreNoGurus
Posts: 970
Joined: Fri Jan 24, 2014 10:41 pm

Re: Yubikey only at Vanguard now possible.

Post by ThereAreNoGurus »

david9117 wrote: Mon Aug 23, 2021 9:43 pm Google voice is doing away with text forwarding soon. If you get a new google voice text forwarding is disabled by default. Everything will be sent to your gmail.
Thx. That's good to know.
HomerJ
Posts: 21281
Joined: Fri Jun 06, 2008 12:50 pm

Re: Yubikey only at Vanguard now possible.

Post by HomerJ »

cowdogman wrote: Mon Aug 23, 2021 7:52 pm FYI I set up a Google voice account today and secured it with Google Authenticator, and disabled SMS for 2FA on the Google Voice account. I then changed my 2FA SMS phone number at Vanguard to the new Google voice number.

So now when I log into Vanguard I enter my username and password and then use my Yubikey. If for some reason I choose the option to not use the Yubikey but to use SMS (which option I am NOT able to disable on my Vanguard account) then the SMS message goes to Google Voice, which automatically sends me an email with the SMS message (that is, the SMS code). My email is secure--it requires an authenticator to get in.

Does the above effectively deal with the SIM swapping concern?
I like it... Can you use the Yubikey for your Google account instead of Google Authenticator?
ThereAreNoGurus
Posts: 970
Joined: Fri Jan 24, 2014 10:41 pm

Re: Yubikey only at Vanguard now possible.

Post by ThereAreNoGurus »

HomerJ wrote: Tue Aug 24, 2021 12:32 am
cowdogman wrote: Mon Aug 23, 2021 7:52 pm FYI I set up a Google voice account today and secured it with Google Authenticator, and disabled SMS for 2FA on the Google Voice account. I then changed my 2FA SMS phone number at Vanguard to the new Google voice number.

So now when I log into Vanguard I enter my username and password and then use my Yubikey. If for some reason I choose the option to not use the Yubikey but to use SMS (which option I am NOT able to disable on my Vanguard account) then the SMS message goes to Google Voice, which automatically sends me an email with the SMS message (that is, the SMS code). My email is secure--it requires an authenticator to get in.

Does the above effectively deal with the SIM swapping concern?
I like it... Can you use the Yubikey for your Google account instead of Google Authenticator?
https://www.yubico.com/works-with-yubik ... -accounts/
cacophony
Posts: 1363
Joined: Tue Oct 16, 2007 9:12 pm

Re: Yubikey only at Vanguard now possible.

Post by cacophony »

david9117 wrote: Mon Aug 23, 2021 9:43 pm Google voice is doing away with text forwarding soon. If you get a new google voice text forwarding is disabled by default. Everything will be sent to your gmail.
Or you could just install the Google Voice app on your phone and all incoming texts will show up like a text message. Not sure I understand the point in forwarding texts to a different number. The Google Voice app is great.
rgs
Posts: 164
Joined: Sun Mar 24, 2019 7:30 pm

Re: Yubikey only at Vanguard now possible.

Post by rgs »

Silence Dogood wrote: Mon Aug 23, 2021 7:39 pm
rgs wrote: Mon Aug 23, 2021 3:29 pm As has been noted here, I just discovered as well that getting the Yubikey is not useful at all (not much better than the SMS based 2FA). For one, Safari is not supported for the Secure Key. It almost feels easier to move than have all the (user initiated) workarounds to get Vanguard security to work correctly.
Can you elaborate on your experience?

Did you try using Firefox? After registering your security keys, were you able to disable SMS?

Regarding Vanguard, I'm not looking to make excuses - but I'm also not looking for excuses to complain.
Yes, tried it with Firefox and that works (as one would expect). Have not attempted to disable SMS yet, need to setup the backup first.

Re "I'm also not looking for excuses to complain": I am not sure why you get the impression that any of us are looking "for excuses to complain". Most if not all of the comments here have been objective, and personally I have been with VG for over 20 years. I have liked them as a company, and their products have been (and continue to be) great and have served us well. But that said, when there are deficiencies (esp. where security is concerned) it behooves us to point this out.
cowdogman
Posts: 2070
Joined: Sat Dec 16, 2017 6:44 pm
Location: Washington State

Re: Yubikey only at Vanguard now possible.

Post by cowdogman »

HomerJ wrote: Tue Aug 24, 2021 12:32 am
cowdogman wrote: Mon Aug 23, 2021 7:52 pm FYI I set up a Google voice account today and secured it with Google Authenticator, and disabled SMS for 2FA on the Google Voice account. I then changed my 2FA SMS phone number at Vanguard to the new Google voice number.

So now when I log into Vanguard I enter my username and password and then use my Yubikey. If for some reason I choose the option to not use the Yubikey but to use SMS (which option I am NOT able to disable on my Vanguard account) then the SMS message goes to Google Voice, which automatically sends me an email with the SMS message (that is, the SMS code). My email is secure--it requires an authenticator to get in.

Does the above effectively deal with the SIM swapping concern?
I like it... Can you use the Yubikey for your Google account instead of Google Authenticator?
Yes, I believe so, but I chose the authenticator in case I need to access Google Voice away from home or over my phone.
User avatar
cowdogman
Posts: 2070
Joined: Sat Dec 16, 2017 6:44 pm
Location: Washington State

Re: Yubikey only at Vanguard now possible.

Post by cowdogman »

david9117 wrote: Mon Aug 23, 2021 9:43 pm Google voice is doing away with text forwarding soon. If you get a new google voice text forwarding is disabled by default. Everything will be sent to your gmail.
Not necessarily Gmail. You can set up a Google account with a non-Gmail email address. You can't use Gmail with a non-Gmail email address (of course) but you can use the other Google services, like Google Voice.

I used a non-Gmail address for my Google account, so all Google Voice texts get sent to my non-Gmail email.
User avatar
ThereAreNoGurus
Posts: 970
Joined: Fri Jan 24, 2014 10:41 pm

Re: Yubikey only at Vanguard now possible.

Post by ThereAreNoGurus »

cowdogman wrote: Tue Aug 24, 2021 10:13 am
david9117 wrote: Mon Aug 23, 2021 9:43 pm Google voice is doing away with text forwarding soon. If you get a new google voice text forwarding is disabled by default. Everything will be sent to your gmail.
Not necessarily Gmail. You can set up a Google account with a non-Gmail email address. You can't use Gmail with a non-Gmail email address (of course) but you can use the other Google services, like Google Voice.

I used a non-Gmail address for my Google account, so all Google Voice texts get sent to my non-Gmail email.
Before doing a search, I noticed the only way to change one's email associated with Google Voice (within Google Voice) is to click the Legacy option and do it from there. However, GV Legacy is supposedly going to be discontinued some day.

After doing a search, I learned, within one's Gmail account, one can create a filter and then forward only those messages that meet the filter's criteria.
Trade the news and you will lose.
User avatar
Rowan Oak
Posts: 851
Joined: Mon May 09, 2016 2:11 pm
Location: Yoknapatawpha

Re: Yubikey only at Vanguard now possible.

Post by Rowan Oak »

cowdogman wrote: Mon Aug 23, 2021 7:52 pm FYI I set up a Google voice account today and secured it with Google Authenticator, and disabled SMS for 2FA on the Google Voice account. I then changed my 2FA SMS phone number at Vanguard to the new Google voice number.

So now when I log into Vanguard I enter my username and password and then use my Yubikey. If for some reason I choose the option to not use the Yubikey but to use SMS (which option I am NOT able to disable on my Vanguard account) then the SMS message goes to Google Voice, which automatically sends me an email with the SMS message (that is, the SMS code). My email is secure--it requires an authenticator to get in.

Does the above effectively deal with the SIM swapping concern?
Yes. This is the way.

I would only add that you should remove any "recovery email" address you have allowed for the gmail account you're using with the google voice number unless you also control the recovery email address with an authenticator code as the only 2-step verification option.
“If you can get good at destroying your own wrong ideas, that is a great gift.” – Charlie Munger
User avatar
HomerJ
Posts: 21281
Joined: Fri Jun 06, 2008 12:50 pm

Re: Yubikey only at Vanguard now possible.

Post by HomerJ »

Rowan Oak wrote: Tue Aug 24, 2021 1:34 pm
cowdogman wrote: Mon Aug 23, 2021 7:52 pm FYI I set up a Google voice account today and secured it with Google Authenticator, and disabled SMS for 2FA on the Google Voice account. I then changed my 2FA SMS phone number at Vanguard to the new Google voice number.

So now when I log into Vanguard I enter my username and password and then use my Yubikey. If for some reason I choose the option to not use the Yubikey but to use SMS (which option I am NOT able to disable on my Vanguard account) then the SMS message goes to Google Voice, which automatically sends me an email with the SMS message (that is, the SMS code). My email is secure--it requires an authenticator to get in.

Does the above effectively deal with the SIM swapping concern?
Yes. This is the way.

I would only add that you should remove any "recovery email" address you have allowed for the gmail account you're using with the google voice number unless you also control the recovery email address with an authenticator code as the only 2-step verification option.
How do you handle recovery then? If your phone breaks or you lose it for instance?
"The best tools available to us are shovels, not scalpels. Don't get carried away." - vanBogle59
User avatar
Rowan Oak
Posts: 851
Joined: Mon May 09, 2016 2:11 pm
Location: Yoknapatawpha

Re: Yubikey only at Vanguard now possible.

Post by Rowan Oak »

HomerJ wrote: Tue Aug 24, 2021 2:23 pm
Rowan Oak wrote: Tue Aug 24, 2021 1:34 pm
cowdogman wrote: Mon Aug 23, 2021 7:52 pm FYI I set up a Google voice account today and secured it with Google Authenticator, and disabled SMS for 2FA on the Google Voice account. I then changed my 2FA SMS phone number at Vanguard to the new Google voice number.

So now when I log into Vanguard I enter my username and password and then use my Yubikey. If for some reason I choose the option to not use the Yubikey but to use SMS (which option I am NOT able to disable on my Vanguard account) then the SMS message goes to Google Voice, which automatically sends me an email with the SMS message (that is, the SMS code). My email is secure--it requires an authenticator to get in.

Does the above effectively deal with the SIM swapping concern?
Yes. This is the way.

I would only add that you should remove any "recovery email" address you have allowed for the gmail account you're using with the google voice number unless you also control the recovery email address with an authenticator code as the only 2-step verification option.
How do you handle recovery then? If your phone breaks or you lose it for instance?
You can take a screenshot of the QR code and/or print it out; then you can scan that QR code from the saved screenshot or the printed copy any time you need to set up an authenticator app again on a new device or the same device for any reason.

You can also save the text version of the QR code, which will allow you to manually set up an authenticator app without scanning the QR code.

Gmail also has the option to use a set of "backup codes". These can only be used once each and I think there are 10 (you can generate new codes when necessary). These can be printed or downloaded and you can use these codes to get back into your gmail account to reset the authenticator codes with a new QR code.

I choose to print a few copies and keep them in different locations. I also handwrite the backup codes and the text version of the QR code. I never save passwords, QR codes, etc. to a computer or online backup service.
“If you can get good at destroying your own wrong ideas, that is a great gift.” – Charlie Munger
User avatar
ThereAreNoGurus
Posts: 970
Joined: Fri Jan 24, 2014 10:41 pm

Re: Yubikey only at Vanguard now possible.

Post by ThereAreNoGurus »

Rowan Oak wrote: Tue Aug 24, 2021 3:41 pm
Gmail also has the option to use a set of "backup codes". These can only be used once each and I think there are 10 (you can generate new codes when necessary). These can be printed or downloaded and you can use these codes to get back into your gmail account to reset the authenticator codes with a new QR code.

I choose to print a few copies and keep them in different locations. I also handwrite the backup codes and the text version of the QR code. I never save passwords, QR codes, etc. to a computer or online backup service.
I use backup codes and store them encrypted on flash drives. No hacker will get to them. Also, when getting the backup codes from Google, they provide a URL you can visit to get more codes if you want.
Trade the news and you will lose.
RubyTuesday
Posts: 2241
Joined: Fri Oct 19, 2012 11:24 am

Re: Yubikey only at Vanguard now possible.

Post by RubyTuesday »

It's not clear to me whether some are forwarding their GV SMS messages to a different mobile number to receive the 2FA codes, but that would largely defeat the purpose of using GV. If you forward to a device that could be SIM swapped, you've not really protected yourself.

Either log into google and see the text using a browser or use the GV app.

As for recovery, I have the TOTP QR code scanned into 1Password as well as into Google Authenticator, so I can generate codes if needed.
“Doing nothing is better than being busy doing nothing.” – Lao Tzu
danaht
Posts: 816
Joined: Sun Oct 18, 2015 11:28 am

Re: Yubikey only at Vanguard now possible.

Post by danaht »

I use Google Voice for most of my 2FA. The only issue with Google Voice is that there are a few services that don't support sending SMS to a Google Voice number.
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

rgs wrote: Tue Aug 24, 2021 7:22 am
Silence Dogood wrote: Mon Aug 23, 2021 7:39 pm Regarding Vanguard, I'm not looking to make excuses - but I'm also not looking for excuses to complain.
I'm also not looking for excuses to complain...
Please do not take offense. My statement was meant as a clarification (of the course I hope for this thread to stay on - constructive criticism) rather than as an accusation.
rgs wrote: Tue Aug 24, 2021 7:22 am ...when there are deficiencies (esp where security is concerned) it behooves us to point this out.
I agree. As I mentioned earlier, I've made Vanguard aware of this thread. Hopefully they will use the feedback in this thread to make improvements.
rgs
Posts: 164
Joined: Sun Mar 24, 2019 7:30 pm

Re: Yubikey only at Vanguard now possible.

Post by rgs »

danaht wrote: Tue Aug 24, 2021 4:39 pm I use Google Voice for most of my 2FA. The only issue with Google Voice is that there are a few services that don't support sending SMS to a Google Voice number.
Perhaps because I have 2x Gmail accounts, I can't get GV to initialize. I keep getting a "something went wrong" error. I tried deleting one of the Gmail accounts from my iPhone to no avail.

A Google search on this topic wasn't particularly helpful either. If any of you have seen this error and have managed to resolve it, I would be curious about the steps taken. Thanks
rgs
Posts: 164
Joined: Sun Mar 24, 2019 7:30 pm

Re: Yubikey only at Vanguard now possible.

Post by rgs »

Silence Dogood wrote: Tue Aug 24, 2021 4:46 pm
rgs wrote: Tue Aug 24, 2021 7:22 am
Silence Dogood wrote: Mon Aug 23, 2021 7:39 pm Regarding Vanguard, I'm not looking to make excuses - but I'm also not looking for excuses to complain.
I'm also not looking for excuses to complain...
Please do not take offense. My statement was meant as a clarification (of the course I hope for this thread to stay on - constructive criticism) rather than as an accusation.
rgs wrote: Tue Aug 24, 2021 7:22 am ...when there are deficiencies (esp where security is concerned) it behooves us to point this out.
I agree. As I mentioned earlier, I've made Vanguard aware of this thread. Hopefully they will use the feedback in this thread to make improvements.
No, all good - none taken :-). BTW once I enable the Key, the code is "locked". Been struggling to get GV to work.
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

Here are the things that Vanguard should fix:

1. Allow all clients to disable SMS after registering their security keys.

Some of us (including myself) are able to do this now.

As I noted earlier in this thread, I think it would be smart for Vanguard to require at least two security keys to be registered before allowing SMS to be disabled.

2. Longer term, the mobile apps should be made to work with security keys. In the meantime, the mobile apps should be disabled for those who've disabled SMS.

This could work in a similar way to how the "restrict access to recognized devices" option currently works.

3. Require the security key for every login - but stop asking whether or not the device should be recognized.

Apparently Vanguard does require the security key to be used with every login - which is best practice. However, for whatever reason, Vanguard continues to ask whether the device being used is private or public. Whichever option is chosen seems to have no effect. This is a lower-priority issue, since it's more of a design/aesthetic issue, but it should still be fixed.