Vanguard: Upgrading Yubikeys

TOMO
Posts: 28
Joined: Fri Mar 02, 2007 4:48 pm

Re: Vanguard: Upgrading Yubikeys

Post by TOMO »

I’m trying to decide between the Yubi Key 5 NFC and the Yubi Security Key NFC for the Vanguard security upgrade. Is the Yubi Key 5 worth the extra cost for the Vanguard security application?
Fremdon Ferndock
Posts: 1181
Joined: Fri Dec 24, 2021 11:26 am

Re: Vanguard: Upgrading Yubikeys

Post by Fremdon Ferndock »

TOMO wrote: Sun Aug 07, 2022 10:41 am I’m trying to decide between the Yubi Key 5 NFC and the Yubi Security Key NFC for the Vanguard security upgrade. Is the Yubi Key 5 worth the extra cost for the Vanguard security application?
YubiKey 5 Series
The YubiKey 5 Series is a hardware based authentication solution that offers strong two-factor, multi-factor and passwordless authentication with support for multiple protocols including FIDO2, U2F, PIV, Yubico OTP, and OATH TOTP. By offering the first set of multi-protocol security keys supporting FIDO2, the YubiKey 5 Series helps users accelerate to a passwordless future.
Security Key Series by Yubico
Security Key Series by Yubico delivers FIDO2 and FIDO U2F in a single device, supporting thousands of existing U2F two-factor authentication (2FA) services as well as future FIDO2 implementations.
I'm not the expert, but it looks to me as though the Yubi5 might be needed for passwordless authentication, which is what Vanguard and other sites may be moving toward. I'd check that out.
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
TOMO
Posts: 28
Joined: Fri Mar 02, 2007 4:48 pm

Re: Vanguard: Upgrading Yubikeys

Post by TOMO »

I’m trying to decide between the Yubi Key 5 NFC and the Yubi Security Key NFC for the Vanguard security upgrade. Is the Yubi Key 5 enough better for the Vanguard security application to justify the extra cost?

Tom
TOMO
Posts: 28
Joined: Fri Mar 02, 2007 4:48 pm

Re: Vanguard: Upgrading Yubikeys

Post by TOMO »

Sorry about the double post. User error. Thanks Fremdon Ferndock.
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Vanguard: Upgrading Yubikeys

Post by anon_investor »

TOMO wrote: Sun Aug 07, 2022 10:53 am I’m trying to decide between the Yubi Key 5 NFC and the Yubi Security Key NFC for the Vanguard security upgrade. Is the Yubi Key 5 enough better for the Vanguard security application to justify the extra cost?

Tom
I have the cheapest blue Yubikey, it works fine with the new Vanguard requirements.
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Vanguard: Upgrading Yubikeys

Post by Silence Dogood »

I re-registered both of my Yubikeys; I was not required to create a PIN.

It looks like Vanguard has not specified whether or not a PIN is required - hence why a PIN is being required for some clients but not others (see below). Given that Vanguard requires a (separate) password, my recommendation would be for Vanguard to not require a PIN and to specify this in their user verification settings.
Yubico wrote:
Why they appear
  • FIDO2 is made up of two components - WebAuthn on the service provider end, and CTAP2 on the YubiKey end.
  • PIN prompts are a result of a WebAuthn setting known as User Verification. This setting is controlled by each service provider.
  • If a service provider does not specify a setting for User Verification, most modern browsers will default setting it to Preferred (as per the WebAuthn spec), which may result in a PIN prompt.
  • If you prefer not to be prompted for a PIN, try disabling the YubiKey's FIDO2 function, and see if that eliminates the PIN prompt, while still allowing you to sign in. Note that FIDO2 is required for certain services (e.g. personal Microsoft accounts), so disabling the function on the YubiKey will cause it to not work or not be recognized by those services.
[Emphasis added.]
Fremdon Ferndock
Posts: 1181
Joined: Fri Dec 24, 2021 11:26 am

Re: Vanguard: Upgrading Yubikeys

Post by Fremdon Ferndock »

Silence Dogood wrote: Sun Aug 07, 2022 1:01 pm I re-registered both of my Yubikeys; I was not required to create a PIN.

It looks like Vanguard has not specified whether or not a PIN is required - hence why a PIN is being required for some clients but not others (see below). Given that Vanguard requires a (separate) password, my recommendation would be for Vanguard to not require a PIN and to specify this in their user verification settings.
Yubico wrote:
Why they appear
  • FIDO2 is made up of two components - WebAuthn on the service provider end, and CTAP2 on the YubiKey end.
  • PIN prompts are a result of a WebAuthn setting known as User Verification. This setting is controlled by each service provider.
  • If a service provider does not specify a setting for User Verification, most modern browsers will default setting it to Preferred (as per the WebAuthn spec), which may result in a PIN prompt.
  • If you prefer not to be prompted for a PIN, try disabling the YubiKey's FIDO2 function, and see if that eliminates the PIN prompt, while still allowing you to sign in. Note that FIDO2 is required for certain services (e.g. personal Microsoft accounts), so disabling the function on the YubiKey will cause it to not work or not be recognized by those services.
[Emphasis added.]
I believe the Yubi password problem occurred in my case because I already had a FIDO2 PIN in my Yubi, but didn't know it -- I don't remember ever creating one. Never got asked for it, because none of the sites I was logging onto (including Vanguard) was FIDO2. The PIN is optional, but if you have a FIDO2 PIN, then the Yubi will interrogate for the PIN when you are logging onto a FIDO2 site. Vanguard apparently is migrating to FIDO2, so my Yubi asked for the PIN I didn't know I had. I was confused about the whole thing, so I thought Vanguard was now asking for the PIN. When I got my head around this, I reset the Yubi to remove the FIDO2 PIN and now I'm not asked for it when logging onto Vanguard.

Please make a note of this -- it will be on the next Yubi/FIDO2 quiz toward your Master's degree in "stuff I never knew about my computer, the internet, security, or anything else electronic, but I use it anyway and hope for the best."
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
Fremdon Ferndock
Posts: 1181
Joined: Fri Dec 24, 2021 11:26 am

Re: Vanguard: Upgrading Yubikeys

Post by Fremdon Ferndock »

anon_investor wrote: Sun Aug 07, 2022 11:51 am
TOMO wrote: Sun Aug 07, 2022 10:53 am I’m trying to decide between the Yubi Key 5 NFC and the Yubi Security Key NFC for the Vanguard security upgrade. Is the Yubi Key 5 enough better for the Vanguard security application to justify the extra cost?

Tom
I have the cheapest blue Yubikey, it works fine with the new Vanguard requirements.
It does now, but they haven't implemented passwordless authentication yet.
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Vanguard: Upgrading Yubikeys

Post by anon_investor »

Fremdon Ferndock wrote: Sun Aug 07, 2022 1:38 pm
anon_investor wrote: Sun Aug 07, 2022 11:51 am
TOMO wrote: Sun Aug 07, 2022 10:53 am I’m trying to decide between the Yubi Key 5 NFC and the Yubi Security Key NFC for the Vanguard security upgrade. Is the Yubi Key 5 enough better for the Vanguard security application to justify the extra cost?

Tom
I have the cheapest blue Yubikey, it works fine with the new Vanguard requirements.
It does now, but they haven't implemented passwordless authentication yet.
I think Vanguard is a long ways away from that. The mobile app security flaw needs to be fixed first...
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Vanguard: Upgrading Yubikeys

Post by Silence Dogood »

Fremdon Ferndock wrote: Sun Aug 07, 2022 1:38 pm
anon_investor wrote: Sun Aug 07, 2022 11:51 am
TOMO wrote: Sun Aug 07, 2022 10:53 am I’m trying to decide between the Yubi Key 5 NFC and the Yubi Security Key NFC for the Vanguard security upgrade. Is the Yubi Key 5 enough better for the Vanguard security application to justify the extra cost?

Tom
I have the cheapest blue Yubikey, it works fine with the new Vanguard requirements.
It does now, but they haven't implemented passwordless authentication yet.
The Security Key Series (the blue key) is FIDO2 compliant:

https://www.yubico.com/products/security-key/
TOMO wrote: Sun Aug 07, 2022 10:53 am I’m trying to decide between the Yubi Key 5 NFC and the Yubi Security Key NFC for the Vanguard security upgrade. Is the Yubi Key 5 enough better for the Vanguard security application to justify the extra cost?

Tom
If you are specifically looking to protect your Vanguard account, the Security Key Series should work perfectly fine (it is FIDO2 compliant). Depending on the devices you use, I would recommend looking into the Security Key C NFC instead (USB-C is the future). FYI: It looks like you can use promo code SUMMER22 to get a 20% discount if you purchase by August 16th 12PM PT.

https://www.yubico.com/product/security ... by-yubico/
Fremdon Ferndock
Posts: 1181
Joined: Fri Dec 24, 2021 11:26 am

Re: Vanguard: Upgrading Yubikeys

Post by Fremdon Ferndock »

Tried the promo code and didn't work.
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
increment
Posts: 1736
Joined: Tue May 15, 2018 2:20 pm

Re: Vanguard: Upgrading Yubikeys

Post by increment »

That code (for back-to-school season) is for two of the Security Keys (the blue ones).
498jk9
Posts: 2
Joined: Sun Aug 07, 2022 3:14 pm

Re: Vanguard: Upgrading Yubikeys

Post by 498jk9 »

I was nagged to upgrade my security keys. To make the upgrade process work I was forced to delete my keys first. I did this and like the upgrade which forces me to add a security code.

What I do not like is that I was forced to add an sms code which defeats the purpose of my physical key. Earlier this year Vanguard allowed customers to only use keys without sms codes as a backup. Unfortunately, Vanguard seems to have brought back sms as a backup. In addition, installing the Vanguard app defeats security codes too. Even if I do not install the app anyone in the World can install it using my name and request an sms code...I cannot click a box at vanguard.com that does not allow the app to be used.

Again, there is no way to turn off sms when you are forced to install their "updated security". If there is please let me know. My guess is Vanguard is being lazy and getting tired of people calling in and saying their physical key is not working and needing tech support. How about charging people who lose their keys or doing something that is not Vanguard's fault $100 for each time they need help and harden security for the rest of us?
MrJedi
Posts: 3540
Joined: Wed May 06, 2020 11:42 am

Re: Vanguard: Upgrading Yubikeys

Post by MrJedi »

While the SMS backup is disappointing and does defeat some points of the hardware key, it does not make them useless.

Each time you use the hardware key instead of a one-time password, it is one less chance of a phishing attack, man in the middle attack, keylogging attack, etc. There is still some value in using it even if SMS / sim swap vulnerability is there.


Many of us loosely patch up the SMS sim swap vulnerability by using a Google Voice number, and the Google account can be locked down to a hardware key itself and the number can be locked from an external port / swap. Then allow SMS backup to the locked down Google Voice number.
498jk9
Posts: 2
Joined: Sun Aug 07, 2022 3:14 pm

Re: Vanguard: Upgrading Yubikeys

Post by 498jk9 »

Interesting. Good point about the benefits of a hardware key. I hear you on Google number but have a feeling that if I was ever hacked Vanguard would use this as an excuse to get out of making good on the money that was stolen from me.
tuningfork
Posts: 885
Joined: Wed Oct 30, 2013 8:30 pm

Re: Vanguard: Upgrading Yubikeys

Post by tuningfork »

498jk9 wrote: Sun Aug 07, 2022 3:23 pm What I do not like is that I was forced to add an sms code which defeats the purpose of my physical key. Earlier this year Vanguard allowed customers to only use keys without sms codes as a backup. Unfortunately, Vanguard seems to have brought back sms as a backup. In addition, installing the Vanguard app defeats security codes too. Even if I do not install the app anyone in the World can install it using my name and request an sms code...I cannot click a box at vanguard.com that does not allow the app to be used.
Don't they have to know your username and password before they can request an SMS code? And wouldn't it go to the SMS number you've already set up with Vanguard, which means they would have to know that number and have already social-engineered a SIM swap with your phone company? I don't think "anyone in the World" can do this, only a highly targeted attack from someone who already knows all this info about you and has already done the SIM swap (or has physical possession of your phone and the ability to unlock it).

The fallback to SMS is a hole, yes, but not as big a hole as some make it out to be IMHO.
Northern Flicker
Posts: 15363
Joined: Fri Apr 10, 2015 12:29 am

Re: Vanguard: Upgrading Yubikeys

Post by Northern Flicker »

Fremdon Ferndock wrote: Tue Aug 02, 2022 7:27 pm I guess I just did this with a Mac running Chrome. Only I deleted my Yubi and then re-registered it from scratch. I presume this worked since I've not seen anything to the contrary. Now I have to enter the PIN for the Yubi each time I log on. I didn't have to do that before. Is that a feature of Fido2? If so, I don't like it. Don't see the point either, because you can just opt for a text code to log in, so if somebody doesn't know the Yubi PIN that is no deterrent.
The pin is so that someone other than you cannot use the Yubikey if it is lost or stolen.
Last edited by Northern Flicker on Sun Aug 07, 2022 9:55 pm, edited 1 time in total.
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Vanguard: Upgrading Yubikeys

Post by anon_investor »

Northern Flicker wrote: Sun Aug 07, 2022 9:52 pm
Fremdon Ferndock wrote: Tue Aug 02, 2022 7:27 pm I guess I just did this with a Mac running Chrome. Only I deleted my Yubi and then re-registered it from scratch. I presume this worked since I've not seen anything to the contrary. Now I have to enter the PIN for the Yubi each time I log on. I didn't have to do that before. Is that a feature of Fido2? If so, I don't like it. Don't see the point either, because you can just opt for a text code to log in, so if somebody doesn't know the Yubi PIN that is no deterrent.
The pin is so that someone other than you cannot use the Yubikey if it is lost or stolen.
I actually like this feature.
Northern Flicker
Posts: 15363
Joined: Fri Apr 10, 2015 12:29 am

Re: Vanguard: Upgrading Yubikeys

Post by Northern Flicker »

Anyone who wants Vanguard to continue improving account security should welcome this change. The downside is you have to remember the pin or store it in a password safe.

An alternative would have been to have 3FA where an SMS code and Yubikey are both required.
Northern Flicker
Posts: 15363
Joined: Fri Apr 10, 2015 12:29 am

Re: Vanguard: Upgrading Yubikeys

Post by Northern Flicker »

498jk9 wrote: Sun Aug 07, 2022 4:16 pm Interesting. Good point about the benefits of a hardware key. I hear you on Google number but have a feeling that if I was ever hacked Vanguard would use this as an excuse to get out of making good on the money that was stolen from me.
You still have a Vanguard password on the account. If Vanguard does not employ a robust password reset protocol, they cannot pin that on Google.

The point of leaving SMS active is that the Vanguard app does not support yubikey authentication so without SMS there currently would be no 2FA for someone attacking your account with the app. Hopefully Vanguard will address that.
Fremdon Ferndock
Posts: 1181
Joined: Fri Dec 24, 2021 11:26 am

Re: Vanguard: Upgrading Yubikeys

Post by Fremdon Ferndock »

increment wrote: Sun Aug 07, 2022 3:21 pm That code (for back-to-school season) is for two of the Security Keys (the blue ones).
Got it. Thanks.
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
StrongMBS
Posts: 67
Joined: Sat Jan 14, 2017 1:38 pm

Re: Vanguard: Upgrading Yubikeys

Post by StrongMBS »

Once again lots of incorrect information and confusing terminology around FIDO2 security keys.

Tip: If all you are looking for is FIDO2 functionality then all you need is a FIDO2 key such as the Yubico blue Security Key series. That includes the FIDO2 use case of phish-proof “passwordless-MFA” using a key as the first factor and a PIN and user presence as the second, which is best-in-class and state-of-the-art authentication. Hopefully Vanguard will get here sooner or later.

Please remember Vanguard was one of the first to enable FIDO-based security keys. And although some of their choices are non-ideal from a cybersecurity stance, at least they were in the game. I will also point out that their communication of what their plans are, and their technical details have been non-existent or less than ideal.

Unfortunately deploying early in the technology curve means as technology evolves there is often technical debt to keep up with the times. We saw this late last year into early this year when they needed to transition from using the U2F API to the Web Authentication API.

I am not sure why Vanguard needs us to re-register our security keys, but it could be part of this technical debt.

First, we need to understand the technology and terms a little bit better. FIDO protocols, like most, have a layered approach and many options. The FIDO architecture has 3 components: Server, Client, Authenticator. Think of the Server as the service hosting the Web page (i.e., URL). The Client could be an app or browser. The Authenticator can be a FIDO security key.

When a browser is involved in the Client, it communicates with the Server through its top layer, which is referred to as the “xxx API” (e.g., U2F API, WebAuthn API), and with the Authenticator (i.e., FIDO security key) through the bottom layer, which is now called the Client to Authenticator Protocol (CTAP).

The FIDO Alliance has released several specifications and protocols over the years. One of those was commonly called FIDO U2F (Universal Second Factor), which was used by Google and Vanguard in the early days. In this case the two protocols were U2F API for the top layer and FIDO U2F for the bottom layer (yes, an unfortunate name, since that is what most people refer to the service as, and the start of some confusion); it is now called CTAP1.

FIDO2 has two protocols: W3C’s Web Authentication (i.e., WebAuthn) specification and the corresponding Client-to-Authenticator Protocols (CTAP) from the FIDO Alliance. CTAP has two versions: CTAP1 (i.e., FIDO U2F) and CTAP2, which supports the new functionality in WebAuthn.

Unlike where saying “FIDO U2F” defined the use case (i.e., using the FIDO security key as “Universal Second Factor”), there is no predefined use case for what “FIDO2” means. FIDO2 has many options and there are a multitude of use cases. Here is a white paper that walks through 10 of these use cases. https://media.fidoalliance.org/wp-conte ... .03.01.pdf

To provide backwards compatibility to early FIDO keys, NOT a FIDO2 key (e.g., a Yubico YubiKey 4 Series or Neo) when using the WebAuthn API there is a mapping of CTAP2 functionality to CTAP1 (i.e., FIDO U2F).

If you are using a FIDO2 key in a WebAuthn environment, technically you are not using U2F but rather FIDO2 as a second factor (this is Use Case 2 in the white paper above). You will note that “User Verification” using PIN or biometrics is optional. I think there is an error in the table, since it has “User Presence” (i.e., touch the key) as recommended, but I thought it was still required, which the text states.

You will notice that Use Case 3: Web Authentication using FIDO as a first factor (passwordless) and once again “User Verification” using PIN or biometrics is optional. This is what Microsoft uses in M365 Azure AD which is “passwordless-MFA” since the PIN is required and is the best-in-class and state-of-the-art authentication. It is best to think of the PIN as a Pinword or LocalPassword since the FIDO2 PIN should have the normal password restriction of some minimum length (like 8) and complexity (numbers and letters).
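As an added example (not part of any post in this thread, and not Vanguard's or Yubico's code): the sketch below shows where the User Verification setting from the Yubico excerpt and the FIDO2 use cases above appears in the WebAuthn request options, and how a server then checks the User Present and User Verified flags in the authenticator data. All function names, the policy table and the sample bytes are constructed for illustration.

```javascript
// Added illustration. RP_POLICY, buildRequestOptions, effectiveUserVerification,
// parseAuthenticatorData, checkAssertionFlags and makeSampleAuthData are
// hypothetical names, not part of any site's or library's API.

// WebAuthn authenticator data layout:
//   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
const FLAG_UP = 0x01; // User Present: the key was touched
const FLAG_UV = 0x04; // User Verified: PIN or biometric checked by the authenticator

// The two use cases discussed in the thread.
const RP_POLICY = {
  // Password first, key as second factor: touch is enough, no PIN wanted.
  secondFactor: { userVerification: "discouraged", requireUV: false },
  // Key as first factor (passwordless): the PIN is the second factor.
  passwordless: { userVerification: "required", requireUV: true },
};

// Build the options a site hands to the browser for a sign-in ceremony.
// The site states its User Verification setting explicitly.
function buildRequestOptions(useCase, challenge, rpId, credentialIds = []) {
  const policy = RP_POLICY[useCase];
  if (!policy) throw new Error(`unknown use case: ${useCase}`);
  return {
    challenge,
    rpId,
    allowCredentials: credentialIds.map((id) => ({ type: "public-key", id })),
    userVerification: policy.userVerification,
    timeout: 60000,
  };
}

// If the site leaves the setting out, the WebAuthn default is "preferred".
function effectiveUserVerification(options) {
  return options.userVerification ?? "preferred";
}

// Parse the fixed 37-byte header of the authenticator data.
function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = bytes[32];
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Server-side flag check only. A complete verification also checks the
// rpIdHash, challenge, origin and signature, which are omitted here.
function checkAssertionFlags(authDataBytes, useCase) {
  const policy = RP_POLICY[useCase];
  if (!policy) throw new Error(`unknown use case: ${useCase}`);
  const data = parseAuthenticatorData(authDataBytes);
  if (!data.userPresent) {
    return { ok: false, reason: "user presence (touch) flag not set" };
  }
  if (policy.requireUV && !data.userVerified) {
    return { ok: false, reason: "user verification (PIN) required but flag not set" };
  }
  return { ok: true, reason: "flags satisfy policy" };
}

// Constructed sample: 32 filler bytes stand in for the rpIdHash.
function makeSampleAuthData(flags, signCount) {
  const bytes = new Uint8Array(37);
  bytes.fill(0xaa, 0, 32);
  bytes[32] = flags;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

// Demo with constructed data: a touch-only response and a touch-plus-PIN response.
const touchOnly = makeSampleAuthData(FLAG_UP, 5);
const touchAndPin = makeSampleAuthData(FLAG_UP | FLAG_UV, 6);
console.log(checkAssertionFlags(touchOnly, "secondFactor"));
console.log(checkAssertionFlags(touchOnly, "passwordless"));
console.log(checkAssertionFlags(touchAndPin, "passwordless"));
```

In a browser, the object returned by `buildRequestOptions` would be passed as the `publicKey` member to `navigator.credentials.get()`.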
StrongMBS
Posts: 67
Joined: Sat Jan 14, 2017 1:38 pm

Re: Vanguard: Upgrading Yubikeys

Post by StrongMBS »

Fremdon Ferndock wrote: Sun Aug 07, 2022 10:52 am
TOMO wrote: Sun Aug 07, 2022 10:41 am I’m trying to decide between the Yubi Key 5 NFC and the Yubi Security Key NFC for the Vanguard security upgrade. Is the Yubi Key 5 worth the extra cost for the Vanguard security application?
YubiKey 5 Series
The YubiKey 5 Series is a hardware based authentication solution that offers strong two-factor, multi-factor and passwordless authentication with support for multiple protocols including FIDO2, U2F, PIV, Yubico OTP, and OATH TOTP. By offering the first set of multi-protocol security keys supporting FIDO2, the YubiKey 5 Series helps users accelerate to a passwordless future.
Security Key Series by Yubico
Security Key Series by Yubico delivers FIDO2 and FIDO U2F in a single device, supporting thousands of existing U2F two-factor authentication (2FA) services as well as future FIDO2 implementations.
I'm not the expert, but it looks to me as though the Yubi5 might be needed for passwordless authentication, which is what Vanguard and other sites may be moving toward. I'd check that out.
NO NO NO NO this is not right. If we are talking about FIDO2 based passwordless authentication, then all you need is a security key that supports FIDO2 which is what blue Security Key Series is.
Lynette
Posts: 2407
Joined: Sun Jul 27, 2014 9:47 am

Re: Vanguard: Upgrading Yubikeys

Post by Lynette »

I started using Yubikeys some time ago. I do not remember setting up a Pin. I cannot register a Yubikey without entering a Pin on Vanguard. I also use Yubikey for my Google gmail accounts. I am not willing to reset the Yubikeys and lose the access to Gmail. I called Vanguard support and the young man did not know what a PIN was required as his instructions did not tell him what it was. He was supposed to call me back this afternoon but did not. I may buy 2 more Yubikeys for only Vanguard or simply revert to SMS. How much time is it worth to try to sort this out? I have tried this on both Chromebook and Microsoft. In fact I can no longer reregister the one key as I have had too many tries for the pin.
Northern Flicker
Posts: 15363
Joined: Fri Apr 10, 2015 12:29 am

Re: Vanguard: Upgrading Yubikeys

Post by Northern Flicker »

498jk9 wrote: Sun Aug 07, 2022 3:23 pm I was nagged to upgrade my security keys. To make the upgrade process work I was forced to delete my keys first. I did this and like the upgrade which forces me to add a security code.

What I do not like is that I was forced to add an sms code which defeats the purpose of my physical key. Earlier this year Vanguard allowed customers to only use keys without sms codes as a backup. Unfortunately, Vanguard seems to have brought back sms as a backup. In addition, installing the Vanguard app defeats security codes too. Even if I do not install the app anyone in the World can install it using my name and request an sms code...I cannot click a box at vanguard.com that does not allow the app to be used.

Again, there is no way to turn off sms when you are forced to install their "updated security". If there is please let me know. My guess is Vanguard is being lazy and getting tired of people calling in and saying their physical key is not working and needing tech support. How about charging people who lose their keys or doing something that is not Vanguard's fault $100 for each time they need help and harden security for the rest of us?
Until the Vanguard phone/tablet app is upgraded to use Yubikey authentication, you want SMS enabled. Otherwise, if your password were compromised, an attacker could use the app to gain access to your account without 2FA.
RANkiDEr
Posts: 40
Joined: Fri Jun 18, 2021 4:09 pm

Re: Vanguard: Upgrading Yubikeys

Post by RANkiDEr »

Just completed the upgrade of my security keys using a laptop and Google Chrome.
Prior to updating the keys I went to the security key manufacturer's website to make sure the keys are Fido2 compliant.
Then I proceeded to the update. The process ran smoothly and everything updated accordingly.

Total time to make the update was about 5 minutes. :sharebeer
Lynette
Posts: 2407
Joined: Sun Jul 27, 2014 9:47 am

Re: Vanguard: Upgrading Yubikeys

Post by Lynette »

RANkiDEr wrote: Sat Aug 13, 2022 11:09 am Just completed the upgrade of my security keys using a laptop and Google Chrome.
Prior to updating the keys I went to the security key manufacturer's website to make sure the keys are Fido2 compliant.
Then I proceeded to the update. The process ran smoothly and everything updated accordingly.

Total time to make the update was about 5 minutes. :sharebeer
Did you have to enter a Pin?
bridge2benefits
Posts: 81
Joined: Sat May 07, 2022 10:53 pm

Re: Vanguard: Upgrading Yubikeys

Post by bridge2benefits »

Interesting - I upgraded today using Firefox (the browser I usually use to access Vanguard) and it said the update succeeded. I then logged out and now when I try to login again through Firefox, it says "We're experiencing technical difficulties We apologize for the temporary inconvenience. For immediate help, contact Vanguard support."

I am able to successfully login through Google Chrome, however - it prompts me to use my key and then logs me in, and the message nagging me to upgrade my key is not being displayed anymore. So in my case, I guess the upgrade "worked," but somehow broke their Firefox support :(
increment
Posts: 1736
Joined: Tue May 15, 2018 2:20 pm

Re: Vanguard: Upgrading Yubikeys

Post by increment »

bridge2benefits wrote: Sat Aug 13, 2022 9:22 pm So in my case, I guess the upgrade "worked," but somehow broke their Firefox support :(
I am having the same experience. It harks back to the old days when Vanguard required Chrome in order to use a hardware security key. (Trying Firefox always went straight to the phone method.)
robertvax
Posts: 13
Joined: Wed Apr 20, 2022 1:49 pm

Re: Vanguard: Upgrading Yubikeys

Post by robertvax »

bridge2benefits wrote: Sat Aug 13, 2022 9:22 pm Interesting - I upgraded today using Firefox (the browser I usually use to access Vanguard) and it said the update succeeded. I then logged out and now when I try to login again through Firefox, it says "We're experiencing technical difficulties We apologize for the temporary inconvenience. For immediate help, contact Vanguard support."

I am able to successfully login through Google Chrome, however - it prompts me to use my key and then logs me in, and the message nagging me to upgrade my key is not being displayed anymore. So in my case, I guess the upgrade "worked," but somehow broke their Firefox support :(
I can confirm the same breakage with Firefox + Yubikey with PIN, however it only breaks for me when I use an incognito window, or what Firefox calls a "private window". If I don't open a Firefox private window and instead use the default (presumably "non-private") Firefox browser window, I'm then able to log in via Firefox, with a Yubikey that uses a PIN.

I've informed Vanguard support and told them that I believe this is enough for their developers to be able to replicate the problem.

- RV
bridge2benefits
Posts: 81
Joined: Sat May 07, 2022 10:53 pm

Re: Vanguard: Upgrading Yubikeys

Post by bridge2benefits »

robertvax wrote: Sun Aug 14, 2022 12:29 am
bridge2benefits wrote: Sat Aug 13, 2022 9:22 pm Interesting - I upgraded today using Firefox (the browser I usually use to access Vanguard) and it said the update succeeded. I then logged out and now when I try to login again through Firefox, it says "We're experiencing technical difficulties We apologize for the temporary inconvenience. For immediate help, contact Vanguard support."

I am able to successfully login through Google Chrome, however - it prompts me to use my key and then logs me in, and the message nagging me to upgrade my key is not being displayed anymore. So in my case, I guess the upgrade "worked," but somehow broke their Firefox support :(
I can confirm the same breakage with Firefox + Yubikey with PIN, however it only breaks for me when I use an incognito window, or what Firefox calls a "private window". If I don't open a Firefox private window and instead use the default (presumably "non-private") Firefox browser window, I'm then able to log in via Firefox, with a Yubikey that uses a PIN.

I've informed Vanguard support and told them that I believe this is enough for their developers to be able to replicate the problem.
Thanks! Indeed, the reason I use Firefox for this is for its security, including using it in "permanent private browsing mode."

One additional detail is I'm not using a PIN with my Yubikey - I just followed the key upgrade process on the Vanguard site, and I was not prompted to enter a PIN (and when I login using Chrome now, I still do so without a PIN).
cacophony
Posts: 1363
Joined: Tue Oct 16, 2007 9:12 pm

Re: Vanguard: Upgrading Yubikeys

Post by cacophony »

I'm currently using a bunch of Yubikey 4 models, which don't appear to support FIDO2. Will that be a problem or security concern?
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Vanguard: Upgrading Yubikeys

Post by Silence Dogood »

Silence Dogood wrote: Sun Aug 07, 2022 1:01 pm Given that Vanguard requires a (separate) password, my recommendation would be for Vanguard to not require a PIN and to specify this in their user verification settings.
To expand on this, I think that Vanguard should eventually require a PIN - with the ultimate goal of implementing security key + PIN (only) for authentication. However, currently not all operating systems/browsers support this. For the most part, all modern operating systems/browsers do support username/password + security key.

Operating system and web browser support for FIDO2 and U2F

Of course, the main obstacle remains - the Vanguard mobile app, which currently does not support security keys at all.

I think the most effective action that we can all take is to contact Vanguard to let them know that security key support for the mobile app is important to us. The more they hear about this from their clients, the more likely they are to prioritize this.
mr.pappag
Posts: 14
Joined: Wed Jan 06, 2021 12:56 pm
Location: NJ

Re: Vanguard: Upgrading Yubikeys

Post by mr.pappag »

bridge2benefits wrote: Sun Aug 14, 2022 5:50 am
robertvax wrote: Sun Aug 14, 2022 12:29 am I can confirm the same breakage with Firefox + Yubikey with PIN, however it only breaks for me when I use an incognito window, or what Firefox calls a "private window". If I don't open a Firefox private window and instead use the default (presumably "non-private") Firefox browser window, I'm then able to log in via Firefox, with a Yubikey that uses a PIN.

I've informed Vanguard support and told them that I believe this is enough for their developers to be able to replicate the problem.
Thanks! Indeed, the reason I use Firefox for this is for its security, including using it in "permanent private browsing mode."

One additional detail is I'm not using a PIN with my Yubikey - I just followed the key upgrade process on the Vanguard site, and I was not prompted to enter a PIN (and when I login using Chrome now, I still do so without a PIN).
Another thanks! Exactly the same here. I've gotten so used to Firefox and incognito with VG I didn't think of trying a regular window. Works non-incognito Firefox and both incognito and non-incognito Chrome. No PIN using the blue Yubikey "Security Key".
cacophony
Posts: 1363
Joined: Tue Oct 16, 2007 9:12 pm

Re: Vanguard: Upgrading Yubikeys

Post by cacophony »

cacophony wrote: Sun Aug 14, 2022 1:05 pm I'm currently using a bunch of Yubikey 4 models, which don't appear to support FIDO2. Will that be a problem or security concern?
To partly answer my own question: It appears that Vanguard requires keys to support FIDO2.

Which means that the four Yubikeys I bought a few years ago are now unusable on the Vanguard website. I really hope FIDO2 offers a significant security advantage; one that justifies needing to purchase new hardware keys.
HanSolo
Posts: 2312
Joined: Thu Jul 19, 2012 3:18 am

Re: Vanguard: Upgrading Yubikeys

Post by HanSolo »

jamesthebaker wrote: Tue Aug 02, 2022 4:01 pm Does anybody know why I was successful in upgrading one account but not the second account? Any ideas?
No, I don't know why, and yes, I have an idea... maybe it happened that way because the IT person responsible for that feature took a long lunch, and therefore didn't get the feature working correctly.

Kidding aside (well, actually, I'm not sure I'm kidding)... I have two security keys called "Security Key by Yubico" (they are not branded as "Yubikey"), and have been using them with Vanguard for a few years, no problems. They come with both U2F and FIDO2. So I'm not even sure why Vanguard needs me to re-register keys that are already registered and already have the right features. I feel like they're bothering me unnecessarily.

Nevertheless, they are bothering me, so I'll probably re-register the same keys with Vanguard before their deadline, and hope that action doesn't lock me out of my account.

Considering that their process requires the person to receive an SMS (as I understand), I wonder what would happen to someone who's overseas during this period (e.g., student, or extended work assignment) and doesn't have access to their US-based cell service. Before the pandemic, I was often overseas for extended periods, and was more or less expecting that they'd pull something like this sooner or later (and half-expecting that Vanguard would find a way to mess it up).
Strategic Macro Senior (top 1%, 2019 Bogleheads Contest)
tuningfork
Posts: 885
Joined: Wed Oct 30, 2013 8:30 pm

Re: Vanguard: Upgrading Yubikeys

Post by tuningfork »

cacophony wrote: Sun Aug 14, 2022 11:02 pm
cacophony wrote: Sun Aug 14, 2022 1:05 pm I'm currently using a bunch of Yubikey 4 models, which don't appear to support FIDO2. Will that be a problem or security concern?
To partly answer my own question: It appears that Vanguard requires keys to support FIDO2.

Which means that the four Yubikeys I bought a few years ago are now unusable on the Vanguard website. I really hope FIDO2 offers a significant security advantage; one that justifies needing to purchase new hardware keys.
I have a Yubikey 4 and Yubikey 5. After the upgrade, both still work at Vanguard. The 5 asks for a PIN, the 4 does not. Perhaps they will require FIDO2 in the future, but for now they don't.
HanSolo wrote: Mon Aug 15, 2022 2:14 am Kidding aside (well, actually, I'm not sure I'm kidding)... I have two security keys called "Security Key by Yubico" (they are not branded as "Yubikey"), and have been using them with Vanguard for a few years, no problems. They come with both U2F and FIDO2. So I'm not even sure why Vanguard needs me to re-register keys that are already registered and already have the right features. I feel like they're bothering me unnecessarily.
I have no actual knowledge, but my guess is that to add support for FIDO2 Vanguard had to switch to a different backend software package with an incompatible user database. They could have spent time and money developing the code to migrate the user database (with the potential for increased support costs if that new code were buggy), or they could skip the new code and new bugs and require everyone to reregister their keys. If I were the IT guy in charge with cost being a primary concern, I know which one I would choose!
Lynette
Posts: 2407
Joined: Sun Jul 27, 2014 9:47 am

Re: Vanguard: Upgrading Yubikeys

Post by Lynette »

It seems that on Chrome, one does not need a PIN to reregister a new Yubikey but only for one that has been used before or on another site. Yesterday, I logged on to Vanguard with my existing key but could not reregister it without a PIN. I did not want to reset them as I use them on other sites so I bought 2 new keys. After logging on with the old key, I could register the new ones without a PIN. I was able to log on with the new Yubikeys that I had registered. Then I tried to log on with my old Yubikey that I had just used. I got the message that Vanguard was having technical difficulties.

Today I logged onto Vanguard successfully with the new Yubikeys I registered yesterday - without a PIN. Then I tried to log on with the old ones and was required to enter a PIN that I do not know. Oh well buying two new Yubikeys solved the problem for me. Good luck to everyone including Vanguard support.
EHEngineer
Posts: 1085
Joined: Sat Feb 28, 2015 3:35 pm

Re: Vanguard: Upgrading Yubikeys

Post by EHEngineer »

PizzaEater wrote: Fri Aug 05, 2022 8:44 am I was finally able to re-register my 2 Yubikeys using the de-register and register trick. But it was a multi-day process:

Wife's account: We were able to re-register the 2 Yubikeys no problem (without de-registering first). SMS is still disabled in account settings (though when logging in to her account there is a link that we could presumably use to send an SMS code if the Yubikey is unavailable - we haven't tried it).

My account: Yesterday, in order to de-register 1 of the 2 Yubikeys I re-enabled SMS authentication. Then I de-registered 1 Yubikey and then registered it. Then I went to de-register the 2nd Yubikey, and oops, now I can't access the "old" Yubikey interface. After some internet searching I finally found the URL and just pasted it directly into my browser (sorry I didn't save it...). This let me then de-register the 2nd key. Ok now to register it again... that worked. Next step go back and disable SMS, right? Well I did that, logged in again, and this time it didn't ask for a Yubikey - it just logged in and then immediately told me I need to enable SMS. So I did that. Now it tells me I have no Yubikeys registered. So I try to register key #1 and I get an error message that that key is already registered - even though Vanguard's site doesn't list any keys already registered. Logging out and logging back in it requires SMS authentication. I figured I confused the poor system and need to wait a day.

Today: Log in again (with SMS) and go to register Yubikey #1: success! Then register Yubikey #2: success! Logging back out and in again, I can use the Yubikey. Trying to turn off SMS: it won't let me! I figure the poor system is confused again so rather than mess up my account I'll wait until Monday to try to turn off SMS (while leaving the 2 Yubikeys enabled).
Were you able to remove SMS backup after you re-registered your two yubikeys?
Or, you can ... decline to let me, a stranger on the Internet, egg you on to an exercise in time-wasting, and you could say "I'm probably OK and I don't care about it that much." -Nisiprius
EHEngineer
Posts: 1085
Joined: Sat Feb 28, 2015 3:35 pm

Re: Vanguard: Upgrading Yubikeys

Post by EHEngineer »

Tarheelstrummer wrote: Wed Aug 03, 2022 12:40 pm
Fremdon Ferndock wrote: Tue Aug 02, 2022 7:27 pm I guess I just did this with a Mac running Chrome. Only I deleted my Yubi and then re-registered it from scratch. I presume this worked since I've not seen anything to the contrary. Now I have to enter the PIN for the Yubi each time I log on. I didn't have to do that before. Is that a feature of Fido2? If so, I don't like it. Don't see the point either, because you can just opt for a text code to log in, so if somebody doesn't know the Yubi PIN that is no deterrent.
You can also opt out of the ability to use an SMS code as a backup by going into your Vanguard security settings. I have done so because allowing a text code defeats the purpose of using a security key in two-factor authentication. Vanguard apparently will allow you to opt out of SMS code backup only if you have two security keys (a primary and backup) registered.

Like some (but apparently not all) of the other commenters who have re-authorized their Yubikeys under the new Vanguard system, I am now required to enter a pin before I touch the key.
Have you successfully re-registered your 2 yubikeys AND removed SMS?

I have yubikey only 2FA, but it is making me re-enroll in SMS before I can re-register. That makes sense for the transition, but I want to make sure I can remove SMS after I re-register my yubikeys (I have multiple). Thanks.
Or, you can ... decline to let me, a stranger on the Internet, egg you on to an exercise in time-wasting, and you could say "I'm probably OK and I don't care about it that much." -Nisiprius
cacophony
Posts: 1363
Joined: Tue Oct 16, 2007 9:12 pm

Re: Vanguard: Upgrading Yubikeys

Post by cacophony »

tuningfork wrote: Mon Aug 15, 2022 9:31 am
cacophony wrote: Sun Aug 14, 2022 11:02 pm
cacophony wrote: Sun Aug 14, 2022 1:05 pm I'm currently using a bunch of Yubikey 4 models, which don't appear to support FIDO2. Will that be a problem or security concern?
To partly answer my own question: It appears that Vanguard requires keys to support FIDO2.

Which means that the four Yubikeys I bought a few years ago are now unusable on the Vanguard website. I really hope FIDO2 offers a significant security advantage; one that justifies needing to purchase new hardware keys.
I have a Yubikey 4 and Yubikey 5. After the upgrade, both still work at Vanguard. The 5 asks for a PIN, the 4 does not. Perhaps they will require FIDO2 in the future, but for now they don't.
The instructions prior to registering a new key say "Make sure the key you choose meets the FIDO2 certification standard for secure authentication".
I'd prefer to be able to use my old keys, but not if it's going to introduce some sort of security risk or violation of Vanguard terms.

Can anyone comment on the risks or disadvantages of going against Vanguard's instructions and registering a key that only supports FIDO?
PizzaEater
Posts: 145
Joined: Wed Apr 10, 2019 1:35 pm

Re: Vanguard: Upgrading Yubikeys

Post by PizzaEater »

EHEngineer wrote: Thu Aug 25, 2022 12:10 pm
PizzaEater wrote: Fri Aug 05, 2022 8:44 am I was finally able to re-register my 2 Yubikeys using the de-register and register trick. But it was a multi-day process:

Wife's account: We were able to re-register the 2 Yubikeys no problem (without de-registering first). SMS is still disabled in account settings (though when logging in to her account there is a link that we could presumably use to send an SMS code if the Yubikey is unavailable - we haven't tried it).

My account: Yesterday, in order to de-register 1 of the 2 Yubikeys I re-enabled SMS authentication. Then I de-registered 1 Yubikey and then registered it. Then I went to de-register the 2nd Yubikey, and oops, now I can't access the "old" Yubikey interface. After some internet searching I finally found the URL and just pasted it directly into my browser (sorry I didn't save it...). This let me then de-register the 2nd key. Ok now to register it again... that worked. Next step go back and disable SMS, right? Well I did that, logged in again, and this time it didn't ask for a Yubikey - it just logged in and then immediately told me I need to enable SMS. So I did that. Now it tells me I have no Yubikeys registered. So I try to register key #1 and I get an error message that that key is already registered - even though Vanguard's site doesn't list any keys already registered. Logging out and logging back in it requires SMS authentication. I figured I confused the poor system and need to wait a day.

Today: Log in again (with SMS) and go to register Yubikey #1: success! Then register Yubikey #2: success! Logging back out and in again, I can use the Yubikey. Trying to turn off SMS: it won't let me! I figure the poor system is confused again so rather than mess up my account I'll wait until Monday to try to turn off SMS (while leaving the 2 Yubikeys enabled).
Were you able to remove SMS backup after you re-registered your two yubikeys?
Thanks for the reminder! Yes, I was able to disable SMS today. Logged out and back in again with my YubiKey. The "press the button on your YubiKey" webpage now has a "I've lost my YubiKey" link instead of the "send me an SMS code" link. I didn't try clicking it to see what would happen, though.
cartophile
Posts: 67
Joined: Mon Sep 14, 2015 10:52 pm

Re: Vanguard: Upgrading Yubikeys

Post by cartophile »

cacophony wrote: Thu Aug 25, 2022 7:57 pm
The instructions prior to registering a new key say "Make sure the key you choose meets the FIDO2 certification standard for secure authentication".
I'd prefer to be able to use my old keys, but not if it's going to introduce some sort of security risk or violation of Vanguard terms.

Can anyone comment on the risks or disadvantages of going against Vanguard's instructions and registering a key that only supports FIDO?
I have the old original Yubikey blue U2F keys (not the current blue model) which do not do FIDO2. I was able to reregister them while logging into Vanguard in the Chrome browser. As I recall it was not perfectly smooth but it DID work. For two keys I think I ended up getting five e-mail messages of confirmation.

One set of Vanguard instructions specifies FIDO2 but another set does not. I've logged in several times since using my old U2F keys and everything seems to be working correctly.
Diluted Waters
Posts: 262
Joined: Sun Sep 13, 2020 7:35 pm

Re: Vanguard: Upgrading Yubikeys

Post by Diluted Waters »

MrJedi wrote: Wed Aug 03, 2022 12:48 pm
Diluted Waters wrote: Tue Aug 02, 2022 8:16 pm
Fremdon Ferndock wrote: Tue Aug 02, 2022 7:27 pm I guess I just did this with a Mac running Chrome. Only I deleted my Yubi and then re-registered it from scratch. I presume this worked since I've not seen anything to the contrary. Now I have to enter the PIN for the Yubi each time I log on. I didn't have to do that before. Is that a feature of Fido2? If so, I don't like it. Don't see the point either, because you can just opt for a text code to log in, so if somebody doesn't know the Yubi PIN that is no deterrent.
I reregistered my Yubikey 5 NFCs from the link associated with the sign-on notice, but am puzzled by some reporting the need to now enter a PIN when signing on. I don't have to do that and I was not asked to supply a PIN when I re-registered. Any ideas why it's working differently for my keys than others?

-DW
Did you ever set a PIN on your Yubikey with the manager?
No. Didn’t know I could, or should. Few instructions came with the key. I also didn’t take the course in grad school.
MrJedi
Posts: 3540
Joined: Wed May 06, 2020 11:42 am

Re: Vanguard: Upgrading Yubikeys

Post by MrJedi »

Diluted Waters wrote: Fri Aug 26, 2022 9:52 am
MrJedi wrote: Wed Aug 03, 2022 12:48 pm
Diluted Waters wrote: Tue Aug 02, 2022 8:16 pm
Fremdon Ferndock wrote: Tue Aug 02, 2022 7:27 pm I guess I just did this with a Mac running Chrome. Only I deleted my Yubi and then re-registered it from scratch. I presume this worked since I've not seen anything to the contrary. Now I have to enter the PIN for the Yubi each time I log on. I didn't have to do that before. Is that a feature of Fido2? If so, I don't like it. Don't see the point either, because you can just opt for a text code to log in, so if somebody doesn't know the Yubi PIN that is no deterrent.
I reregistered my Yubikey 5 NFCs from the link associated with the sign-on notice, but am puzzled by some reporting the need to now enter a PIN when signing on. I don't have to do that and I was not asked to supply a PIN when I re-registered. Any ideas why it's working differently for my keys than others?

-DW
Did you ever set a PIN on your Yubikey with the manager?
No. Didn’t know I could, or should. Few instructions came with the key. I also didn’t take the course in grad school.
The PIN is a feature in the FIDO2 standard that Vanguard is moving toward. It is not inherently required by FIDO2; it is up to the site you are using it on to decide if they want a PIN or not.

This part is my conjecture: It seems Vanguard is doing something where if you have a PIN set on your key, then they want the PIN entered, but if you don't have a PIN set, then don't require it.

I would personally set a PIN even just to get in the habit of knowing what it is.
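MrJedi's point above, that the site rather than FIDO2 itself decides whether a PIN is demanded, corresponds to the WebAuthn `userVerification` request option and the UV flag the key returns in its authenticator data. An added example (not part of the thread and not Vanguard's code; `example.test`, the function names and the sample bytes are constructed assumptions) of a relying-party check in Node.js:

```javascript
// Added example: how a relying party (RP) requests and enforces WebAuthn
// user verification (UV). RP_ID and the sample bytes are constructed
// placeholders. Only the flag checks are shown; a real RP must also verify
// the assertion signature, the challenge and the origin.
const crypto = require('crypto');

const RP_ID = 'example.test'; // hypothetical relying party ID

// Flag bits in byte 32 of authenticatorData.
const FLAG_UP = 0x01; // user present: the key was touched
const FLAG_UV = 0x04; // user verified: the key checked a PIN or biometric

const UV_POLICIES = ['required', 'preferred', 'discouraged'];

// Options a site passes to navigator.credentials.get({ publicKey: ... }).
// 'required'    : the ceremony fails unless the key verifies the user
// 'preferred'   : verify the user if the key can, accept the login otherwise
// 'discouraged' : the site does not want verification performed
function buildRequestOptions(uvPolicy) {
  if (!UV_POLICIES.includes(uvPolicy)) {
    throw new Error('unknown userVerification value: ' + uvPolicy);
  }
  return {
    challenge: crypto.randomBytes(32),
    rpId: RP_ID,
    userVerification: uvPolicy,
    timeout: 60000,
  };
}

// authenticatorData = rpIdHash(32) || flags(1) || signCount(4, big-endian) || ...
function parseAuthenticatorData(buf) {
  if (!Buffer.isBuffer(buf) || buf.length < 37) {
    throw new Error('authenticatorData must be at least 37 bytes');
  }
  const flags = buf[32];
  return {
    rpIdHash: buf.subarray(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: buf.readUInt32BE(33),
  };
}

// Server-side decision for one login response under the chosen policy.
function checkAssertionFlags(authData, uvPolicy) {
  if (!UV_POLICIES.includes(uvPolicy)) {
    throw new Error('unknown userVerification value: ' + uvPolicy);
  }
  const parsed = parseAuthenticatorData(authData);
  const expected = crypto.createHash('sha256').update(RP_ID).digest();
  if (!crypto.timingSafeEqual(parsed.rpIdHash, expected)) {
    return { ok: false, reason: 'rpIdHash mismatch' };
  }
  if (!parsed.userPresent) {
    return { ok: false, reason: 'user presence flag not set' };
  }
  if (uvPolicy === 'required' && !parsed.userVerified) {
    return { ok: false, reason: 'user verification required but UV flag not set' };
  }
  // Under 'preferred' the login is accepted either way; the server can still
  // record whether a PIN was actually used for this session.
  return { ok: true, userVerified: parsed.userVerified, signCount: parsed.signCount };
}

// Constructed sample input: what a key would return for rpId with given flags.
function sampleAuthData(rpId, flags, signCount) {
  const tail = Buffer.alloc(5);
  tail[0] = flags;
  tail.writeUInt32BE(signCount, 1);
  return Buffer.concat([crypto.createHash('sha256').update(rpId).digest(), tail]);
}

const touchOnly = sampleAuthData(RP_ID, FLAG_UP, 7);           // no PIN entered
const touchAndPin = sampleAuthData(RP_ID, FLAG_UP | FLAG_UV, 8); // PIN entered

for (const policy of ['preferred', 'required']) {
  console.log(policy, 'touch only   ->', checkAssertionFlags(touchOnly, policy));
  console.log(policy, 'touch + PIN  ->', checkAssertionFlags(touchAndPin, policy));
}
```

A key with no PIN set, or a U2F-only key, can only produce the touch-only response, so it passes under `preferred` and fails under `required`.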
EHEngineer
Posts: 1085
Joined: Sat Feb 28, 2015 3:35 pm

Re: Vanguard: Upgrading Yubikeys

Post by EHEngineer »

PizzaEater wrote: Fri Aug 26, 2022 8:44 am
EHEngineer wrote: Thu Aug 25, 2022 12:10 pm
PizzaEater wrote: Fri Aug 05, 2022 8:44 am I was finally able to re-register my 2 Yubikeys using the de-register and register trick. But it was a multi-day process:

Wife's account: We were able to re-register the 2 Yubikeys no problem (without de-registering first). SMS is still disabled in account settings (though when logging in to her account there is a link that we could presumably use to send an SMS code if the Yubikey is unavailable - we haven't tried it).

My account: Yesterday, in order to de-register 1 of the 2 Yubikeys I re-enabled SMS authentication. Then I de-registered 1 Yubikey and then registered it. Then I went to de-register the 2nd Yubikey, and oops, now I can't access the "old" Yubikey interface. After some internet searching I finally found the URL and just pasted it directly into my browser (sorry I didn't save it...). This let me then de-register the 2nd key. Ok now to register it again... that worked. Next step go back and disable SMS, right? Well I did that, logged in again, and this time it didn't ask for a Yubikey - it just logged in and then immediately told me I need to enable SMS. So I did that. Now it tells me I have no Yubikeys registered. So I try to register key #1 and I get an error message that that key is already registered - even though Vanguard's site doesn't list any keys already registered. Logging out and logging back in it requires SMS authentication. I figured I confused the poor system and need to wait a day.

Today: Log in again (with SMS) and go to register Yubikey #1: success! Then register Yubikey #2: success! Logging back out and in again, I can use the Yubikey. Trying to turn off SMS: it won't let me! I figure the poor system is confused again so rather than mess up my account I'll wait until Monday to try to turn off SMS (while leaving the 2 Yubikeys enabled).
Were you able to remove SMS backup after you re-registered your two yubikeys?
Thanks for the reminder! Yes, I was able to disable SMS today. Logged out and back in again with my YubiKey. The "press the button on your YubiKey" webpage now has a "I've lost my YubiKey" link instead of the "send me an SMS code" link. I didn't try clicking it to see what would happen, though.
Thanks. I was able to disable SMS 2FA as soon as my second security key was registered, no waiting needed. I learned that zero or one security key requires SMS 2FA to be enabled, but 2, 3, or 4 security keys allows you to disable SMS 2FA.
Or, you can ... decline to let me, a stranger on the Internet, egg you on to an exercise in time-wasting, and you could say "I'm probably OK and I don't care about it that much." -Nisiprius
MrJedi
Posts: 3540
Joined: Wed May 06, 2020 11:42 am

Re: Vanguard: Upgrading Yubikeys

Post by MrJedi »

EHEngineer wrote: Fri Aug 26, 2022 2:16 pm
PizzaEater wrote: Fri Aug 26, 2022 8:44 am
EHEngineer wrote: Thu Aug 25, 2022 12:10 pm
PizzaEater wrote: Fri Aug 05, 2022 8:44 am I was finally able to re-register my 2 Yubikeys using the de-register and register trick. But it was a multi-day process:

Wife's account: We were able to re-register the 2 Yubikeys no problem (without de-registering first). SMS is still disabled in account settings (though when logging in to her account there is a link that we could presumably use to send an SMS code if the Yubikey is unavailable - we haven't tried it).

My account: Yesterday, in order to de-register 1 of the 2 Yubikeys I re-enabled SMS authentication. Then I de-registered 1 Yubikey and then registered it. Then I went to de-register the 2nd Yubikey, and oops, now I can't access the "old" Yubikey interface. After some internet searching I finally found the URL and just pasted it directly into my browser (sorry I didn't save it...). This let me then de-register the 2nd key. Ok now to register it again... that worked. Next step go back and disable SMS, right? Well I did that, logged in again, and this time it didn't ask for a Yubikey - it just logged in and then immediately told me I need to enable SMS. So I did that. Now it tells me I have no Yubikeys registered. So I try to register key #1 and I get an error message that that key is already registered - even though Vanguard's site doesn't list any keys already registered. Logging out and logging back in it requires SMS authentication. I figured I confused the poor system and need to wait a day.

Today: Log in again (with SMS) and go to register Yubikey #1: success! Then register Yubikey #2: success! Logging back out and in again, I can use the Yubikey. Trying to turn off SMS: it won't let me! I figure the poor system is confused again so rather than mess up my account I'll wait until Monday to try to turn off SMS (while leaving the 2 Yubikeys enabled).
Were you able to remove SMS backup after you re-registered your two yubikeys?
Thanks for the reminder! Yes, I was able to disable SMS today. Logged out and back in again with my YubiKey. The "press the button on your YubiKey" webpage now has a "I've lost my YubiKey" link instead of the "send me an SMS code" link. I didn't try clicking it to see what would happen, though.
Thanks. I was able to disable SMS 2FA as soon as my second security key was registered, no waiting needed. I learned that zero or one security key requires SMS 2FA to be enabled, but 2, 3, or 4 security keys allows you to disable SMS 2FA.
Beware. I haven't tested this in the past couple months, but at least as of a few months ago, if you removed SMS and then logged in via mobile browser or app, then you can just enter a new phone number for SMS and then basically bypass the key.

Many of us use a Google Voice number for SMS backup. And then within Google you can lock the number from third party porting (effectively stops SIM swap attack). Then you lock the Google account down with the hardware key to ensure your Google Voice is secured.

Edit: autocorrect typo
Last edited by MrJedi on Fri Aug 26, 2022 4:15 pm, edited 1 time in total.
EHEngineer
Posts: 1085
Joined: Sat Feb 28, 2015 3:35 pm

Re: Vanguard: Upgrading Yubikeys

Post by EHEngineer »

MrJedi wrote: Fri Aug 26, 2022 2:38 pm
EHEngineer wrote: Fri Aug 26, 2022 2:16 pm Thanks. I was able to disable SMS 2FA as soon as my second security key was registered, no waiting needed. I learned that zero or one security key requires SMS 2FA to be enabled, but 2, 3, or 4 security keys allows you to disable SMS 2FA.
Beware. I haven't tested this in the past couple months, but at least as of a few months ago, if you removed SMS and then logged in via mobile browser or app, then you can just enter a new phone number for SMS and then basically bypass the key.

Many of us use a Google Voice number for SMS backup. And then within Google you can lock the money from third party porting (effectively stops SIM swap attack). Then you lock the Google account down with the hardware key to ensure your Google Voice is secured.
I tested that and wrote about it here. I'd be interested to know if you can replicate what I found.
viewtopic.php?p=6842840#p6842840
Or, you can ... decline to let me, a stranger on the Internet, egg you on to an exercise in time-wasting, and you could say "I'm probably OK and I don't care about it that much." -Nisiprius
MrJedi
Posts: 3540
Joined: Wed May 06, 2020 11:42 am

Re: Vanguard: Upgrading Yubikeys

Post by MrJedi »

EHEngineer wrote: Fri Aug 26, 2022 2:42 pm
MrJedi wrote: Fri Aug 26, 2022 2:38 pm
EHEngineer wrote: Fri Aug 26, 2022 2:16 pm Thanks. I was able to disable SMS 2FA as soon as my second security key was registered, no waiting needed. I learned that zero or one security key requires SMS 2FA to be enabled, but 2, 3, or 4 security keys allows you to disable SMS 2FA.
Beware. I haven't tested this in the past couple months, but at least as of a few months ago, if you removed SMS and then logged in via mobile browser or app, then you can just enter a new phone number for SMS and then basically bypass the key.

Many of us use a Google Voice number for SMS backup. And then within Google you can lock the money from third party porting (effectively stops SIM swap attack). Then you lock the Google account down with the hardware key to ensure your Google Voice is secured.
I tested that and wrote about it here. I'd be interested to know if you can replicate what I found.
viewtopic.php?p=6842840#p6842840
Yes that is the process to get around the hardware key. All you need is username password and security questions. I don't consider security questions any more secure than a normal password. In fact they can be even less secure than a password if you use a "real" answer.
EHEngineer
Posts: 1085
Joined: Sat Feb 28, 2015 3:35 pm

Re: Vanguard: Upgrading Yubikeys

Post by EHEngineer »

MrJedi wrote: Fri Aug 26, 2022 2:53 pm
EHEngineer wrote: Fri Aug 26, 2022 2:42 pm
MrJedi wrote: Fri Aug 26, 2022 2:38 pm
EHEngineer wrote: Fri Aug 26, 2022 2:16 pm Thanks. I was able to disable SMS 2FA as soon as my second security key was registered, no waiting needed. I learned that zero or one security key requires SMS 2FA to be enabled, but 2, 3, or 4 security keys allows you to disable SMS 2FA.
Beware. I haven't tested this in the past couple months, but at least as of a few months ago, if you removed SMS and then logged in via mobile browser or app, then you can just enter a new phone number for SMS and then basically bypass the key.

Many of us use a Google Voice number for SMS backup. And then within Google you can lock the money from third party porting (effectively stops SIM swap attack). Then you lock the Google account down with the hardware key to ensure your Google Voice is secured.
I tested that and wrote about it here. I'd be interested to know if you can replicate what I found.
viewtopic.php?p=6842840#p6842840
Yes that is the process to get around the hardware key. All you need is username password and security questions. I don't consider security questions any more secure than a normal password. In fact they can be even less secure than a password if you use a "real" answer.
Thanks for the feedback. I have read all the Vanguard 2 factor threads that I can find, and didn't read anyone else say it requires username, password, AND a security question. But glad to know you have the same understanding. I do worry about Google accounts. Google can get difficult if you don't use an account much and can even re-assign your phone number if it goes unused for a year or so. Probably not much security risk with losing your GV number, but certainly an inconvenience. YMMV. I agree that security questions should be at least as complex as a password. Same with a username.

Thanks,
Ehen
Or, you can ... decline to let me, a stranger on the Internet, egg you on to an exercise in time-wasting, and you could say "I'm probably OK and I don't care about it that much." -Nisiprius