Every now and then Wired Magazine and Yubikey have a promotion. During the promotion, $5 gets you a year's subscription to Wired and a Yubikey.
absolute zero wrote: ↑Sun Sep 26, 2021 8:51 pm
Yeah I’ve half-considered it for a while too, but not yet pulled the trigger. I guess there’s a very small chance that a Yubikey could save my bacon, but
anon_investor wrote: ↑Sun Sep 26, 2021 8:42 pm
Good point, I also have a printout of the backup codes in my safe.
absolute zero wrote: ↑Sun Sep 26, 2021 8:39 pm
You may already be aware of this, but you can set things up such that if you lose your phone, you will face no issues with respect to the authenticator app. I have the exact same setup that you just described (SMS for Vanguard linked to GV number, Google account backed up by authenticator app). If I lost my phone, then I would go pull a piece of paper out of my safe that has long backup codes written on it (one for Gmail, one for PayPal, etc). These codes will allow me to get a new authenticator app "up and running" again. I can enter the Gmail code into my new phone's authenticator app (or my spouse's phone/app if I'm in a hurry to access my account before buying a new phone) and the app will start displaying the same 6-digit codes that it did before. I can then log in to Gmail with no issues.
anon_investor wrote: ↑Sun Sep 26, 2021 8:29 pm
Probably. To make my Vanguard account more secure, I am using a Google Voice number for 2FA. The Gmail account that number is tied to is secured by the Google Authenticator app. I am considering getting a Yubikey to secure the Gmail account AND Vanguard, so I have a way to immediately access both accounts in case I lose my phone.
cuda74360 wrote: ↑Sun Sep 26, 2021 8:01 pm
If SMS authentication is still required if you use a Yubikey, is it really worth buying the device and setting this up? Seems like a waste of money if it's that easy to bypass. I really wish Vanguard would give us an option to use TOTP like everyone else does.
This is one reason I have not spent any money on Yubikeys yet. Though if there is a good Black Friday sale, I might buy a couple of them.
really the only risk that it would eliminate is phishing.
Maybe I will feel paranoid enough to get a couple Yubikeys in a few years when my account balances are (hopefully) a little bigger.
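The "long backup code" absolute zero keeps on paper is the TOTP secret (RFC 6238): a base32 string that any authenticator app turns into the same rolling 6-digit codes, because the code is just HMAC-SHA1(secret, floor(time/30)) truncated. The following is an added example, not code from the thread or from Google Authenticator, showing why an old phone and a freshly provisioned one agree, and what the server-side check looks like. The seed is the RFC 6238 test key "12345678901234567890" in base32, constructed for the example; the 30-second step and one-step tolerance window are the common defaults, not a specific vendor's settings.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// DecodeSeed turns the base32 "backup code" an app shows at enrolment
// (the TOTP secret) into raw key bytes. Spaces and lowercase are
// tolerated because people copy these off paper.
func DecodeSeed(seed string) ([]byte, error) {
	s := strings.ToUpper(strings.ReplaceAll(seed, " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// HOTP is the RFC 4226 HMAC-SHA1 one-time password for a counter,
// with the RFC's dynamic truncation.
func HOTP(key []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is HOTP with counter = floor(unixTime / step) (RFC 6238).
func TOTP(key []byte, unix int64, step int64, digits int) string {
	return HOTP(key, uint64(unix/step), digits)
}

// ValidateTOTP is what the server does: accept the current 30 s step and
// one step either side to absorb clock drift. Note there is nothing in the
// code that ties it to the site it was typed into, so a phishing page that
// relays it within this window is accepted just like the real user.
func ValidateTOTP(key []byte, candidate string, unix int64) bool {
	for _, skew := range []int64{-30, 0, 30} {
		if hmac.Equal([]byte(TOTP(key, unix+skew, 30, 6)), []byte(candidate)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed seed: base32 of the RFC 6238 test key "12345678901234567890".
	const paperBackup = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"
	key, err := DecodeSeed(paperBackup)
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	// "Old phone" and "new phone" share nothing but the seed and the clock.
	oldPhone := TOTP(key, now, 30, 6)
	newPhone := TOTP(key, now, 30, 6)
	fmt.Println("old phone:", oldPhone, "new phone:", newPhone, "match:", oldPhone == newPhone)
	fmt.Println("server accepts new phone's code:", ValidateTOTP(key, newPhone, now))
}
```

The practical consequence for the paper copy: whoever holds that base32 string can mint valid codes indefinitely, so it is equivalent to the second factor itself, and re-enrolling (which rotates the secret) is the only way to revoke a copy you think has leaked.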
Yubikey only at Vanguard now possible.
Re: Yubikey only at Vanguard now possible.
The Yubikey site has a key selector app. Just work thru the questions and it will tell you what you need. I then bought mine on Amazon.
anon_investor wrote: ↑Sun Sep 26, 2021 8:37 pm
Which ones did you buy? I am wondering if the $25 blue one is good enough.
cowdogman wrote: ↑Sun Sep 26, 2021 8:35 pm
I got a couple Yubikeys because of this thread. Wish I had done so long ago. I use them everywhere now, including LastPass, LogIn.gov (for SSA and other things), my email and Vanguard.
cuda74360 wrote: ↑Sun Sep 26, 2021 8:01 pm
If SMS authentication is still required if you use a Yubikey, is it really worth buying the device and setting this up? Seems like a waste of money if it's that easy to bypass. I really wish Vanguard would give us an option to use TOTP like everyone else does.
- anon_investor
Re: Yubikey only at Vanguard now possible.
Thanks, it looks like the $24.50 blue colored key works for everything I need. I am going to wait for potential Black Friday deals. I am still on the fence if a Yubikey is even necessary, since I have already shifted my Vanguard 2FA to my Google Voice number, and my Google account is secured by Google Authenticator and backup codes (not SMS).
cowdogman wrote: ↑Mon Sep 27, 2021 9:20 am
The Yubikey site has a key selector app. Just work thru the questions and it will tell you what you need. I then bought mine on Amazon.
anon_investor wrote: ↑Sun Sep 26, 2021 8:37 pm
Which ones did you buy? I am wondering if the $25 blue one is good enough.
cowdogman wrote: ↑Sun Sep 26, 2021 8:35 pm
I got a couple Yubikeys because of this thread. Wish I had done so long ago. I use them everywhere now, including LastPass, LogIn.gov (for SSA and other things), my email and Vanguard.
cuda74360 wrote: ↑Sun Sep 26, 2021 8:01 pm
If SMS authentication is still required if you use a Yubikey, is it really worth buying the device and setting this up? Seems like a waste of money if it's that easy to bypass. I really wish Vanguard would give us an option to use TOTP like everyone else does.
Re: Yubikey only at Vanguard now possible.
I bought my Yubikeys directly from Yubico as someone here warned it was a possible security risk to go through an intermediary like Amazon. They claimed that it’s more secure to get them directly from the source. (I’m glad I did as I was able to apply a $10 coupon I found online that I could not have used through Amazon). Also Yubico advertises that they manufacture their keys only in the USA and Sweden, avoiding any Chinese manufacturers, something other key vendors don’t do.
Re: Yubikey only at Vanguard now possible.
FWIW the seller on Amazon is Yubico--Fulfilled by Amazon.
Nicolas wrote: ↑Mon Sep 27, 2021 6:51 pm
I bought my Yubikeys directly from Yubico as someone here warned it was a possible security risk to go through an intermediary like Amazon. They claimed that it’s more secure to get them directly from the source. (I’m glad I did as I was able to apply a $10 coupon I found online that I could not have used through Amazon). Also Yubico advertises that they manufacture their keys only in the USA and Sweden, avoiding any Chinese manufacturers, something other key vendors don’t do.
- anon_investor
Re: Yubikey only at Vanguard now possible.
That is funny, the Yubico website has a link to buy from Amazon...
Nicolas wrote: ↑Mon Sep 27, 2021 6:51 pm
I bought my Yubikeys directly from Yubico as someone here warned it was a possible security risk to go through an intermediary like Amazon. They claimed that it’s more secure to get them directly from the source. (I’m glad I did as I was able to apply a $10 coupon I found online that I could not have used through Amazon). Also Yubico advertises that they manufacture their keys only in the USA and Sweden, avoiding any Chinese manufacturers, something other key vendors don’t do.
Re: Yubikey only at Vanguard now possible.
Amazon is everywhere...but that's ok now that I heard that William Shatner is on the next Blue Origin flight. Space, the final frontier!
anon_investor wrote: ↑Mon Sep 27, 2021 8:13 pm
That is funny, the Yubico website has a link to buy from Amazon...
Nicolas wrote: ↑Mon Sep 27, 2021 6:51 pm
I bought my Yubikeys directly from Yubico as someone here warned it was a possible security risk to go through an intermediary like Amazon. They claimed that it’s more secure to get them directly from the source. (I’m glad I did as I was able to apply a $10 coupon I found online that I could not have used through Amazon). Also Yubico advertises that they manufacture their keys only in the USA and Sweden, avoiding any Chinese manufacturers, something other key vendors don’t do.
Re: Yubikey only at Vanguard now possible.
Does anyone know of any data about just how much using a hardware authentication device reduces your risk of having your account hacked? Companies that flog their devices like Yubikey naturally stress the worst case scenario, i.e. you lose all your money. It's not at all irrational to protect against a worst case outcome, but the expected case is relevant, too. My guess is that using a hardware authentication device reduces our risk of loss by comparison with other 2FA methods infinitesimally. I think the emphasis on such devices by end users like ourselves is an example of the endowment effect. We see the login process again and again and naturally overemphasize it as a source of risk, ignoring the invisible risks which are almost certainly greater, such as intrusion into the brokerage company's systems.
[Off topic troll removed by Moderator Misenplace.]
Re: Yubikey only at Vanguard now possible.
For many reasons, I think that data would be very difficult to produce.
You could possibly conduct a test, sending out fake phishing attempts, but since so few people actually own/use physical security keys, it would be difficult to know how many were thwarted for that reason alone.
I think that the expected case is a phishing attempt (most of the major hacks that you hear about are due to phishing). The main vulnerability with other two-factor authentication methods is that they don't protect against phishing attempts.
cbeck wrote: ↑Mon Sep 27, 2021 9:18 pm
Companies that flog their devices like yubikey naturally stress the worst case scenario, i.e. you lose all your money. It's not at all irrational to protect against a worst case outcome, but the expected case is relevant, too. My guess is that using a hardware authentication device reduces our risk of loss by comparison with other 2FA methods infinitesimally.
With properly implemented hardware-based two-factor authentication, the important takeaway is that an attacker would need to be in physical possession of the security key in order to gain access to the account.
Re: Yubikey only at Vanguard now possible.
I agree with Silence Dogood but I look at the security issue in a slightly different way.
Silence Dogood wrote: ↑Sat Oct 09, 2021 2:12 pm
For many reasons, I think that data would be very difficult to produce.
You could possibly conduct a test, sending out fake phishing attempts, but since so few people actually own/use physical security keys, it would be difficult to know how many were thwarted for that reason alone.
I think that the expected case is a phishing attempt (most of the major hacks that you hear about are due to phishing). The main vulnerability with other two-factor authentication methods is that they don't protect against phishing attempts.
cbeck wrote: ↑Mon Sep 27, 2021 9:18 pm
Companies that flog their devices like yubikey naturally stress the worst case scenario, i.e. you lose all your money. It's not at all irrational to protect against a worst case outcome, but the expected case is relevant, too. My guess is that using a hardware authentication device reduces our risk of loss by comparison with other 2FA methods infinitesimally.
With properly implemented hardware-based two-factor authentication, the important takeaway is that an attacker would need to be in physical possession of the security key in order to gain access to the account.
The internet is becoming a more dangerous and less secure place than it used to be. In a better world internet security would be increasing, but instead it's going the other way and the scale of hacks is becoming scarier.
So I want the most secure setup I can reasonably use*. So if there is an added security measure that doesn't cost much and is not a hassle to use, I'm going to use it even if the incremental security protection is minimal. (I may even upgrade to the new bio keys from Yubico.)
Plus I have found the use of a physical key to be less of a hassle than SMS or authenticators.
* Not using the internet is not reasonable--and I'm not sure it's even more secure--being able to monitor accounts in real time adds to security.
Re: Yubikey only at Vanguard now possible.
Google was only able to completely eliminate phishing attacks against their 85,000+ workforce by requiring hardware keys.
cbeck wrote: ↑Mon Sep 27, 2021 9:18 pm
Does anyone know of any data about just how much using a hardware authentication device reduces your risk of having your account hacked? Companies that flog their devices like yubikey naturally stress the worst case scenario, i.e. you lose all your money. It's not at all irrational to protect against a worst case outcome, but the expected case is relevant, too. My guess is that using a hardware authentication device reduces our risk of loss by comparison with other 2FA methods infinitesimally. I think the emphasis on such devices by endusers like ourselves is an example of the endowment effect. We see the login process again and again and naturally overemphasize it as a source of risk, ignoring the invisible risks which are almost certainly greater, such as intrusion into the brokerage company's systems.
[Off topic troll removed by Moderator Misenplace.]
https://krebsonsecurity.com/2018/07/goo ... -phishing/
Re: Yubikey only at Vanguard now possible.
Why put the code in a safe? Nobody knows what it's for. I have mine taped behind a cabinet door with a bunch of tuna recipes mixed in; it looks like the printer printed junk in the middle of a tuna salad. Nobody has a clue.
Re: Yubikey only at Vanguard now possible.
This reminds me of what my coworker told me in 1980 during the silver boom. He said he was going to buy a big brick of silver as an investment and then paint it some other color and use it as a doorstop. The ultimate security, hiding in plain sight. I don’t know if he ever followed through (and he’s dead now). It would’ve been a poor investment anyway, silver hit a peak then of $50/ounce (in 1980 dollars) and of course paid no dividends.
Re: Yubikey only at Vanguard now possible.
My important backups on the external USB drive are in the tampon box in the bathroom closet.
Nicolas wrote: ↑Sat Oct 09, 2021 4:32 pm
This reminds me of what my coworker told me in 1980 during the silver boom. He said he was going to buy a big brick of silver as an investment and then paint it some other color and use it as a doorstop. The ultimate security, hiding in plain sight. I don’t know if he ever followed through (and he’s dead now). It would’ve been a poor investment anyway, silver hit a peak then of $50/ounce (in 1980 dollars) and of course paid no dividends.
Re: Yubikey only at Vanguard now possible.
That's interesting. I don't worry about phishing attempts. If phishing is the risk then a yubikey protects me from stupidly reading out to a phisher the six-digit 2FA code that I received in my email? Do you feel the need to protect yourself from this particular attack?
Silence Dogood wrote: ↑Sat Oct 09, 2021 2:12 pm
For many reasons, I think that data would be very difficult to produce.
You could possibly conduct a test, sending out fake phishing attempts, but since so few people actually own/use physical security keys, it would be difficult to know how many were thwarted for that reason alone.
I think that the expected case is a phishing attempt (most of the major hacks that you hear about are due to phishing). The main vulnerability with other two-factor authentication methods is that they don't protect against phishing attempts.
cbeck wrote: ↑Mon Sep 27, 2021 9:18 pm
Companies that flog their devices like yubikey naturally stress the worst case scenario, i.e. you lose all your money. It's not at all irrational to protect against a worst case outcome, but the expected case is relevant, too. My guess is that using a hardware authentication device reduces our risk of loss by comparison with other 2FA methods infinitesimally.
With properly implemented hardware-based two-factor authentication, the important takeaway is that an attacker would need to be in physical possession of the security key in order to gain access to the account.
The downside of a yubikey type device is that now there is something else I would have to carry with me and can lose. Also, when I cross a border it can be demanded of me by the border police, which I may not legally be able to refuse. So, I lose deniability.
The security gain from yubikeys still looks infinitesimal to me.
Re: Yubikey only at Vanguard now possible.
In the absence of any data to support that claim how is that not faith-based reasoning?
Re: Yubikey only at Vanguard now possible.
That's an interesting article. However, notice that the only statistic cited is that since requiring Yubikeys they have had no successful phishing attacks against their employees. So, the number of such attacks went to zero. But how many were there before the Yubikeys? The article doesn't say. So, we don't know how much risk the Yubikeys eliminated. This is a good case of the dishonest use of statistics by the writer of that article.
HawkeyePierce wrote: ↑Sat Oct 09, 2021 3:33 pm
Google was only able to completely eliminate phishing attacks against their 85,000+ workforce by requiring hardware keys.
cbeck wrote: ↑Mon Sep 27, 2021 9:18 pm
Does anyone know of any data about just how much using a hardware authentication device reduces your risk of having your account hacked? Companies that flog their devices like yubikey naturally stress the worst case scenario, i.e. you lose all your money. It's not at all irrational to protect against a worst case outcome, but the expected case is relevant, too. My guess is that using a hardware authentication device reduces our risk of loss by comparison with other 2FA methods infinitesimally. I think the emphasis on such devices by endusers like ourselves is an example of the endowment effect. We see the login process again and again and naturally overemphasize it as a source of risk, ignoring the invisible risks which are almost certainly greater, such as intrusion into the brokerage company's systems.
[Off topic troll removed by Moderator Misenplace.]
https://krebsonsecurity.com/2018/07/goo ... -phishing/
But assuming that Google actually did have a significant pre-Yubikey problem, how is that relevant to you and me? Google employees are contacted by the public to do such things as unlock accounts, sometimes fraudulently. You and I are not fielding calls from untrusted persons. For instance, when I log in to ssa.gov, I get a 2FA code by email which together with my login ID and strong password admits me to my account. Where is the opportunity for some swindler to talk me into providing all my credentials? If I can't complete the login for some reason I might call tech support at ssa.gov. So, then I know at least that I am talking to a government employee since he didn't call me. But I am still not going to give him my credentials under any circumstances. So, I don't see the risk reduction from preventing myself from giving away my own credentials.
Re: Yubikey only at Vanguard now possible.
In the news this week was that Google is going to move 150 million accounts to mandatory 2FA:
https://www.theregister.com/2021/10/06/ ... ntication/
That's a start - and they chose accounts for which the second factor was already registered. I would expect Google intends to move everyone to it.
This seems like a good idea for security, except that I really don't wish to have to generate a 2nd factor code every time I check email. I can see how Google might like me to just stay logged in all day ... I don't want that. Even if it's just an extra click (assuming my key is inserted in a USB port), then I'm liable to wear the key or port out by having to plug it in and take it out multiple times a day as I come and go from my home office desk.
I would be fine with this if it were just for banking/investment sites. I don't quite log into those daily, and certainly not multiple times a day. But just email? Ugh. I hope not.
Re: Yubikey only at Vanguard now possible.
I would think Google will allow you to trust the device, just like others like Microsoft do.
Second Round wrote: ↑Sat Oct 09, 2021 8:28 pm
In the news this week was that Google is going to move 150 million accounts to mandatory 2FA:
https://www.theregister.com/2021/10/06/ ... ntication/
That's a start - and they chose accounts for which the second factor was already registered. I would expect Google intends to move everyone to it.
This seems like a good idea for security, except that I really don't wish to have to generate a 2nd factor code every time I check email. I can see how Google might like me to just stay logged in all day ... I don't want that. Even if it's just an extra click (assuming my key is inserted in a usb port), then I'm liable to wear the key or port out by having to plug it in and take it out multiple times of day as I come and go from my home office desk.
I would be fine with this if it were just for banking/investment sites. I don't quite log into those daily, and certainly not multiple times a day. But just email? Ugh. I hope not.
Re: Yubikey only at Vanguard now possible.
Maybe, maybe not. I often have to "enable less secure app access" to use an email client with Linux, rather than getting mail through a Google app or via their web browser. I'm inclined to view this as a self-serving scare tactic on their part rather than a fair assessment. Why should using a stored username + password combo on a desktop PC (doesn't leave the house; has user account password), connecting via ethernet, be considered less secure than an Android/Google phone that has those things remembered, DOES leave the house, connected by wifi or mobile data, and is protected by a lock screen handful of digits?
Here's what they have on the "security checkup" if I log into my Google account:
1 Recommendation
Turn off less secure app access
Your account is vulnerable to malicious activity because you’re allowing apps & devices that use less secure sign-in technology to access your account. You should turn off this type of access. Google will automatically turn this setting OFF if it’s not being used. Learn more
Re: Yubikey only at Vanguard now possible.
I think it's safe to assume, and reasonable to infer, that Google had a significant pre-yubikey problem, and that is why they required the use of security keys. And it's relevant because it's safe to assume that Google employees are among the most sophisticated tech users, and yet they were vulnerable to phishing, so the average person is much more likely to be a victim, and security keys eliminate that threat.
Security keys also eliminate the threat of being tricked by a spoofed website because the security key will not validate a fake site.
Security keys also eliminate the threat of a man-in-the-middle attack.
Security keys do not require access to phone service (as does SMS codes).
Security keys do not have batteries and do not lose power (as does smartphones which would prevent access to SMS and Authenticator codes).
I also find them to be very convenient... once your device is recognized then you can automatically log in, and even in those cases where you need to use the security key for authentication, you just touch it and you're in... no more looking for your phone and opening the right app to get a code and then typing in the code and hoping you did not make a mistake.
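The mechanism behind mptfan's "the security key will not validate a fake site" and Silence Dogood's "an attacker would need physical possession of the key" is origin binding in FIDO2/WebAuthn: the browser, not the web page, writes the page's real origin into the client data, derives the RP ID from that origin, and the key's signature covers both, so a look-alike site that relays the genuine challenge gets an assertion the real site rejects. The following is an added example, not Vanguard's, Yubico's or any browser's code: it models the authenticator, the browser's contribution and the relying party's check with the WebAuthn authenticator data cut down to just the RP ID hash (no flags, counter or attestation). The domain names, the challenge value and the P-256 key are all hypothetical and constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Hypothetical relying party; not any real broker's RP ID or origin.
const (
	realRPID   = "broker.example"
	realOrigin = "https://broker.example"
)

// clientData is built by the browser, not the page, for navigator.credentials.get():
// it records the origin the user is actually on.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what comes back from the key. AuthData is only the 32-byte
// rpIdHash here; real WebAuthn appends flags and a signature counter.
type assertion struct {
	AuthData   []byte
	ClientJSON []byte
	Sig        []byte // ASN.1 ECDSA over SHA256(authData || SHA256(clientJSON))
}

// Authenticator holds the private key; it never leaves the device.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: k}, nil
}

// Sign models the key producing an assertion. origin and rpID come from the
// browser: a page can only request an RP ID that is its own domain or a
// registrable suffix of it, so a phishing page cannot claim realRPID.
func (a *Authenticator) Sign(origin, rpID, challenge string) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256(cd)
	toSign := sha256.Sum256(append(append([]byte{}, rpHash[:]...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, toSign[:])
	return assertion{AuthData: rpHash[:], ClientJSON: cd, Sig: sig}, err
}

// Verify is the relying party's check (WebAuthn §7.2, abbreviated): ceremony
// type, challenge, origin and rpIdHash must all match before the signature
// is even consulted. It returns the reason so a caller can see which fence
// a relayed assertion hits.
func Verify(pub *ecdsa.PublicKey, a assertion, expectedChallenge string) (bool, string) {
	var cd clientData
	if err := json.Unmarshal(a.ClientJSON, &cd); err != nil {
		return false, "bad clientData"
	}
	if cd.Type != "webauthn.get" {
		return false, "wrong ceremony type"
	}
	if cd.Challenge != expectedChallenge {
		return false, "challenge mismatch (replay)"
	}
	if cd.Origin != realOrigin {
		return false, "origin mismatch: " + cd.Origin
	}
	want := sha256.Sum256([]byte(realRPID))
	if len(a.AuthData) < 32 || !bytes.Equal(a.AuthData[:32], want[:]) {
		return false, "rpIdHash mismatch"
	}
	cdHash := sha256.Sum256(a.ClientJSON)
	toVerify := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, toVerify[:], a.Sig) {
		return false, "bad signature"
	}
	return true, "ok"
}

// LoginAttempt runs one ceremony: the user's browser is on pageOrigin with RP
// ID pageRPID, and the resulting assertion is presented to the real RP.
func LoginAttempt(auth *Authenticator, pageOrigin, pageRPID string) (bool, string, error) {
	const challenge = "Y2hhbGxlbmdlLWNvbnN0cnVjdGVk" // constructed; a real RP generates it fresh
	a, err := auth.Sign(pageOrigin, pageRPID, challenge)
	if err != nil {
		return false, "", err
	}
	ok, why := Verify(&auth.priv.PublicKey, a, challenge)
	return ok, why, nil
}

func main() {
	auth, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	ok, why, _ := LoginAttempt(auth, realOrigin, realRPID)
	fmt.Println("real site:    ", ok, why)
	// Phishing: the user followed an e-mail link to a look-alike that relays
	// the real challenge. The browser records the look-alike's origin and RP
	// ID, so the real RP refuses the assertion (a real key would usually not
	// sign at all, having no credential registered for that RP ID).
	ok, why, _ = LoginAttempt(auth, "https://broker-login.example", "broker-login.example")
	fmt.Println("phishing site:", ok, why)
}
```

Contrast this with a TOTP or SMS code, which carries no origin at all: the same relay that fails here succeeds there, which is the difference the Google deployment cited later in the thread was exploiting.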
Re: Yubikey only at Vanguard now possible.
A mobile phone is far more secure than a PC.
Second Round wrote: ↑Sat Oct 09, 2021 9:02 pm
Maybe, maybe not. I often have to "enable less secure app access" to use an email client with Linux, rather than getting mail through a Google app or via their web browser. I'm inclined to view this as a self-serving scare tactic on their part rather than a fair assessment. Why should using a stored username + password combo on a desktop PC (doesn't leave the house; has user account password), connecting via ethernet, be considered less secure than an Android/Google phone that has those things remembered, DOES leave the house, connected by wifi or mobile data, and is protected by a lock screen handful of digits?
Here's what they have on the "security checkup" if I log into my Google account:
1 Recommendation
Turn off less secure app access
Your account is vulnerable to malicious activity because you’re allowing apps & devices that use less secure sign-in technology to access your account. You should turn off this type of access. Google will automatically turn this setting OFF if it’s not being used. Learn more
Google only requires you to redo 2FA every 30 days.
Re: Yubikey only at Vanguard now possible.
Well, that's clearly the inference that the writer of that article intended us to draw, but without supporting data, it's just another vacuous opinion.
mptfan wrote: ↑Sat Oct 09, 2021 10:00 pm
I think it's safe to assume, and reasonable to infer, that Google had a significant pre-yubikey problem, and that is why they required the use of security keys. And it's relevant because it's safe to assume that Google employees are among the most sophisticated tech users, and yet they were vulnerable to phishing, so the average person is much more likely to be a victim, and security keys eliminate that threat.
Security keys also eliminate the threat of being tricked by a spoofed website because the security key will not validate a fake site.
Security keys also eliminate the threat of a man-in-the-middle attack.
Security keys do not require access to phone service (as does SMS codes).
Security keys do not have batteries and do not lose power (as does smartphones which would prevent access to SMS and Authenticator codes).
I also find them to be very convenient... once your device is recognized then you can automatically log in, and even in those cases where you need to use the security key for authentication, you just touch it and you're in... no more looking for your phone and opening the right app to get a code and then typing in the code and hoping you did not make a mistake.
Nor do I find evidence to support the claims you are making at least in a quick search. Lists of best practices to protect against MITM attacks don't mention yubikey-type devices. Neither do recommendations against spoofing, although they do recommend generic 2FA.
So, I don't see the benefit.
Re: Yubikey only at Vanguard now possible.
I worked for a different sophisticated tech firm. I worked with some of the smartest people I knew. Our security people used to occasionally intentionally phish the employee population as a little test and training exercise. Routinely, 20% or so of the population bought the phish.
mptfan wrote: ↑Sat Oct 09, 2021 10:00 pm
I think it's safe to assume, and reasonable to infer, that Google had a significant pre-yubikey problem, and that is why they required the use of security keys. And it's relevant because it's safe to assume that Google employees are among the most sophisticated tech users, and yet they were vulnerable to phishing, so the average person is much more likely to be a victim, and security keys eliminate that threat.
Re: Yubikey only at Vanguard now possible.
Are you under the impression that a successful phishing attack requires you to speak to someone over the phone?
cbeck wrote: ↑Sat Oct 09, 2021 6:13 pm
You and I are not fielding calls from untrusted persons. For instance, when I login to ssa.gov, I get a 2FA code by email which together with my loginid and strong password admits me to my account. Where is the opportunity for some swindler to talk me into providing all my credentials? If I can't complete the login for some reason I might call tech support at ssa.gov. So, then I know at least that I am talking to a government employee since he didn't call me. But I am still not going to give him my credentials under any circumstances. So, I don't see the risk reduction from preventing myself from giving away my own credentials.
Re: Yubikey only at Vanguard now possible.
That's pretty much the opposite of my understanding.
How hard is it to lose a desktop PC?
How strong are lock screen passwords on phones versus user account passwords on PCs?
How many times have malicious apps been discovered in one app store or another? Or apps that take great liberty with permissions (from mic and camera to GPS, clipboard, and address book)
Are not phones by nature subject to wifi sniffing and bluetooth vulnerabilities? [Laptops are too of course, but not necessarily desktop PCs using ethernet]
User control of background processes (or even knowledge of them)?
On average, I really don't think it's a contest either, but I think it goes the other way. But there is no doubt some overlap - some may be able to lock down their phone well and others may run their PCs as passwordless root all the time. But that's not the typical case.
I'm curious - what features on a desktop PC do you think are less secure than a phone?
Re: Yubikey only at Vanguard now possible.
Phones are encrypted usually with a dedicated encryption module, can be tracked and remotely locked or wiped, can take video/photo and audio of their surroundings, and can require 2 factor to login.
Desktop PCs frequently do very few of these on the assumption that they are not going to be stolen... Sometimes they are configured not to require a password at all.
Your typical phone is likely much more secure than the typical PC given physical access.
Re: Yubikey only at Vanguard now possible.
I have not offered vacuous opinions, I have researched this issue extensively and have done much more than just a "quick search," and all of the things I wrote are true and backed up by data and expert opinion.
cbeck wrote: ↑Sat Oct 09, 2021 11:59 pm
Well, that's clearly the inference that the writer of that article intended us to draw, but without supporting data, it's just another vacuous opinion.
Nor do I find evidence to support the claims you are making at least in a quick search. Lists of best practices to protect against MITM attacks don't mention yubikey-type devices. Neither do recommendations against spoofing, although they do recommend generic 2FA.
So, I don't see the benefit.
Re: Yubikey only at Vanguard now possible.
Have you bought a yubikey to prevent yourself from logging into your money account via a link in an email?
Silence Dogood wrote: ↑Sun Oct 10, 2021 9:34 am
Are you under the impression that a successful phishing attack requires you to speak to someone over the phone?
cbeck wrote: ↑Sat Oct 09, 2021 6:13 pm
You and I are not fielding calls from untrusted persons. For instance, when I login to ssa.gov, I get a 2FA code by email which together with my loginid and strong password admits me to my account. Where is the opportunity for some swindler to talk me into providing all my credentials? If I can't complete the login for some reason I might call tech support at ssa.gov. So, then I know at least that I am talking to a government employee since he didn't call me. But I am still not going to give him my credentials under any circumstances. So, I don't see the risk reduction from preventing myself from giving away my own credentials.
Re: Yubikey only at Vanguard now possible.
Probably the same percentage of smart end users who still have easily crackable passwords. That doesn't include you, though, does it?
Tubes wrote: ↑Sun Oct 10, 2021 6:43 am I worked for a different sophisticated tech firm. I worked with some of the smartest people I knew. Our security people used to occasionally intentionally phish the employee population as a little test and training exercise. Routinely, 20% or so of the population bought the phish.
mptfan wrote: ↑Sat Oct 09, 2021 10:00 pm I think it's safe to assume, and reasonable to infer, that Google had a significant pre-yubikey problem, and that is why they required the use of security keys. And it's relevant because it's safe to assume that Google employees are among the most sophisticated tech users, and yet they were vulnerable to phishing, so the average person is much more likely to be a victim, and security keys eliminate that threat.
Re: Yubikey only at Vanguard now possible.
"Are you still upset about the button covers?"
As I wrote earlier in this thread:
Silence Dogood wrote: ↑Wed Jul 14, 2021 8:13 pm Hardware-based two-factor authentication is significantly more secure than SMS-based two-factor authentication. In order to successfully access your account, an attacker would need to have physical possession of your security key. That is not the case for SMS (phishing, SIM-swap, MITM).
(It's also more convenient than SMS - no fussing with codes.)
It stinks that it's yet another cost (purchasing a few Yubikeys), but I just consider it to be an unfortunate reality of the world that we live in. It would be nice if door locks weren't necessary either (and compared to a typical door lock, a Yubikey is like Fort Knox).
- anon_investor
Re: Yubikey only at Vanguard now possible.
Does the new Vanguard mobile app still basically bypass Yubikey authentication?
I am waiting for a Black Friday deal on Yubikeys before I buy anything, but if the mobile app basically doesn't require Yubikey, then really what is the point?
Re: Yubikey only at Vanguard now possible.
How can a hacker use a mobile app to get into one’s account?
anon_investor wrote: ↑Mon Oct 11, 2021 8:22 am Does the new Vanguard mobile app still basically bypass Yubikey authentication?
I am waiting for a Black Friday deal on Yubikeys before I buy anything, but if the mobile app basically doesn't require Yubikey, then really what is the point?
For my phone, he would need my face or my code.
For my phone number for 2FA, I use a Google Voice number which sometimes works and sometimes does not. Since I mostly use a computer with a Yubikey, I never use 2FA.
Re: Yubikey only at Vanguard now possible.
All my iOS apps let me bypass the yubikey by default if FaceID is enabled. It's possible on Vanguard to disable faceID and require a password and yubikey with every login. Perhaps some would find it ideal to allow faceID but still require a yubikey.
hudson wrote: ↑Mon Oct 11, 2021 8:51 am How can a hacker use a mobile app to get into one’s account?
anon_investor wrote: ↑Mon Oct 11, 2021 8:22 am Does the new Vanguard mobile app still basically bypass Yubikey authentication?
I am waiting for a Black Friday deal on Yubikeys before I buy anything, but if the mobile app basically doesn't require Yubikey, then really what is the point?
For my phone, he would need my face or my code.
For my phone number for 2FA, I use a Google Voice number which sometimes works and sometimes does not. Since I mostly use a computer with a Yubikey, I never use 2FA.
I think it comes down to what you're protecting against. If it's online phishing schemes, faceID seems like it would prevent those. If you're protecting against a mugger stealing your phone, restraining you, and logging in with your face...maybe a yubikey or memorized password would help. My guess is if that extremely unlikely event got that far, you'd be persuaded to log in yourself. If you want utmost security, I'd only access financial accounts from a home computer with a yubikey.
- anon_investor
Re: Yubikey only at Vanguard now possible.
hudson wrote: ↑Mon Oct 11, 2021 8:51 am How can a hacker use a mobile app to get into one’s account?
For my phone, he would need my face or my code.
For my phone number for 2FA, I use a Google Voice number which sometimes works and sometimes does not. Since I mostly use a computer with a Yubikey, I never use 2FA.
This issue is a non-issue if only a secured Google Voice number is used for 2FA (I have this in place), instead of a cell phone. At least with the prior iterations of the Vanguard mobile app, someone trying to access your vanguard account with user name/password (for example stolen via phishing scam, etc.) on an unrecognized mobile device would be prompted with only the SMS 2FA (even if the account was secured by a Yubikey). This has nothing to do with how you would secure your own Vanguard mobile app via biometrics (finger print or faceID).
TJat wrote: ↑Mon Oct 11, 2021 9:26 am All my iOS apps let me bypass the yubikey by default if FaceID is enabled. It's possible on Vanguard to disable faceID and require a password and yubikey with every login. Perhaps some would find it ideal to allow faceID but still require a yubikey.
I think it comes down to what you're protecting against. If it's online phishing schemes, faceID seems like it would prevent those. If you're protecting against a mugger stealing your phone, restraining you, and logging in with your face...maybe a yubikey or memorized password would help. My guess is if that extremely unlikely event got that far, you'd be persuaded to log in yourself. If you want utmost security, I'd only access financial accounts from a home computer with a yubikey.
This "bug" of defaulting to SMS 2FA for the Vanguard mobile app essentially renders the protection of Yubikey irrelevant. I know that the Vanguard mobile app (at least on Android) has been recently updated to a new UI; I am wondering if it works the same way.
Re: Yubikey only at Vanguard now possible.
Not true. It's true that defaulting to SMS does significantly weaken the protection, but it's not irrelevant because a security key still protects you from logging in to a fake site.
anon_investor wrote: ↑Mon Oct 11, 2021 9:54 am This "bug" of defaulting to SMS 2FA for the Vanguard mobile app essentially renders the protection of Yubikey irrelevant.
- anon_investor
Re: Yubikey only at Vanguard now possible.
I guess there is that, but it seems like incomplete protection, like locking your front door with a deadbolt but only using a flimsy door knob lock on your backdoor...
mptfan wrote: ↑Mon Oct 11, 2021 2:18 pm Not true. It's true that defaulting to SMS does significantly weaken the protection, but it's not irrelevant because a security key still protects you from logging in to a fake site.
anon_investor wrote: ↑Mon Oct 11, 2021 9:54 am This "bug" of defaulting to SMS 2FA for the Vanguard mobile app essentially renders the protection of Yubikey irrelevant.
Re: Yubikey only at Vanguard now possible.
Is a Yubikey significantly more secure than using something like Google Authenticator?
I typically use Super Strong Password (generated by Lastpass) + Google Authenticator on any site that allows it.
Re: Yubikey only at Vanguard now possible.
It protects against a man in the middle attack. For instance, you click on a vanguard link in your email that brings you to a fake but realistic looking vanguard page. Type in your credentials (script types it in at vanguard), fake site asks for google code, vanguard asks phisher for google code. You type it in, they automatically type it in and voila, are logged in.
That’s considered impossible to happen with a security key.
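The relay described in the post above, worked through in code. This is an added example written for this page; it is not code from the thread, from Vanguard or from Yubico. It uses only Go's standard library, and the RP ID `vanguard.com`, the two origins, the challenge string and the TOTP secret are constructed placeholders; the authenticator, browser and server are toy models of the WebAuthn (FIDO2) assertion ceremony, not a real implementation. What it shows: a TOTP code is just six digits with nothing in them about where they were typed, so the fake page's script forwards the code and the real site accepts it. A security key's response is a signature over clientDataJSON, into which the browser (not the page) writes the origin the user is actually on, together with a hash of the RP ID. The real site therefore rejects the relayed response on the origin check, and rejects it again on the signature check if the phisher edits the origin before forwarding. In a real browser the call is refused even earlier, because the phishing host is not within the RP ID; the server-side check is the backstop shown here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// totp: 6-digit RFC 6238 code (HMAC-SHA1) for one 30-second step, i.e. what an authenticator
// app shows. Nothing in the code records which site the user is typing it into.
func totp(secret []byte, step uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], step)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(h[off:off+4])&0x7fffffff)%1000000)
}

// clientData is built by the browser, not by the web page, during a WebAuthn assertion.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the security key hands back: authenticatorData, clientDataJSON, DER signature.
type assertion struct {
	authData   []byte // sha256(rpID) || flags || signCount
	clientJSON []byte
	sig        []byte
}

// signedDigest is what the key actually signs: authData || sha256(clientDataJSON).
func signedDigest(authData, clientJSON []byte) []byte {
	cdHash := sha256.Sum256(clientJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// securityKey models the FIDO authenticator (toy model, constructed for this example).
type securityKey struct{ priv *ecdsa.PrivateKey }

// sign: browserOrigin is the page the user is really on; the page cannot override it, and the signature covers it.
func (k *securityKey) sign(rpID, browserOrigin, challenge string) (assertion, error) {
	cd, _ := json.Marshal(clientData{"webauthn.get", challenge, browserOrigin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; signCount 1
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, signedDigest(authData, cd))
	return assertion{authData, cd, sig}, err
}

// relyingParty is the real site; verify runs the checks that make a relayed assertion worthless.
type relyingParty struct {
	rpID, origin string
	pub          *ecdsa.PublicKey
}

func (rp relyingParty) verify(a assertion, challenge string) (bool, string) {
	var cd clientData
	if json.Unmarshal(a.clientJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return false, "malformed clientData or stale challenge"
	}
	if cd.Origin != rp.origin {
		return false, "origin mismatch: key was used on " + cd.Origin
	}
	if want := sha256.Sum256([]byte(rp.rpID)); len(a.authData) < 32 || !bytes.Equal(a.authData[:32], want[:]) {
		return false, "rpIdHash mismatch"
	}
	if !ecdsa.VerifyASN1(rp.pub, signedDigest(a.authData, a.clientJSON), a.sig) {
		return false, "bad signature"
	}
	return true, "ok"
}

// outcome of four logins: genuine, TOTP relayed, FIDO relayed, FIDO relayed with origin rewritten.
type outcome struct{ Legit, TOTPRelay, FIDORelay, FIDOTampered bool }

func runScenario() (outcome, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return outcome{}, err
	}
	key := &securityKey{priv}
	rp := relyingParty{rpID: "vanguard.com", origin: "https://investor.vanguard.com", pub: &priv.PublicKey} // constructed
	challenge := "Y29uc3RydWN0ZWQtY2hhbGxlbmdl" // constructed; a real site draws a fresh random one per login
	// 1. Genuine login: the browser is on the real origin.
	a, _ := key.sign(rp.rpID, rp.origin, challenge)
	legit, _ := rp.verify(a, challenge)
	// 2. TOTP relay: victim types the app's code into the fake page, whose script forwards it;
	//    the real site accepts any correct code for the current step.
	secret, step := []byte("constructed-shared-secret"), uint64(54321)
	victimTyped := totp(secret, step)
	totpRelay := victimTyped == totp(secret, step)
	// 3. FIDO relay: the fake page forwards the real challenge, but the browser stamps the fake
	//    page's origin into clientData. (A real browser refuses the call outright, as vanguard.com
	//    is not a suffix of the phishing host; the server-side check is shown here regardless.)
	b, _ := key.sign(rp.rpID, "https://vanguard-login.example", challenge)
	fidoRelay, _ := rp.verify(b, challenge)
	// 4. Phisher rewrites origin before forwarding: the signature no longer covers the bytes sent.
	b.clientJSON, _ = json.Marshal(clientData{"webauthn.get", challenge, rp.origin})
	fidoTampered, _ := rp.verify(b, challenge)
	return outcome{legit, totpRelay, fidoRelay, fidoTampered}, nil
}
```

runScenario returns four booleans: the genuine login and the TOTP relay succeed, the relayed and the tampered FIDO assertions fail. This origin binding is also why a key still buys something when SMS stays enabled as a fallback: it closes the link-in-an-email path, though not the SIM-swap path discussed later in the thread.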
- anon_investor
Re: Yubikey only at Vanguard now possible.
What about one of those apps that only work when the website pings the app and you have to acknowledge the attempted login.
TJat wrote: ↑Mon Oct 11, 2021 6:28 pm It protects against a man in the middle attack. For instance, you click on a vanguard link in your email that brings you to a fake but realistic looking vanguard page. Type in your credentials (script types it in at vanguard), fake site asks for google code, vanguard asks phisher for google code. You type it in, they automatically type it in and voila, are logged in.
That’s considered impossible to happen with a security key.
Re: Yubikey only at Vanguard now possible.
Phones—at least any modern Android or iPhone—are fully encrypted. Losing the device does not risk your data.
Second Round wrote: ↑Sun Oct 10, 2021 10:34 am That's pretty much the opposite of my understanding.
How hard is it to lose a desktop PC?
How strong are lock screen passwords on phones versus user account passwords on PCs?
How many times have malicious apps been discovered in one app store or another? Or apps that take great liberty with permissions (from mic and camera to GPS, clipboard, and address book)
Are not phones by nature subject to wifi sniffing and bluetooth vulnerabilities? [Laptops are too of course, but not necessarily desktop PCs using ethernet]
User control of background processes (or even knowledge of them)?
On average, I really don't think it's a contest either, but I think it goes the other way. But there is no doubt some overlap - some may be able to lock down their phone well and others may run their PCs as passwordless root all the time. But that's not the typical case.
I'm curious - what features on a desktop PC do you think are less secure than a phone?
Cracking an iOS passcode is nearly impossible unless you have NSA-level resources.
Apps abusing device privileges does not risk your data in another app.
Wifi sniffing doesn't matter, the connection between your app and Vanguard is encrypted end-to-end.
As for PCs...
Windows does not encrypt disks by default. Apple only started doing so a few years ago.
PC browsers are generally less secure than mobile browsers, due to the shady nature of browser extensions.
Application sandboxing is far, far weaker in either Windows or Mac OS than either Android or iOS, though improvements have been made.
- cflannagan
Re: Yubikey only at Vanguard now possible.
I know you're strictly comparing phones and PCs but phones also are at risk of a sim-swapping hack https://en.wikipedia.org/wiki/SIM_swap_scam
HawkeyePierce wrote: ↑Mon Oct 11, 2021 6:47 pm Phones—at least any modern Android or iPhone—are fully encrypted. Losing the device does not risk your data.
Cracking an iOS passcode is nearly impossible unless you have NSA-level resources.
Apps abusing device privileges does not risk your data in another app.
Wifi sniffing doesn't matter, the connection between your app and Vanguard is encrypted end-to-end.
If a person is targeted by sim-swapping hack, Yubikey would be useless for accounts where 2FA with Yubikey is enabled, but 2FA with SMS cannot be disabled.
-
Re: Yubikey only at Vanguard now possible.
That is true, but has nothing to do with the security of the phone. Nothing on the device is at risk due to sim swapping.
cflannagan wrote: ↑Mon Oct 11, 2021 7:00 pm I know you're strictly comparing phones and PCs but phones also are at risk of a sim-swapping hack https://en.wikipedia.org/wiki/SIM_swap_scam
HawkeyePierce wrote: ↑Mon Oct 11, 2021 6:47 pm Phones—at least any modern Android or iPhone—are fully encrypted. Losing the device does not risk your data.
Cracking an iOS passcode is nearly impossible unless you have NSA-level resources.
Apps abusing device privileges does not risk your data in another app.
Wifi sniffing doesn't matter, the connection between your app and Vanguard is encrypted end-to-end.
If a person is targeted by sim-swapping hack, Yubikey would be useless for accounts where 2FA with Yubikey is enabled, but 2FA with SMS cannot be disabled.
Re: Yubikey only at Vanguard now possible.
I tried to disable SMS at Vanguard after installing 2 Yubikeys but was not able to. In addition to several IRAs and a taxable account I have a Vanguard linked 401k. Unfortunately I was told any account with a linked non-retail account such as a 401K cannot disable SMS.
Gary
- anon_investor
Re: Yubikey only at Vanguard now possible.
Does anyone know if this new USB C Yubikey works with Vanguard?
Yubico FIDO Security Key C NFC:
https://www.amazon.com/dp/B09HJBL6F3
Re: Yubikey only at Vanguard now possible.
It does. I have that one and the nano usb. To my knowledge, the only modern yubikey that vanguard does not support is the 5CI. They claim it’s because that is a “mobile” key.
anon_investor wrote: ↑Sat Nov 06, 2021 7:36 am Does anyone know if this new USB C Yubikey works with Vanguard?
Yubico FIDO Security Key C NFC:
https://www.amazon.com/dp/B09HJBL6F3