Yubikey only at Vanguard now possible.

anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

TJat wrote: Sat Nov 06, 2021 7:58 am
anon_investor wrote: Sat Nov 06, 2021 7:36 am Does anyone know if this new USB C Yubikey works with Vanguard?

Yubico FIDO Security Key C NFC:
https://www.amazon.com/dp/B09HJBL6F3
It does. I have that one and the nano usb. To my knowledge, the only modern yubikey that vanguard does not support is the 5CI. They claim it’s because that is a “mobile” key.
Cool thanks, USB C is the future! I wonder if there will be any Cyber Monday sales on this or other Yubikeys.
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

Silence Dogood wrote: Tue Aug 24, 2021 6:48 pm Allow all clients to disable SMS after registering their security keys.

Some of us (including myself) are able to do this now.

As I noted earlier in this thread, I think it would be smart for Vanguard to require at least two security keys to be registered before allowing SMS to be disabled.
Are those who previously weren't allowed to disable SMS able to now?
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

Silence Dogood wrote: Sun Dec 05, 2021 6:32 pm
Silence Dogood wrote: Tue Aug 24, 2021 6:48 pm Allow all clients to disable SMS after registering their security keys.

Some of us (including myself) are able to do this now.

As I noted earlier in this thread, I think it would be smart for Vanguard to require at least two security keys to be registered before allowing SMS to be disabled.
Are those who previously weren't allowed to disable SMS able to now?
I didn't try it, but when I registered my Yubikey last week Vanguard had a message on the screen saying you had to have 2 security keys registered in order to disable SMS 2FA.
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

anon_investor wrote: Sun Dec 05, 2021 7:05 pm
Silence Dogood wrote: Sun Dec 05, 2021 6:32 pm
Silence Dogood wrote: Tue Aug 24, 2021 6:48 pm Allow all clients to disable SMS after registering their security keys.

Some of us (including myself) are able to do this now.

As I noted earlier in this thread, I think it would be smart for Vanguard to require at least two security keys to be registered before allowing SMS to be disabled.
Are those who previously weren't allowed to disable SMS able to now?
I didn't try it, but when I registered my Yubikey last week Vanguard had a message on the screen saying you had to have 2 security keys registered in order to disable SMS 2FA.
Thanks for reporting back, anon_investor.

If true, then it looks like Vanguard took my advice (I have made them aware of my suggestions).

However, unfortunately, I've heard back from another Boglehead (via private message) who reports that he's still not allowed to disable SMS.
saver1
Posts: 336
Joined: Wed Oct 12, 2016 8:33 pm

Re: Yubikey only at Vanguard now possible.

Post by saver1 »

Silence Dogood wrote: Mon Dec 20, 2021 8:04 pm
anon_investor wrote: Sun Dec 05, 2021 7:05 pm
Silence Dogood wrote: Sun Dec 05, 2021 6:32 pm
Silence Dogood wrote: Tue Aug 24, 2021 6:48 pm Allow all clients to disable SMS after registering their security keys.

Some of us (including myself) are able to do this now.

As I noted earlier in this thread, I think it would be smart for Vanguard to require at least two security keys to be registered before allowing SMS to be disabled.
Are those who previously weren't allowed to disable SMS able to now?
I didn't try it, but when I registered my Yubikey last week Vanguard had a message on the screen saying you had to have 2 security keys registered in order to disable SMS 2FA.
Thanks for reporting back, anon_investor.

If true, then it looks like Vanguard took my advice (I have made them aware of my suggestions).

However, unfortunately, I've heard back from another Boglehead (via private message) who reports that he's still not allowed to disable SMS.
I recently bought two Yubikeys specifically for my Vanguard account. After registering the two keys I was able to disable SMS 2FA. It worked fine on the website, however I would not advise disabling SMS 2FA because of the behavior in the mobile application. It actually downgrades your security when you disable SMS 2FA after registering two Yubikeys. The reason for this is the user flow on the mobile app.

1. If you install the mobile app it will allow you to login only with your username and password.
2. It will then prompt you to setup SMS 2FA. You are forced to setup SMS 2FA in order to use the mobile app.
3. The worst part comes next. When you go through the user flow on the mobile app to setup SMS 2FA it will allow you to choose your registered cellphone number or to add ANY new number.

If a hacker or someone close to you that is not trustworthy has your username and password they can basically re-direct the SMS 2FA to their own cellphone number and access your account.

Therefore, I recommend keeping SMS 2FA enabled and use a Google voice number for the SMS 2FA. Secure Google voice with the Yubikeys. That is basically the workaround discussed previously to get around the problem.
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

saver1 wrote: Mon Dec 20, 2021 9:54 pm
Silence Dogood wrote: Mon Dec 20, 2021 8:04 pm
anon_investor wrote: Sun Dec 05, 2021 7:05 pm
Silence Dogood wrote: Sun Dec 05, 2021 6:32 pm
Silence Dogood wrote: Tue Aug 24, 2021 6:48 pm Allow all clients to disable SMS after registering their security keys.

Some of us (including myself) are able to do this now.

As I noted earlier in this thread, I think it would be smart for Vanguard to require at least two security keys to be registered before allowing SMS to be disabled.
Are those who previously weren't allowed to disable SMS able to now?
I didn't try it, but when I registered my Yubikey last week Vanguard had a message on the screen saying you had to have 2 security keys registered in order to disable SMS 2FA.
Thanks for reporting back, anon_investor.

If true, then it looks like Vanguard took my advice (I have made them aware of my suggestions).

However, unfortunately, I've heard back from another Boglehead (via private message) who reports that he's still not allowed to disable SMS.
I recently bought two Yubikeys specifically for my Vanguard account. After registering the two keys I was able to disable SMS 2FA. It worked fine on the website, however I would not advise disabling SMS 2FA because of the behavior in the mobile application. It actually downgrades your security when you disable SMS 2FA after registering two Yubikeys. The reason for this is the user flow on the mobile app.

1. If you install the mobile app it will allow you to login only with your username and password.
2. It will then prompt you to setup SMS 2FA. You are forced to setup SMS 2FA in order to use the mobile app.
3. The worst part comes next. When you go through the user flow on the mobile app to setup SMS 2FA it will allow you to choose your registered cellphone number or to add ANY new number.

If a hacker or someone close to you that is not trustworthy has your username and password they can basically re-direct the SMS 2FA to their own cellphone number and access your account.

Therefore, I recommend keeping SMS 2FA enabled and use a Google voice number for the SMS 2FA. Secure Google voice with the Yubikeys. That is basically the workaround discussed previously to get around the problem.
Yep, the mobile app is the weak point.
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

saver1 wrote: Mon Dec 20, 2021 9:54 pm I recently bought two Yubikeys specifically for my Vanguard account. After registering the two keys I was able to disable SMS 2FA. It worked fine on the website, however I would not advise disabling SMS 2FA because of the behavior in the mobile application. It actually downgrades your security when you disable SMS 2FA after registering two Yubikeys. The reason for this is the user flow on the mobile app.

1. If you install the mobile app it will allow you to login only with your username and password.
2. It will then prompt you to setup SMS 2FA. You are forced to setup SMS 2FA in order to use the mobile app.
3. The worst part comes next. When you go through the user flow on the mobile app to setup SMS 2FA it will allow you to choose your registered cellphone number or to add ANY new number.

If a hacker or someone close to you that is not trustworthy has your username and password they can basically re-direct the SMS 2FA to their own cellphone number and access your account.

Therefore, I recommend keeping SMS 2FA enabled and use a Google voice number for the SMS 2FA. Secure Google voice with the Yubikeys. That is basically the workaround discussed previously to get around the problem.
I reported these issues to Vanguard this past summer (see my earlier posts in this thread - for example, here and here).

The fact that these issues still haven't been fixed is very concerning.

At the very least, Vanguard can and should get rid of the ability to add any new phone number for sending security codes to when using the mobile app (i.e., only allow existing phone numbers on file). That should not take long to implement.
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

Silence Dogood wrote: Wed Dec 22, 2021 10:02 am
saver1 wrote: Mon Dec 20, 2021 9:54 pm I recently bought two Yubikeys specifically for my Vanguard account. After registering the two keys I was able to disable SMS 2FA. It worked fine on the website, however I would not advise disabling SMS 2FA because of the behavior in the mobile application. It actually downgrades your security when you disable SMS 2FA after registering two Yubikeys. The reason for this is the user flow on the mobile app.

1. If you install the mobile app it will allow you to login only with your username and password.
2. It will then prompt you to setup SMS 2FA. You are forced to setup SMS 2FA in order to use the mobile app.
3. The worst part comes next. When you go through the user flow on the mobile app to setup SMS 2FA it will allow you to choose your registered cellphone number or to add ANY new number.

If a hacker or someone close to you that is not trustworthy has your username and password they can basically re-direct the SMS 2FA to their own cellphone number and access your account.

Therefore, I recommend keeping SMS 2FA enabled and use a Google voice number for the SMS 2FA. Secure Google voice with the Yubikeys. That is basically the workaround discussed previously to get around the problem.
I reported these issues to Vanguard this past summer (see my earlier posts in this thread - for example, here and here).

The fact that these issues still haven't been fixed is very concerning.

At the very least, Vanguard can and should get rid of the ability to add any new phone number for sending security codes to when using the mobile app (i.e., only allow existing phone numbers on file). That should not take long to implement.
Have you seen how terrible the new mobile app is? I have 0 confidence in Vanguard fixing anything. As others have earlier suggested I have utilized the Yubikey + GV# SMS 2FA set up. I wish Vanguard would move to a Yubikey + authenticator app set up.
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

anon_investor wrote: Wed Dec 22, 2021 10:07 am
Silence Dogood wrote: Wed Dec 22, 2021 10:02 am
saver1 wrote: Mon Dec 20, 2021 9:54 pm I recently bought two Yubikeys specifically for my Vanguard account. After registering the two keys I was able to disable SMS 2FA. It worked fine on the website, however I would not advise disabling SMS 2FA because of the behavior in the mobile application. It actually downgrades your security when you disable SMS 2FA after registering two Yubikeys. The reason for this is the user flow on the mobile app.

1. If you install the mobile app it will allow you to login only with your username and password.
2. It will then prompt you to setup SMS 2FA. You are forced to setup SMS 2FA in order to use the mobile app.
3. The worst part comes next. When you go through the user flow on the mobile app to setup SMS 2FA it will allow you to choose your registered cellphone number or to add ANY new number.

If a hacker or someone close to you that is not trustworthy has your username and password they can basically re-direct the SMS 2FA to their own cellphone number and access your account.

Therefore, I recommend keeping SMS 2FA enabled and use a Google voice number for the SMS 2FA. Secure Google voice with the Yubikeys. That is basically the workaround discussed previously to get around the problem.
I reported these issues to Vanguard this past summer (see my earlier posts in this thread - for example, here and here).

The fact that these issues still haven't been fixed is very concerning.

At the very least, Vanguard can and should get rid of the ability to add any new phone number for sending security codes to when using the mobile app (i.e., only allow existing phone numbers on file). That should not take long to implement.
Have you seen how terrible the new mobile app is? I have 0 confidence in Vanguard fixing anything. As others have earlier suggested I have utilized the Yubikey + GV# SMS 2FA set up. I wish Vanguard would move to a Yubikey + authenticator app set up.
My only experiences with the Vanguard mobile app have been a few times over this past year - in order to test out the two-factor authentication (hence my discovery of the issue back in the summer). Each time I tried it out, I never actually logged in and I uninstalled it immediately afterwards.

Yubikeys are perfectly capable of working with mobile apps; I don't see any reason why Yubikey-only can't be an option.
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

Silence Dogood wrote: Wed Dec 22, 2021 10:25 am
anon_investor wrote: Wed Dec 22, 2021 10:07 am
Silence Dogood wrote: Wed Dec 22, 2021 10:02 am
saver1 wrote: Mon Dec 20, 2021 9:54 pm I recently bought two Yubikeys specifically for my Vanguard account. After registering the two keys I was able to disable SMS 2FA. It worked fine on the website, however I would not advise disabling SMS 2FA because of the behavior in the mobile application. It actually downgrades your security when you disable SMS 2FA after registering two Yubikeys. The reason for this is the user flow on the mobile app.

1. If you install the mobile app it will allow you to login only with your username and password.
2. It will then prompt you to setup SMS 2FA. You are forced to setup SMS 2FA in order to use the mobile app.
3. The worst part comes next. When you go through the user flow on the mobile app to setup SMS 2FA it will allow you to choose your registered cellphone number or to add ANY new number.

If a hacker or someone close to you that is not trustworthy has your username and password they can basically re-direct the SMS 2FA to their own cellphone number and access your account.

Therefore, I recommend keeping SMS 2FA enabled and use a Google voice number for the SMS 2FA. Secure Google voice with the Yubikeys. That is basically the workaround discussed previously to get around the problem.
I reported these issues to Vanguard this past summer (see my earlier posts in this thread - for example, here and here).

The fact that these issues still haven't been fixed is very concerning.

At the very least, Vanguard can and should get rid of the ability to add any new phone number for sending security codes to when using the mobile app (i.e., only allow existing phone numbers on file). That should not take long to implement.
Have you seen how terrible the new mobile app is? I have 0 confidence in Vanguard fixing anything. As others have earlier suggested I have utilized the Yubikey + GV# SMS 2FA set up. I wish Vanguard would move to a Yubikey + authenticator app set up.
My only experiences with the Vanguard mobile app have been a few times over this past year - in order to test out the two-factor authentication (hence my discovery of the issue back in the summer). Each time I tried it out, I never actually logged in and I uninstalled it immediately afterwards.

Yubikeys are perfectly capable of working with mobile apps; I don't see any reason why Yubikey-only can't be an option.
Well making the Vanguard mobile app support Yubikey would be another option.
criticalmass
Posts: 2843
Joined: Wed Feb 12, 2014 9:58 pm

Re: Yubikey only at Vanguard now possible.

Post by criticalmass »

anon_investor wrote: Wed Dec 22, 2021 12:03 pm
Silence Dogood wrote: Wed Dec 22, 2021 10:25 am
anon_investor wrote: Wed Dec 22, 2021 10:07 am
Silence Dogood wrote: Wed Dec 22, 2021 10:02 am
saver1 wrote: Mon Dec 20, 2021 9:54 pm I recently bought two Yubikeys specifically for my Vanguard account. After registering the two keys I was able to disable SMS 2FA. It worked fine on the website, however I would not advise disabling SMS 2FA because of the behavior in the mobile application. It actually downgrades your security when you disable SMS 2FA after registering two Yubikeys. The reason for this is the user flow on the mobile app.

1. If you install the mobile app it will allow you to login only with your username and password.
2. It will then prompt you to setup SMS 2FA. You are forced to setup SMS 2FA in order to use the mobile app.
3. The worst part comes next. When you go through the user flow on the mobile app to setup SMS 2FA it will allow you to choose your registered cellphone number or to add ANY new number.

If a hacker or someone close to you that is not trustworthy has your username and password they can basically re-direct the SMS 2FA to their own cellphone number and access your account.

Therefore, I recommend keeping SMS 2FA enabled and use a Google voice number for the SMS 2FA. Secure Google voice with the Yubikeys. That is basically the workaround discussed previously to get around the problem.
I reported these issues to Vanguard this past summer (see my earlier posts in this thread - for example, here and here).

The fact that these issues still haven't been fixed is very concerning.

At the very least, Vanguard can and should get rid of the ability to add any new phone number for sending security codes to when using the mobile app (i.e., only allow existing phone numbers on file). That should not take long to implement.
Have you seen how terrible the new mobile app is? I have 0 confidence in Vanguard fixing anything. As others have earlier suggested I have utilized the Yubikey + GV# SMS 2FA set up. I wish Vanguard would move to a Yubikey + authenticator app set up.
My only experiences with the Vanguard mobile app have been a few times over this past year - in order to test out the two-factor authentication (hence my discovery of the issue back in the summer). Each time I tried it out, I never actually logged in and I uninstalled it immediately afterwards.

Yubikeys are perfectly capable of working with mobile apps; I don't see any reason why Yubikey-only can't be an option.
Well making the Vanguard mobile app support Yubikey would be another option.
The Vanguard mobile app doesn’t support Vanguard mutual fund accounts or many basic functions for brokerage accounts either. I wouldn’t count on Yubikey support.
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

criticalmass wrote: Wed Dec 22, 2021 12:37 pm
anon_investor wrote: Wed Dec 22, 2021 12:03 pm
Silence Dogood wrote: Wed Dec 22, 2021 10:25 am
anon_investor wrote: Wed Dec 22, 2021 10:07 am
Silence Dogood wrote: Wed Dec 22, 2021 10:02 am

I reported these issues to Vanguard this past summer (see my earlier posts in this thread - for example, here and here).

The fact that these issues still haven't been fixed is very concerning.

At the very least, Vanguard can and should get rid of the ability to add any new phone number for sending security codes to when using the mobile app (i.e., only allow existing phone numbers on file). That should not take long to implement.
Have you seen how terrible the new mobile app is? I have 0 confidence in Vanguard fixing anything. As others have earlier suggested I have utilized the Yubikey + GV# SMS 2FA set up. I wish Vanguard would move to a Yubikey + authenticator app set up.
My only experiences with the Vanguard mobile app have been a few times over this past year - in order to test out the two-factor authentication (hence my discovery of the issue back in the summer). Each time I tried it out, I never actually logged in and I uninstalled it immediately afterwards.

Yubikeys are perfectly capable of working with mobile apps; I don't see any reason why Yubikey-only can't be an option.
Well making the Vanguard mobile app support Yubikey would be another option.
The Vanguard mobile app doesn’t support Vanguard mutual fund accounts or many basic functions for brokerage accounts either. I wouldn’t count on Yubikey support.
The "new" mobile app is horrible, you can't view individual tax lots (needed for TLH), you can't fund a mutual fund purchase from a bank account (you have to first transfer from your bank account to your settlement fund).
saver1
Posts: 336
Joined: Wed Oct 12, 2016 8:33 pm

Re: Yubikey only at Vanguard now possible.

Post by saver1 »

anon_investor wrote: Wed Dec 22, 2021 1:06 pm
criticalmass wrote: Wed Dec 22, 2021 12:37 pm
anon_investor wrote: Wed Dec 22, 2021 12:03 pm
Silence Dogood wrote: Wed Dec 22, 2021 10:25 am
anon_investor wrote: Wed Dec 22, 2021 10:07 am

Have you seen how terrible the new mobile app is? I have 0 confidence in Vanguard fixing anything. As others have earlier suggested I have utilized the Yubikey + GV# SMS 2FA set up. I wish Vanguard would move to a Yubikey + authenticator app set up.
My only experiences with the Vanguard mobile app have been a few times over this past year - in order to test out the two-factor authentication (hence my discovery of the issue back in the summer). Each time I tried it out, I never actually logged in and I uninstalled it immediately afterwards.

Yubikeys are perfectly capable of working with mobile apps; I don't see any reason why Yubikey-only can't be an option.
Well making the Vanguard mobile app support Yubikey would be another option.
The Vanguard mobile app doesn’t support Vanguard mutual fund accounts or many basic functions for brokerage accounts either. I wouldn’t count on Yubikey support.
The "new" mobile app is horrible, you can't view individual tax lots (needed for TLH), you can't fund a mutual fund purchase from a bank account (you have to first transfer from your bank account to your settlement fund).
Yes, I agree that the mobile app is quite bad. One thing to consider is that Vanguard is probably following the Agile Scrum software development model, which means they have released a minimally functional product and will be adding new features incrementally. Keep giving them feedback on the app through the support section and be patient. Hopefully, they will fix a lot of these issues over time. If they don't, then we should consider other options such as going to a different brokerage. If they ignore fixing these issues with the mobile app and the website it will be to their disadvantage. The increased customers transitioning out of Vanguard to other brokerages will catch up to them to the point where they will not be able to ignore it any longer.
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

criticalmass wrote: Wed Dec 22, 2021 12:37 pm I wouldn’t count on Yubikey support.
To be clear, I'm not counting on Yubikey support any time soon [for the Vanguard mobile app].

Here are the suggestions I provided to Vanguard:
Silence Dogood wrote: Tue Aug 24, 2021 6:48 pm Here are the things that Vanguard should fix:

1. Allow all clients to disable SMS after registering their security keys.

Some of us (including myself) are able to do this now.

As I noted earlier in this thread, I think it would be smart for Vanguard to require at least two security keys to be registered before allowing SMS to be disabled.

2. Longer term, the mobile apps should be made to work with security keys. In the meantime, the mobile apps should be disabled for those who've disabled SMS.

This could work in a similar way to how the "restrict access to recognized devices" option currently works.

3. Require the security key for every log in - but stop asking whether or not the device should be recognized.

Apparently Vanguard does require the security key to be used with every log in - which is best practice. However, for whatever reason, Vanguard continues to ask whether or not the device being used is private or public. Whichever option is chosen seems to not have any effect. This is a lower priority issue, since it's more of a design/aesthetic issue, but it should still be fixed.
But as I wrote earlier today:
Silence Dogood wrote: Wed Dec 22, 2021 10:02 am At the very least, Vanguard can and should get rid of the ability to add any new phone number for sending security codes to when using the mobile app (i.e., only allow existing phone numbers on file). That should not take long to implement.
Last edited by Silence Dogood on Fri Jan 21, 2022 6:23 pm, edited 1 time in total.
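
The enrollment flaw reported in this thread, modeled next to a policy that follows the suggestions above (two keys before SMS can be disabled, no new phone number from a password-only session). This is an added example, not code from any poster or from Vanguard; every name, the strength ordering, the key-in-session check and the phone numbers are assumptions or constructed values.

```python
from dataclasses import dataclass, field

# Assumed relative strength of each authentication method (illustrative ordering).
STRENGTH = {"password": 1, "sms": 2, "security_key": 3}


@dataclass
class Account:
    security_keys: set = field(default_factory=set)  # registered key IDs
    sms_numbers: set = field(default_factory=set)    # phone numbers on file
    sms_enabled: bool = True


@dataclass
class Session:
    methods: set  # methods verified in this session, e.g. {"password"}

    @property
    def assurance(self):
        return max(STRENGTH[m] for m in self.methods)


def required_assurance(acct):
    """The strongest factor already registered sets the bar for factor changes."""
    if acct.security_keys:
        return STRENGTH["security_key"]
    if acct.sms_enabled and acct.sms_numbers:
        return STRENGTH["sms"]
    return STRENGTH["password"]


def disable_sms(acct, session, min_keys=2):
    """Allow SMS to be turned off only with two keys registered (the thread's
    suggestion) and, as an extra assumption here, a key-verified session."""
    if len(acct.security_keys) < min_keys:
        return False
    if "security_key" not in session.methods:
        return False
    acct.sms_enabled = False
    return True


def flawed_enroll_sms(acct, session, number):
    """Flow as reported for the mobile app: a password-only session may
    enroll ANY number, which silently re-enables SMS as a second factor."""
    if "password" not in session.methods:
        return False
    acct.sms_numbers.add(number)
    acct.sms_enabled = True
    return True


def hardened_enroll_sms(acct, session, number):
    """A new number requires a session at least as strong as the strongest
    registered factor; a number on file is usable only while SMS is enabled."""
    if number in acct.sms_numbers:
        return acct.sms_enabled
    if session.assurance < required_assurance(acct):
        return False
    acct.sms_numbers.add(number)
    acct.sms_enabled = True
    return True


def demo():
    """Run both flows against identical constructed accounts."""
    on_file, other = "+15555550100", "+15555550199"  # constructed numbers
    owner = Session({"password", "security_key"})
    stolen = Session({"password"})  # someone holding only the credentials

    results = {}
    for name, enroll in (("flawed", flawed_enroll_sms),
                         ("hardened", hardened_enroll_sms)):
        acct = Account(security_keys={"key-A", "key-B"}, sms_numbers={on_file})
        disable_sms(acct, owner)
        results[name] = {
            "new_number_accepted": enroll(acct, stolen, other),
            "sms_enabled_after": acct.sms_enabled,
        }
    return results


if __name__ == "__main__":
    for flow, outcome in demo().items():
        print(flow, outcome)
```
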
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

saver1 wrote: Wed Dec 22, 2021 1:53 pm
anon_investor wrote: Wed Dec 22, 2021 1:06 pm
criticalmass wrote: Wed Dec 22, 2021 12:37 pm
anon_investor wrote: Wed Dec 22, 2021 12:03 pm
Silence Dogood wrote: Wed Dec 22, 2021 10:25 am

My only experiences with the Vanguard mobile app have been a few times over this past year - in order to test out the two-factor authentication (hence my discovery of the issue back in the summer). Each time I tried it out, I never actually logged in and I uninstalled it immediately afterwards.

Yubikeys are perfectly capable of working with mobile apps; I don't see any reason why Yubikey-only can't be an option.
Well making the Vanguard mobile app support Yubikey would be another option.
The Vanguard mobile app doesn’t support Vanguard mutual fund accounts or many basic functions for brokerage accounts either. I wouldn’t count on Yubikey support.
The "new" mobile app is horrible, you can't view individual tax lots (needed for TLH), you can't fund a mutual fund purchase from a bank account (you have to first transfer from your bank account to your settlement fund).
Yes, I agree that the mobile app is quite bad. One thing to consider is that Vanguard is probably following the Agile Scrum software development model, which means they have released a minimally functional product and will be adding new features incrementally. Keep giving them feedback on the app through the support section and be patient. Hopefully, they will fix a lot of these issues over time. If they don't, then we should consider other options such as going to a different brokerage. If they ignore fixing these issues with the mobile app and the website it will be to their disadvantage. The increased customers transitioning out of Vanguard to other brokerages will catch up to them to the point where they will not be able to ignore it any longer.
I don't want to be Vanguard's guinea pig. They already had this terrible app as a beta test called "Beacon" for well over a year. I have already submitted my negative feedback to Vanguard. I have already stopped investing new money in my taxable account at Vanguard for now while I try other brokerages. Fidelity's app seems to meet my needs, Merrill Edge, not so much.
cseinv
Posts: 17
Joined: Mon Feb 10, 2014 5:50 pm

Re: Yubikey only at Vanguard now possible.

Post by cseinv »

The Vanguard phone app does support biometric (fingerprint) login on newer phones. Which is what I have been using. I have no issues with login credentials.

I also use a vpn to protect data transfers on my phone and computer.

I do agree the app is horrible to do anything so log in just to check balances.
sketchy9
Posts: 205
Joined: Mon Oct 25, 2010 2:10 pm

Re: Yubikey only at Vanguard now possible.

Post by sketchy9 »

Just wanted to chime in with my experience with the mobile app. Vanguard has my mobile number but I have 2 yubikeys set up. When logging in with the mobile app for the first time, it prompted me to set up fingerprint login (good). It then stated I needed to set up security codes (ok). It gave me the option to use my existing number (good) OR add a new number (VERY BAD). So, it appears that even if you have a phone number in their system, you can still bypass that number and add a new number the first time you install the app.

That's just so mind-bogglingly stupid (and dangerous). It's enough to make me leave them. They want me to use their ETFs anyway, I can do that just as well at a place like Fidelity.
squirm
Posts: 4239
Joined: Sat Mar 19, 2011 11:53 am

Re: Yubikey only at Vanguard now possible.

Post by squirm »

What do they do when you request a password reset?
conundrum
Posts: 871
Joined: Sat May 09, 2009 7:00 pm

Re: Yubikey only at Vanguard now possible.

Post by conundrum »

I was able to register 2 security keys and disable the text/SMS option. Previously I have my logins restricted to one computer. Is this restriction still necessary? I ask because with the restriction I get locked out once a month or so and have to call in. I have no interest in the mobile app. Is there any risk of the mobile app if I never sign up?
Thanks,
Drum
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

conundrum wrote: Fri Jan 21, 2022 1:39 pm I was able to register 2 security keys and disable the text/SMS option. Previously I have my logins restricted to one computer. Is this restriction still necessary? I ask because with the restriction I get locked out once a month or so and have to call in. I have no interest in the mobile app. Is there any risk of the mobile app if I never sign up?
Thanks,
Drum
Yes, there is still a risk with the mobile app. If someone else installs the mobile app and tries to login with your user name and password, Vanguard will use whatever phone number you have on file as the 2FA. While still unlikely, if someone has your user name and password, and access to your phone number (e.g. SIM swap, etc.), they could access your account.

Personally, because I want to use the mobile app, I just use a Google Voice number for my SMS 2FA, so I have closed that loophole. My Google account is secured by a Yubikey.
conundrum
Posts: 871
Joined: Sat May 09, 2009 7:00 pm

Re: Yubikey only at Vanguard now possible.

Post by conundrum »

Is there any way to block the ability to have a mobile account at Vanguard?
conundrum
Posts: 871
Joined: Sat May 09, 2009 7:00 pm

Re: Yubikey only at Vanguard now possible.

Post by conundrum »

Or would it be best to leave the computer restriction access on? Can you use Yubikeys and the computer access restrictions at the same time?
Thanks,
Drum
cowdogman
Posts: 2072
Joined: Sat Dec 16, 2017 6:44 pm
Location: Washington State

Re: Yubikey only at Vanguard now possible.

Post by cowdogman »

conundrum wrote: Fri Jan 21, 2022 2:36 pm Or would it be best to leave the computer restriction access on? Can you use Yubikeys and the computer access restrictions at the same time?
Thanks,
Drum
If you use Yubikey (which is in its way the same as computer restriction--Yubikey restriction) and Google voice for SMS, you should be good without computer access restriction.

The other option is switch to Fidelity and use an authenticator to log in. Can't believe Vanguard does not offer that.
sycamore
Posts: 6360
Joined: Tue May 08, 2018 12:06 pm

Re: Yubikey only at Vanguard now possible.

Post by sycamore »

conundrum wrote: Fri Jan 21, 2022 1:46 pm Is there any way to block the ability to have a mobile account at Vanguard?
I know you asked a subsequent question, but regarding this one above, I don't think so. It's an interesting question; not sure how one would define "mobile account." Perhaps you mean "mobile device" or "mobile app" ?

Given that mobile devices are just computers that let you access Vanguard via an app or its website via a browser, I don't think a custodian would offer a feature to let you block based on whether a browser is being used on a mobile device versus desktop. But they could more easily offer an option to prevent access via app, or vice versa only allow access via an app; unlikely to happen in any case.
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

cowdogman wrote: Fri Jan 21, 2022 6:09 pm
conundrum wrote: Fri Jan 21, 2022 2:36 pm Or would it be best to leave the computer restriction access on? Can you use Yubikeys and the computer access restrictions at the same time?
Thanks,
Drum
If you use Yubikey (which is in its way the same as computer restriction--Yubikey restriction) and Google voice for SMS, you should be good without computer access restriction.

The other option is switch to Fidelity and use an authenticator to log in. Can't believe Vanguard does not offer that.
You’d expect Vanguard to offer a fully functional mobile app too… but nope. :x
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

Silence Dogood wrote: Wed Dec 22, 2021 2:41 pm
criticalmass wrote: Wed Dec 22, 2021 12:37 pm I wouldn’t count on Yubikey support.
To be clear, I'm not counting on Yubikey support any time soon [for the Vanguard mobile app].

Here are the suggestions I provided to Vanguard:
Silence Dogood wrote: Tue Aug 24, 2021 6:48 pm Here are the things that Vanguard should fix:

1. Allow all clients to disable SMS after registering their security keys.

Some of us (including myself) are able to do this now.

As I noted earlier in this thread, I think it would be smart for Vanguard to require at least two security keys to be registered before allowing SMS to be disabled.

2. Longer term, the mobile apps should be made to work with security keys. In the meantime, the mobile apps should be disabled for those who've disabled SMS.

This could work in a similar way to how the "restrict access to recognized devices" option currently works.

3. Require the security key for every log in - but stop asking whether or not the device should be recognized.

Apparently Vanguard does require the security key to be used with every log in - which is best practice. However, for whatever reason, Vanguard continues to ask whether or not the device being used is private or public. Whichever option is chosen seems to not have any effect. This is a lower priority issue, since it's more of a design/aesthetic issue, but it should still be fixed.
But as I wrote earlier today:
Silence Dogood wrote: Wed Dec 22, 2021 10:02 am At the very least, Vanguard can and should get rid of the ability to add any new phone number for sending security codes to when using the mobile app (i.e., only allow existing phone numbers on file). That should not take long to implement.
I just checked - unfortunately, there is still an option to "Enter a new number".
Lucent
Posts: 1
Joined: Mon Jul 22, 2019 5:29 pm
Location: Knoxville, TN

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by Lucent »

[Posts merged into here from: Vanguard 2-factor authentication becoming mandatory and available for non-US --admin LadyGeek]

You can now disable "secure codes" entirely if you add two U2F hardware keys.
southerndoc
Posts: 1266
Joined: Wed Apr 22, 2009 7:07 pm
Location: Atlanta

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by southerndoc »

How do you disable the SMS text messaging and only allow Yubikeys?
FlyingMoose
Posts: 630
Joined: Wed Mar 04, 2009 9:48 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by FlyingMoose »

southerndoc wrote: Fri Mar 04, 2022 12:13 am How do you disable the SMS text messaging and only allow Yubikeys?
It is currently not possible to do this safely. You can do it but then anyone can get in with just the password using the app.
southerndoc
Posts: 1266
Joined: Wed Apr 22, 2009 7:07 pm
Location: Atlanta

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by southerndoc »

I wasn't planning on it until I read where @Lucent said you could disable secure codes if you have 2 U2F keys. I have 3. Would like to disable SMS texting and require a Yubikey 100% of the time.
edgeagg
Posts: 451
Joined: Tue Jan 23, 2018 12:27 pm
Location: WA-US

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by edgeagg »

HawkeyePierce wrote: Wed Apr 29, 2020 10:08 pm ...

Now if Vanguard will just let customers use *only* Yubikeys without the phone fallback.
Suppose you can't use your Yubikey - suppose it physically fails. What is the recovery path? You'd need a path outside the crypto token won't you?
criticalmass
Posts: 2843
Joined: Wed Feb 12, 2014 9:58 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by criticalmass »

edgeagg wrote: Fri Mar 04, 2022 9:14 am
HawkeyePierce wrote: Wed Apr 29, 2020 10:08 pm ...

Now if Vanguard will just let customers use *only* Yubikeys without the phone fallback.
Suppose you can't use your Yubikey - suppose it physically fails. What is the recovery path? You'd need a path outside the crypto token won't you?
Sure, you could call Vanguard and use their automated voice authentication, which is what they use to authenticate for wires. They can also follow up with security questions. Voila.
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by Silence Dogood »

edgeagg wrote: Fri Mar 04, 2022 9:14 am
HawkeyePierce wrote: Wed Apr 29, 2020 10:08 pm ...

Now if Vanguard will just let customers use *only* Yubikeys without the phone fallback.
Suppose you can't use your Yubikey - suppose it physically fails. What is the recovery path? You'd need a path outside the crypto token won't you?
My understanding is that Vanguard now requires at least two security keys to be registered before allowing SMS to be disabled.

However, please see this post regarding a serious security flaw with the Vanguard mobile app.
Last edited by Silence Dogood on Fri Mar 04, 2022 8:10 pm, edited 2 times in total.
DivesEtPauper
Posts: 66
Joined: Fri Mar 15, 2019 11:38 pm

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by DivesEtPauper »

Silence Dogood wrote: Fri Mar 04, 2022 7:09 pm
edgeagg wrote: Fri Mar 04, 2022 9:14 am
HawkeyePierce wrote: Wed Apr 29, 2020 10:08 pm ...

Now if Vanguard will just let customers use *only* Yubikeys without the phone fallback.
Suppose you can't use your Yubikey - suppose it physically fails. What is the recovery path? You'd need a path outside the crypto token won't you?
My understanding is that Vanguard requires at least two security keys to be registered before allowing SMS to be disabled.
I use Yubikeys with Vanguard, and no SMS (I've never given them my cell number). My "backup" is to have them call my home phone (old fashioned land-line) and speak the secret code to me. Only hassle getting this to work was that I had to fake my browser agent, since their website insisted that I had to use Chrome (spoiler: Firefox works fine).
LadyGeek
Site Admin
Posts: 95696
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: Yubikey only at Vanguard now possible.

Post by LadyGeek »

I moved a post and ensuing discussion by new member Lucent into this thread from Vanguard 2-factor authentication becoming mandatory and available for non-US.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
Northern Flicker
Posts: 15365
Joined: Fri Apr 10, 2015 12:29 am

Re: Yubikey only at Vanguard now possible.

Post by Northern Flicker »

cowdogman wrote: If you use Yubikey (which is in its way the same as computer restriction--Yubikey restriction)
Having a service remember your computer is not the equivalent of using a Yubikey in the level of security enhancement achieved.
cowdogman
Posts: 2072
Joined: Sat Dec 16, 2017 6:44 pm
Location: Washington State

Re: Yubikey only at Vanguard now possible.

Post by cowdogman »

Northern Flicker wrote: Sat Mar 05, 2022 1:31 am
cowdogman wrote: If you use Yubikey (which is in its way the same as computer restriction--Yubikey restriction)
Having a service remember your computer is not the equivalent of using a Yubikey in the level of security enhancement achieved.
Yes, I agree, but they are getting at the same thing--restricting access to a specific computer--the one Vanguard remembers or the one that has the Yubikey inserted.
conundrum
Posts: 871
Joined: Sat May 09, 2009 7:00 pm

Re: Yubikey only at Vanguard now possible.

Post by conundrum »

With the current issues with the security of the mobile app we are using both yubikeys (and disabling the SMS option) AND the computer restriction. I would rather just use the yubikey but until there is better security on the mobile app or a way to block the app I will do both.
Drum
HawkeyePierce
Posts: 2352
Joined: Tue Mar 05, 2019 9:29 pm
Location: Colorado

Re: Yubikey only at Vanguard now possible.

Post by HawkeyePierce »

cowdogman wrote: Tue Mar 08, 2022 10:44 am
Northern Flicker wrote: Sat Mar 05, 2022 1:31 am
cowdogman wrote: If you use Yubikey (which is in its way the same as computer restriction--Yubikey restriction)
Having a service remember your computer is not the equivalent of using a Yubikey in the level of security enhancement achieved.
Yes, I agree, but they are getting at the same thing--restricting access to a specific computer--the one Vanguard remembers or the one that has the Yubikey inserted.
They are not even remotely equivalent.
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

conundrum wrote: Tue Mar 08, 2022 12:03 pm With the current issues with the security of the mobile app we are using both yubikeys (and disabling the SMS option) AND the computer restriction. I would rather just use the yubikey but until there is better security on the mobile app or a way to block the app I will do both.
Drum
Using a Google Voice number with a Google account secured by a Yubikey as the SMS 2FA for your Vanguard account and Yubikey as the other 2FA option for your Vanguard account is the only way to really secure your Vanguard account at this time.
conundrum
Posts: 871
Joined: Sat May 09, 2009 7:00 pm

Re: Yubikey only at Vanguard now possible.

Post by conundrum »

It would seem that using the Yubikey and the computer/device restriction would be as secure as the google voice option. I understand the advantage of using google voice rather than SMS for 2FA but am not understanding why that would be better than restricting the devices/computer to only one computer dedicated to financial transactions?
Drum
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

conundrum wrote: Tue Mar 08, 2022 12:50 pm It would seem that using the Yubikey and the computer/device restriction would be as secure as the google voice option. I understand the advantage of using google voice rather than SMS for 2FA but am not understanding why that would be better than restricting the devices/computer to only one computer dedicated to financial transactions?
Drum
The single computer/device restriction has been reported by some BHs as having issues and not working right, locking people out of their account as the designated computer/device is not remembered. I would also suggest not leaving the SMS 2FA blank, which would bypass the risk of the security loophole with the mobile app when there is no SMS 2FA in place; in case for some reason the single computer/device restriction somehow gets deactivated.
conundrum
Posts: 871
Joined: Sat May 09, 2009 7:00 pm

Re: Yubikey only at Vanguard now possible.

Post by conundrum »

With the ability to “add a new number” on the mobile app as noted by Silence Dogood above wouldn’t the computer restriction be safer? It would seem the ability to add a new number would limit the effectiveness of using google voice as your 2FA number?
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

conundrum wrote: Tue Mar 08, 2022 2:10 pm With the ability to “add a new number” on the mobile app as noted by Silence Dogood above wouldn’t the computer restriction be safer? It would seem the ability to add a new number would limit the effectiveness of using google voice as your 2FA number?
You can only "add a new number" if there is no number already listed for SMS 2FA. So if you have a Google Voice number listed for SMS 2FA, then it won't give you an option to add a new number.
mptfan
Posts: 7218
Joined: Mon Mar 05, 2007 8:58 am

Re: Yubikey only at Vanguard now possible.

Post by mptfan »

HawkeyePierce wrote: Tue Mar 08, 2022 12:24 pm They are not even remotely equivalent.
I agree, it's not the same at all.
Northern Flicker
Posts: 15365
Joined: Fri Apr 10, 2015 12:29 am

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by Northern Flicker »

edgeagg wrote: Fri Mar 04, 2022 9:14 am
HawkeyePierce wrote: Wed Apr 29, 2020 10:08 pm ...

Now if Vanguard will just let customers use *only* Yubikeys without the phone fallback.
Suppose you can't use your Yubikey - suppose it physically fails. What is the recovery path? You'd need a path outside the crypto token won't you?
You can register 2 yubikeys in case 1 fails.
Northern Flicker
Posts: 15365
Joined: Fri Apr 10, 2015 12:29 am

Re: Yubikey only at Vanguard now possible.

Post by Northern Flicker »

cowdogman wrote: Tue Mar 08, 2022 10:44 am
Northern Flicker wrote: Sat Mar 05, 2022 1:31 am
cowdogman wrote: If you use Yubikey (which is in its way the same as computer restriction--Yubikey restriction)
Having a service remember your computer is not the equivalent of using a Yubikey in the level of security enhancement achieved.
Yes, I agree, but they are getting at the same thing--restricting access to a specific computer--the one Vanguard remembers or the one that has the Yubikey inserted.
The Yubikey implements challenge-response authentication, which prevents various man-in-the-middle attacks and various trojan horse attacks. This is significantly more robust security than even an Authenticator app, much less remembering a computer or SMS 2FA.
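Added example, not part of any poster's message: a small Python model of the challenge-response check described in the post above, set beside an SMS code. HMAC stands in for the ECDSA signature a real security key produces, and the origins, class names and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://broker.example"        # constructed relying-party origin
LOOKALIKE = "https://broker-login.example"  # constructed look-alike origin

class SecurityKey:
    """Token model. A real U2F key signs with an ECDSA private key and the site
    keeps only the public key; HMAC stands in for that signature here."""
    def __init__(self):
        self.enrolled = secrets.token_bytes(32)  # stand-in for the registered public key

    def sign(self, client_data: bytes) -> bytes:
        return hmac.new(self.enrolled, client_data, hashlib.sha256).digest()

def browser_assertion(key, challenge, visible_origin):
    """The browser, not the page or the user, fills in the origin that gets signed."""
    client_data = json.dumps({"challenge": challenge, "origin": visible_origin}).encode()
    return client_data, key.sign(client_data)

class RelyingParty:
    def __init__(self, enrolled: bytes):
        self._enrolled = enrolled
        self._pending = set()  # challenges issued and not yet used
        self._sms_code = None

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self._pending.add(challenge)
        return challenge

    def verify_key(self, client_data: bytes, signature: bytes) -> bool:
        expected = hmac.new(self._enrolled, client_data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False  # not produced by the enrolled key
        data = json.loads(client_data)
        if data["origin"] != RP_ORIGIN or data["challenge"] not in self._pending:
            return False  # signed for another site, or challenge stale/unknown
        self._pending.discard(data["challenge"])  # single use
        return True

    def send_sms_code(self) -> str:
        self._sms_code = f"{secrets.randbelow(10**6):06d}"
        return self._sms_code

    def verify_sms(self, code: str) -> bool:
        ok = self._sms_code is not None and hmac.compare_digest(code, self._sms_code)
        self._sms_code = None
        return ok

def run_scenarios() -> dict:
    key = SecurityKey()
    rp = RelyingParty(key.enrolled)
    cd, sig = browser_assertion(key, rp.new_challenge(), RP_ORIGIN)
    results = {"key_genuine": rp.verify_key(cd, sig),   # fresh challenge, right origin
               "key_replayed": rp.verify_key(cd, sig)}  # same assertion again: spent
    # Challenge forwarded through a look-alike page: the browser records that origin.
    cd, sig = browser_assertion(key, rp.new_challenge(), LOOKALIKE)
    results["key_via_lookalike"] = rp.verify_key(cd, sig)
    # An SMS code is a bare string with no record of where the user typed it.
    results["sms_via_lookalike"] = rp.verify_sms(rp.send_sms_code())
    return results

if __name__ == "__main__":
    print(run_scenarios())
```

In the look-alike case the signature itself is valid and the login is still refused at the origin comparison; the SMS code has nothing comparable to check.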
edgeagg
Posts: 451
Joined: Tue Jan 23, 2018 12:27 pm
Location: WA-US

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Post by edgeagg »

Northern Flicker wrote: Wed Mar 09, 2022 3:17 am
edgeagg wrote: Fri Mar 04, 2022 9:14 am
HawkeyePierce wrote: Wed Apr 29, 2020 10:08 pm ...

Now if Vanguard will just let customers use *only* Yubikeys without the phone fallback.
Suppose you can't use your Yubikey - suppose it physically fails. What is the recovery path? You'd need a path outside the crypto token won't you?
You can register 2 yubikeys in case 1 fails.
The point I am making here is that the recovery path has to be set up at the same time that the primary (yubikey) path is set up and has to be (ideally) more secure than the primary path since it re-establishes trust in a new primary path. It may be less convenient of course, but that isn't a problem since it is used for one time recovery. The design of security ceremonies (yes, that is a real technical term) is a pretty well studied area of cs security research and one that requires real user testing to see if the ceremony works.

In the specific case used by VG, they have decided to lower the security of the recovery step, thus forcing users to come up with their own ceremony hacks to have a recovery path that provides availability with equivalent (or higher) security.

Of these hacks:

1) Voice print based recovery: I've no idea how secure this is, since VG has never published anything on the actual security of their implementation or efforts to penetration test this. Seems very woo-woo to me in the absence of better data.
2) Secondary (recovery) yubikey: This seems promising, but has 2 problems: How do you know the secondary yubikey works without using it regularly? Correlated failures can happen (like your house being destroyed - something that actually happened in my case). But a fireproof safe might be sufficient.
3) Single purpose phone #: You have to make sure that you remember this number and need a way to ensure that it is available only to you when your regular # is hacked and that is also available - the landline fails under the house destruction scenario rendering the secondary path unavailable.

I wonder if a tertiary recovery via a notary public and a government issued ID would be accepted by VG. But of all the proposals, I might go with the secondary yubikey.

Like others, I find it surprising & disappointing that a company that manages trillions of dollars in investments doesn't appear to know of fairly well understood security concepts, leading individual users to come up with their own security protocols.

EDIT: Carl Ellison's original ceremony paper (https://eprint.iacr.org/2007/399.pdf)
Northern Flicker
Posts: 15365
Joined: Fri Apr 10, 2015 12:29 am

Re: Yubikey only at Vanguard now possible.

Post by Northern Flicker »

You should set up two yubikeys and rotate them, say quarterly or every 6 months. Authentication reset is the Achilles heel of every internet-facing service I use. I am not aware of many if any financial institutions that get it right.

I have been permanently locked out of google accounts when trying to reset a password despite having 2FA enabled as the most robust mechanism for authenticating the reset, so I don't think google has exactly nailed it either.

Key management and distribution is a difficult problem for a user base distributed around the internet.
cowdogman
Posts: 2072
Joined: Sat Dec 16, 2017 6:44 pm
Location: Washington State

Re: Yubikey only at Vanguard now possible.

Post by cowdogman »

HawkeyePierce wrote: Tue Mar 08, 2022 12:24 pm
cowdogman wrote: Tue Mar 08, 2022 10:44 am
Northern Flicker wrote: Sat Mar 05, 2022 1:31 am
cowdogman wrote: If you use Yubikey (which is in its way the same as computer restriction--Yubikey restriction)
Having a service remember your computer is not the equivalent of using a Yubikey in the level of security enhancement achieved.
Yes, I agree, but they are getting at the same thing--restricting access to a specific computer--the one Vanguard remembers or the one that has the Yubikey inserted.
They are not even remotely equivalent.
Please explain. I agreed above that they are not equivalent but are getting at the same thing. Specifically, would you use both (1) computer restriction and (2) Yubikey? If so (or not), why?