Yubikey only at Vanguard now possible.
-
- Posts: 31
- Joined: Sat Sep 10, 2016 8:46 pm
Yubikey only at Vanguard now possible.
Hello everyone,
Today I was able to disable security codes via SMS/Phone call while continuing to use the enrolled Yubikey security keys. It appears they listened to us. You can disable security codes by going to my accounts -> profile & settings -> security code and disabling there. Enjoy the increased security!
Edited to add:
Yubikeys are physical security keys that provide a second factor for login authentication similar to receiving a text message with a code. They connect via USB ports or NFC. Vanguard uses the universal second factor (FIDO U2F) function of the keys which is widely considered to represent the highest standard of 2-factor authentication. At Vanguard, one enters their username and password, and then inserts the yubikey into a USB port, touches the key, and is then logged in. Previously, one had to enroll in security codes via SMS or phone call as a backup to the security key option, which defeats the purpose of the higher security provided by the keys.
If anyone wants to explain further or correct me, please feel free since I am no expert.
pragmatist
Today I was able to disable security codes via SMS/Phone call while continuing to use the enrolled Yubikey security keys. It appears they listened to us. You can disable security codes by going to my accounts -> profile & settings -> security code and disabling there. Enjoy the increased security!
Edited to add:
Yubikeys are physical security keys that provide a second factor for login authentication similar to receiving a text message with a code. They connect via USB ports or NFC. Vanguard uses the universal second factor (FIDO U2F) function of the keys which is widely considered to represent the highest standard of 2-factor authentication. At Vanguard, one enters their username and password, and then inserts the yubikey into a USB port, touches the key, and is then logged in. Previously, one had to enroll in security codes via SMS or phone call as a backup to the security key option, which defeats the purpose of the higher security provided by the keys.
If anyone wants to explain further or correct me, please feel free since I am no expert.
pragmatist
Last edited by pragmatist on Thu May 27, 2021 7:02 am, edited 1 time in total.
Re: Yubikey only at Vanguard now possible.
thanks pragmatist.pragmatist wrote: ↑Thu May 27, 2021 6:38 am Hello everyone,
Today I was able to disable security codes via SMS/Phone call while continuing to use the enrolled Yubikey security keys. It appears they listened to us. You can disable security codes by going to my accounts -> profile & settings -> security code and disabling there. Enjoy the increased security!
pragmatist
perhaps you can do an ELI5 (explain it like i'm 5 years old) for everyone. What is a yubikey, how does it work at Vanguard (now).
cheers,
grok
RIP Mr. Bogle.
- RickBoglehead
- Posts: 7877
- Joined: Wed Feb 14, 2018 8:10 am
- Location: In a house
Re: Yubikey only at Vanguard now possible.
If true, amazing that they wouldn't communicate that...
Avid user of forums on variety of interests-financial, home brewing, F-150, EV, home repair, etc. Enjoy learning & passing on knowledge. It's PRINCIPAL, not PRINCIPLE. I ADVISE you to seek ADVICE.
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Yubikey only at Vanguard now possible.
I would perfect Vanguard would allow for the use of an authenticator app.
- southerndoc
- Posts: 1266
- Joined: Wed Apr 22, 2009 7:07 pm
- Location: Atlanta
Re: Yubikey only at Vanguard now possible.
This is a great find! Vanguard should make this information better known. They may not want to though because if someone loses access to their Yubikey, they'll have to call Vanguard to restore access.
- southerndoc
- Posts: 1266
- Joined: Wed Apr 22, 2009 7:07 pm
- Location: Atlanta
Re: Yubikey only at Vanguard now possible.
It's true. I just went through and did it. When I logged back in, it didn't give me an option to get a security code. Yubikey was my only option.RickBoglehead wrote: ↑Thu May 27, 2021 6:45 am If true, amazing that they wouldn't communicate that...
Re: Yubikey only at Vanguard now possible.
Can you register more than one YubiKey?
-
- Posts: 31
- Joined: Sat Sep 10, 2016 8:46 pm
Re: Yubikey only at Vanguard now possible.
Please Fidelity - do the same thing! I have yubikeys ready to go.
Re: Yubikey only at Vanguard now possible.
Does anyone know if Quicken downloads work with Yubikey enabled? I saw the question asked several times, but no answer. Thanks
Re: Yubikey only at Vanguard now possible.
Are you familiar with 2-factor authentication? The concept is that, in order to access you account, you need 2 security "factors". They are usually something I know (a password) and something I have. The something I have part can come in many forms. The most common is using a cell phone for the second factor. The brokerage sends a text message with a code to your phone and you reply with the code. The problem is that text messages can be intercepted by someone that doesn't actually have the phone.grok87 wrote: ↑Thu May 27, 2021 6:44 amthanks pragmatist.pragmatist wrote: ↑Thu May 27, 2021 6:38 am Hello everyone,
Today I was able to disable security codes via SMS/Phone call while continuing to use the enrolled Yubikey security keys. It appears they listened to us. You can disable security codes by going to my accounts -> profile & settings -> security code and disabling there. Enjoy the increased security!
pragmatist
perhaps you can do an ELI5 (explain it like i'm 5 years old) for everyone. What is a yubikey, how does it work at Vanguard (now).
cheers,
grok
There are several alternatives to text messages that people use. One is to run an app on your phone called an Authenticator. Another method is use a small hardware key, like a Yubikey.
A Yubikey is a little device that you can plug into your computer's USB slot. Newer ones can also connect to your phone just by putting it near the back of your phone. The Yubikey confirms that you are who you say you are. This way, if someone steals or cracks your password, they still can't get in because they don't have your key.
In the past, Vanguard let you use a Yubikey as the second factor, but they also let you log in using text messages on your phone as a second factor. Because the text message approach isn't very secure, there wasn't much benefit to using a YubiKey. It would be like putting two locks on your door - one that was weak and one that was strong, but either will let you in. Vanguard did that (I presume) because they didn't want to deal with people loosing their Yubikey. If someone loses their phone, it's easy to replace. You can't replace a Yubikey.
If you want the best security, get a Yubikey. To be safe, get multiple keys so that you can still get in if you lose one. I keep one on me and one at home. My wife also has a pair. All four are keyed to our account. Use them to secure your brokerage account and your e-mail account.
Alternatively, you can use an Authenticator app. In broad terms, it converts your phone/computer into something like a Yubikey. It's more convenient, free, and slightly less secure.
Re: Yubikey only at Vanguard now possible.
I did not know Vanguard supports the use of an authenticator app. Is this a new feature?
“My opinions are just that - opinions.”
Re: Yubikey only at Vanguard now possible.
They don’t support Authenticator apps. I think he was just comparing 2FA options, in general.
Re: Yubikey only at Vanguard now possible.
That’s a pity. I much prefer an Authenticator app to an SMS message.
“My opinions are just that - opinions.”
Re: Yubikey only at Vanguard now possible.
Good to hear, but my SMS account is a hardware token protected (different from the one used at Vanguard) Google Voice account, so I don't mind keeping that as a backup. Great news for everyone vulnerable to SMS hijacking though!
Re: Yubikey only at Vanguard now possible.
So I got a Yubikey recently and since I received it get this error at Vangaurd!?
'Security key service is temporarily unavailable. Please try again.'
Anyone else having issues?
'Security key service is temporarily unavailable. Please try again.'
Anyone else having issues?
Fools think their own way is right, but the wise listen to others.
Re: Yubikey only at Vanguard now possible.
Lately it's been dropping me back onto the log on screen after validating my key, but using the bookmarks I have to enter the site works to get me past the login once authed.
-
- Posts: 1113
- Joined: Mon Jan 06, 2014 3:28 pm
- Location: US citizen now retired in Canada. Subject to income tax in both.
Re: Yubikey only at Vanguard now possible.
I've used Yubi keys with Vanguard for a number of years now. Only one time did I get the message you indicate. It only affected the log-in using the keys (other means of logging in were available). The "outage" lasted only for part of an evening, a few hours. Still was worrisome. But it was only that one time, for me.
Edit: it is working fine right now for me.
Re: Yubikey only at Vanguard now possible.
What do you do if you lose your Yubikey, and how are thieves prevented from doing the same thing?
Re: Yubikey only at Vanguard now possible.
I assume the "break glass in emergency" option is to call Vanguard and have your online account deleted and everything turned back to paper statements and confirmations, as would be for an account that had been opened by mail or by phone. Then, you could create an online account again. I would think (hope?) that the "create a new online account for a Vanguard account where online access was recently deleted" process is more stringent, possibly involving mailing something to you to authenticate you.
Re: Yubikey only at Vanguard now possible.
So it was operator error! I was using a special character to name my security key, they are not allowed. I am set up now with security key required, no 2FA!JohnFiscal wrote: ↑Thu May 27, 2021 7:09 pmI've used Yubi keys with Vanguard for a number of years now. Only one time did I get the message you indicate. It only affected the log-in using the keys (other means of logging in were available). The "outage" lasted only for part of an evening, a few hours. Still was worrisome. But it was only that one time, for me.
Edit: it is working fine right now for me.
Fools think their own way is right, but the wise listen to others.
Re: Yubikey only at Vanguard now possible.
I am assuming you would have to call Vangaurd, verify your identity and have them delete security key. "At Vangaurd, my voice is my password."
Fools think their own way is right, but the wise listen to others.
Re: Yubikey only at Vanguard now possible.
Re: Yubikey only at Vanguard now possible.
Good question! Calling Vangaurd for account access will always be an option, so the best we can do is control what we can. I assume the voice verification is pretty secure as they do not ask for any other verification.
Fools think their own way is right, but the wise listen to others.
Re: Yubikey only at Vanguard now possible.
Thanks for posting this update, this was my ideal setup with Vangaurd, and I can finally utilize this method of access.pragmatist wrote: ↑Thu May 27, 2021 6:38 am Hello everyone,
Today I was able to disable security codes via SMS/Phone call while continuing to use the enrolled Yubikey security keys. It appears they listened to us. You can disable security codes by going to my accounts -> profile & settings -> security code and disabling there. Enjoy the increased security!
Edited to add:
Yubikeys are physical security keys that provide a second factor for login authentication similar to receiving a text message with a code. They connect via USB ports or NFC. Vanguard uses the universal second factor (FIDO U2F) function of the keys which is widely considered to represent the highest standard of 2-factor authentication. At Vanguard, one enters their username and password, and then inserts the yubikey into a USB port, touches the key, and is then logged in. Previously, one had to enroll in security codes via SMS or phone call as a backup to the security key option, which defeats the purpose of the higher security provided by the keys.
If anyone wants to explain further or correct me, please feel free since I am no expert.
pragmatist
Fools think their own way is right, but the wise listen to others.
Re: Yubikey only at Vanguard now possible.
Can you turn off voice verification and keep SMS verification (very secure with dedicated google phone number).?
Re: Yubikey only at Vanguard now possible.
Yes, you can call Vanguard and ask them to turn off voice verification.
If you haven't do so already, you may want to consider telling the Vanguard rep you want to setup an "enhanced security password". You will be asked for this password whenever you call Vanguard.
Re: Yubikey only at Vanguard now possible.
thank youMarkBarb wrote: ↑Thu May 27, 2021 12:42 pmAre you familiar with 2-factor authentication? The concept is that, in order to access you account, you need 2 security "factors". They are usually something I know (a password) and something I have. The something I have part can come in many forms. The most common is using a cell phone for the second factor. The brokerage sends a text message with a code to your phone and you reply with the code. The problem is that text messages can be intercepted by someone that doesn't actually have the phone.grok87 wrote: ↑Thu May 27, 2021 6:44 amthanks pragmatist.pragmatist wrote: ↑Thu May 27, 2021 6:38 am Hello everyone,
Today I was able to disable security codes via SMS/Phone call while continuing to use the enrolled Yubikey security keys. It appears they listened to us. You can disable security codes by going to my accounts -> profile & settings -> security code and disabling there. Enjoy the increased security!
pragmatist
perhaps you can do an ELI5 (explain it like i'm 5 years old) for everyone. What is a yubikey, how does it work at Vanguard (now).
cheers,
grok
There are several alternatives to text messages that people use. One is to run an app on your phone called an Authenticator. Another method is use a small hardware key, like a Yubikey.
A Yubikey is a little device that you can plug into your computer's USB slot. Newer ones can also connect to your phone just by putting it near the back of your phone. The Yubikey confirms that you are who you say you are. This way, if someone steals or cracks your password, they still can't get in because they don't have your key.
In the past, Vanguard let you use a Yubikey as the second factor, but they also let you log in using text messages on your phone as a second factor. Because the text message approach isn't very secure, there wasn't much benefit to using a YubiKey. It would be like putting two locks on your door - one that was weak and one that was strong, but either will let you in. Vanguard did that (I presume) because they didn't want to deal with people loosing their Yubikey. If someone loses their phone, it's easy to replace. You can't replace a Yubikey.
If you want the best security, get a Yubikey. To be safe, get multiple keys so that you can still get in if you lose one. I keep one on me and one at home. My wife also has a pair. All four are keyed to our account. Use them to secure your brokerage account and your e-mail account.
Alternatively, you can use an Authenticator app. In broad terms, it converts your phone/computer into something like a Yubikey. It's more convenient, free, and slightly less secure.
RIP Mr. Bogle.
Re: Yubikey only at Vanguard now possible.
Hopefully it is the same as it is with google Advanced Security - a very long process taking a few days to confirm your identity. Certainly not a simple conversation with a call center rep. But who knows. Someone should test it and report back.
Re: Yubikey only at Vanguard now possible.
To learn more go to Vanguard’s homepage scroll to the very bottom and click on security center and then scroll down to the topic on security keys.
Having read the latest news on Russian hacking
attempts, I’m more concerned about the safety of Vanguard’s computers versus my own.
Having read the latest news on Russian hacking
attempts, I’m more concerned about the safety of Vanguard’s computers versus my own.
-
- Posts: 31
- Joined: Sat Sep 10, 2016 8:46 pm
Re: Yubikey only at Vanguard now possible.
I've just learned that turning off the security codes breaks both android apps. Not sure about iPhone. So if you make use of those, you may need to keep the security codes enabled for now. Personally, I'm just going to stop using them.
-
- Posts: 2241
- Joined: Fri Oct 19, 2012 11:24 am
Re: Yubikey only at Vanguard now possible.
Does this mean using the NFC yubikey is not an option with the Vanguard app?pragmatist wrote: ↑Fri May 28, 2021 11:11 am I've just learned that turning off the security codes breaks both android apps. Not sure about iPhone. So if you make use of those, you may need to keep the security codes enabled for now. Personally, I'm just going to stop using them.
“Doing nothing is better than being busy doing nothing.” – Lao Tzu
-
- Posts: 31
- Joined: Sat Sep 10, 2016 8:46 pm
Re: Yubikey only at Vanguard now possible.
I'm using an old version of android, but no, not that I have seen.RubyTuesday wrote: ↑Fri May 28, 2021 11:20 am
Does this mean using the NFC yubikey is not an option with the Vanguard app?
Re: Yubikey only at Vanguard now possible.
Someone posted on the forum a couple of months ago that he set up voice verification with VG then experimented with it by asking his wife to speak into the phone and the verifier allowed his wife into his account. I don't remember the ultimate outcome of that discussion.
"Never underestimate one's capacity to overestimate one's abilities" - The Dunning-Kruger Effect
-
- Posts: 1660
- Joined: Tue Feb 01, 2011 8:22 pm
Re: Yubikey only at Vanguard now possible.
I recommend that all Bogleheads set this up.
If you lose one, sign in with a backup key and "deregister" the lost one. I tested this out and it worked.
Make sure to have a backup key (Vanguard allows up to 4 keys to be registered)!
If you lose one, sign in with a backup key and "deregister" the lost one. I tested this out and it worked.
- ThereAreNoGurus
- Posts: 970
- Joined: Fri Jan 24, 2014 10:41 pm
Re: Yubikey only at Vanguard now possible.
I just clicked the link to register a security key and received a blank page.
Guess I'll have to wait until Monday to talk to a Vanguard person about this.
(And yes, I was logged-in and not timed-out.)
Guess I'll have to wait until Monday to talk to a Vanguard person about this.
(And yes, I was logged-in and not timed-out.)
Trade the news and you will lose.
-
- Posts: 1660
- Joined: Tue Feb 01, 2011 8:22 pm
Re: Yubikey only at Vanguard now possible.
I'm sorry to hear that; It was remarkably easy for me to set up.ThereAreNoGurus wrote: ↑Fri Jul 09, 2021 11:43 pm I just clicked the link to register a security key and received a blank page.
Guess I'll have to wait until Monday to talk to a Vanguard person about this.
(And yes, I was logged-in and not timed-out.)
Which web browser were you using? Were you able to reach someone at Vanguard?
Re: Yubikey only at Vanguard now possible.
I’m intrigued. So much so that I have ordered one to play with. If I like it, I will use it to secure my gmail and vanguard accounts…..
Given the amount of money at stake, it seems irresponsible not to use strong 2FA on these accounts…..
Given the amount of money at stake, it seems irresponsible not to use strong 2FA on these accounts…..
- ThereAreNoGurus
- Posts: 970
- Joined: Fri Jan 24, 2014 10:41 pm
Re: Yubikey only at Vanguard now possible.
Good questions!Silence Dogood wrote: ↑Tue Jul 13, 2021 4:32 pmI'm sorry to hear that; It was remarkably easy for me to set up.ThereAreNoGurus wrote: ↑Fri Jul 09, 2021 11:43 pm I just clicked the link to register a security key and received a blank page.
Guess I'll have to wait until Monday to talk to a Vanguard person about this.
(And yes, I was logged-in and not timed-out.)
Which web browser were you using? Were you able to reach someone at Vanguard?
I must say, I was impressed with Vanguard today.
I called around 11:30am, so I figured I would have a long wait before getting a rep, but was connected to a rep in 1 or 2 minutes!
She hadn't run across that error before, so after we talked a bit, tried and failed with a few things, she transferred me to a tech rep. I did not have a long wait... 5 minutes max.
The tech rep also had not seen this problem before. She had some good suggestions to try, such as different browsers, but I was still getting the blank page (using updated Chrome and Edge). Then she had me try an incognito Chrome browser (in desperation... I think... haha) and I got the page!
That really surprised both of us, and she wanted to work with me more to figure out what was going on, such as trying to access Vanguard from my cell phone using the web (not the app). I thought that was an excellent suggestion, but unfortunately I had an appointment coming up, and had to go.
So later today, I tried Edge in their private browser and it worked. Firefox and Brave browsers do not. (Brave's private browser did not work either.) Opera worked just fine in regular mode.
I do have a VPN which perhaps might be messing something up. (I did mention this to both reps). I have been getting the same results whether running a VPN or not.
I might play with this some more to try to figure out what is different among the browsers that's causing this issue, but most importantly, of course, it looks like I should be able to use Yubikeys. (I have some arriving tomorrow.)
By the way, that page is the only page that has that problem. All of the other pages/links on the settings page work fine, such as security code, check-writing, etc.
Trade the news and you will lose.
Re: Yubikey only at Vanguard now possible.
Using incognito / private mode in browsers typically has the side effect of turning off all browser extensions. So your description makes me think you might have an ad-blocker extension (like uBlock Origin) installed. The ad-blocker could be inadvertently interfering with how Vanguard login is supposed to work.ThereAreNoGurus wrote: ↑Tue Jul 13, 2021 9:24 pm ...Then she had me try an incognito Chrome browser (in desperation... I think... haha) and I got the page!
...
In Chrome, browse to chrome://extensions/ to see what extensions you have installed. As a temporary test, turn off any blocker and then try to logon to Vanguard using your Yubikey. If it works, that suggests the ad-blocker is the culprit. And don't forget to turn the ad-blocker back on.
If it is indeed an ad-blocker that's interfering with things, you can still probably get it all to work together. One option is to configure your ad-blocker to not do any blocking for vanguard.com web site pages, or not on the specific login related pages. Another option is to be more selective and only allow certain 3rd party javascript sites to load and run (this option would take some trial and error to figure out).
Re: Yubikey only at Vanguard now possible.
I run Firefox with a script blocker; while Google Mail allows me to use my Yubikey with whitelisting the site, whenever I try to use it through Vanguard it errors and requires me to use SMS instead. I think Vanguard still has some work to do, but I’m glad they’re getting there slowly but surely.
- ThereAreNoGurus
- Posts: 970
- Joined: Fri Jan 24, 2014 10:41 pm
Re: Yubikey only at Vanguard now possible.
Heh... Nice call! Thanks!sycamore wrote: ↑Wed Jul 14, 2021 8:02 amUsing incognito / private mode in browsers typically has the side effect of turning off all browser extensions. So your description makes me think you might have an ad-blocker extension (like uBlock Origin) installed. The ad-blocker could be inadvertently interfering with how Vanguard login is supposed to work.ThereAreNoGurus wrote: ↑Tue Jul 13, 2021 9:24 pm ...Then she had me try an incognito Chrome browser (in desperation... I think... haha) and I got the page!
...
In Chrome, browse to chrome://extensions/ to see what extensions you have installed. As a temporary test, turn off any blocker and then try to logon to Vanguard using your Yubikey. If it works, that suggests the ad-blocker is the culprit. And don't forget to turn the ad-blocker back on.
If it is indeed an ad-blocker that's interfering with things, you can still probably get it all to work together. One option is to configure your ad-blocker to not do any blocking for vanguard.com web site pages, or not on the specific login related pages. Another option is to be more selective and only allow certain 3rd party javascript sites to load and run (this option would take some trial and error to figure out).
That was it! Turned off the ad blocker for that page and it works. Very strange since there are no pop-ups on that page and every single other page on Vanguard's site works fine. But I know for sure it was the ad-blocker since turning it on and off repeatedly I get consistent results.
That page has no pop-ups and no exotic JS that is different from any other page, unless they are calling in some 3rd party JS or some-such. I didn't do a view source to see whether I can spot anything different.
Thanks again!
Trade the news and you will lose.
Re: Yubikey only at Vanguard now possible.
I was looking at the Yubico site, how do you figure which type of key? Basically we have a combination of devices, Iphones, Ipads, a Dell desktop and laptop? I took the quiz on the website but an still a bit confused. Thanks.
Marty....don't go to the year 2020....Dr. Emmett Brown
- ThereAreNoGurus
- Posts: 970
- Joined: Fri Jan 24, 2014 10:41 pm
Re: Yubikey only at Vanguard now possible.
That quiz seemed fishy to me. No matter what my choices it almost always recommended two keys, one that was standard USB and one that was USB-C even though it appeared to me I did not need USB-C.
Trade the news and you will lose.