Congrats!
K72 wrote: ↑Fri Jun 03, 2022 1:33 pm Finally got Vanguard 2FA set up using Yubikeys plus GV, and secured Google account with Yubikeys and no SMS 2FA. Confirmed the V mobile app uses GV for SMS 2FA and does not give a choice for another number. Couple of hiccups though:
- When I first tried to set up Yubikeys in Vanguard I already had a key inserted and got an error message. Had to remove the Yubikey and start over. Worked ok then.
- Before installing the mobile app I wanted to validate the phone number change to GV, but couldn't figure out an easy way to do it, so I deleted the Yubikeys, logged out, then logged back in to utilize 2FA SMS to the GV number. I then re-registered the Yubikeys. Kind of convoluted but got the job done
Yubikey only at Vanguard now possible.
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Yubikey only at Vanguard now possible.
You can also just go to the website on a mobile device to prompt the SMS authentication.
K72 wrote: ↑Fri Jun 03, 2022 1:33 pm - Before installing the mobile app I wanted to validate the phone number change to GV, but couldn't figure out an easy way to do it, so I deleted the Yubikeys, logged out, then logged back in to utilize 2FA SMS to the GV number. I then re-registered the Yubikeys. Kind of convoluted but got the job done
-
- Posts: 1660
- Joined: Tue Feb 01, 2011 8:22 pm
Re: Update on Vanguard mobile app security
It's concerning that Vanguard's IT team is seemingly unaware of this issue.
Silence Dogood wrote: ↑Wed Jul 21, 2021 11:49 am When I sign in using a web browser, I do not see any option to use a security code (SMS) as a backup (I looked carefully for it).
However, I just downloaded the mobile app to test this out...
Disappointingly, when I attempt to sign in, it prompts me to re-enable security codes. There is a drop-down menu that shows my phone number and another option that actually allows me to enter a new phone number to send a security code to. I did not actually go ahead and test that out, but presumably an attacker could actually enter any phone number and use that to get in.
-
- Posts: 1660
- Joined: Tue Feb 01, 2011 8:22 pm
Re: Yubikey only at Vanguard now possible.
At least it's an indication that Vanguard might actually be listening to feedback.
anon_investor wrote: ↑Mon May 23, 2022 6:46 pm So they fixed the cosmetic annoyance but not the actual security issue...
Silence Dogood wrote: ↑Mon May 23, 2022 5:27 pm To Vanguard's credit, they have fixed this specific issue.
Silence Dogood wrote: ↑Tue Aug 24, 2021 6:48 pm Here are the things that Vanguard should fix:
...
3. Require the security key for every log in - but stop asking whether or not the device should be recognized.
Apparently Vanguard does require the security key to be used with every log in - which is best practice. However, for whatever reason, Vanguard continues to ask whether or not the device being used is private or public. Whichever option is chosen seems to not have any effect. This is a lower priority issue, since it's more of a design/aesthetic issue, but it should still be fixed.
For example:
Silence Dogood wrote: ↑Tue Aug 24, 2021 6:48 pm Here are the things that Vanguard should fix:
1. Allow all clients to disable SMS after registering their security keys.
Some of us (including myself) are able to do this now.
As I noted earlier in this thread, I think it would be smart for Vanguard to require at least two security keys to be registered before allowing SMS to be disabled.
However, as you rightfully point out, Vanguard needs to fix the actual security issue.
anon_investor wrote: ↑Sun Dec 05, 2021 7:05 pm ...when I registered my Yubikey last week Vanguard had a message on the screen saying you had to have 2 security keys registered in order to disable SMS 2FA.
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Yubikey only at Vanguard now possible.
Unfortunately that did not close the Vanguard mobile app security flaw, that allows someone to add a new mobile # for SMS 2FA if you do not already have one. So using a Google Voice # for SMS 2FA is still needed to close that loophole.
Silence Dogood wrote: ↑Sun Jul 03, 2022 8:08 pm At least it's an indication that Vanguard might actually be listening to feedback.
anon_investor wrote: ↑Mon May 23, 2022 6:46 pm So they fixed the cosmetic annoyance but not the actual security issue...
Silence Dogood wrote: ↑Mon May 23, 2022 5:27 pm To Vanguard's credit, they have fixed this specific issue.
Silence Dogood wrote: ↑Tue Aug 24, 2021 6:48 pm Here are the things that Vanguard should fix:
...
3. Require the security key for every log in - but stop asking whether or not the device should be recognized.
Apparently Vanguard does require the security key to be used with every log in - which is best practice. However, for whatever reason, Vanguard continues to ask whether or not the device being used is private or public. Whichever option is chosen seems to not have any effect. This is a lower priority issue, since it's more of a design/aesthetic issue, but it should still be fixed.
For example:
Silence Dogood wrote: ↑Tue Aug 24, 2021 6:48 pm Here are the things that Vanguard should fix:
1. Allow all clients to disable SMS after registering their security keys.
Some of us (including myself) are able to do this now.
As I noted earlier in this thread, I think it would be smart for Vanguard to require at least two security keys to be registered before allowing SMS to be disabled.
However, as you rightfully point out, Vanguard needs to fix the actual security issue.
anon_investor wrote: ↑Sun Dec 05, 2021 7:05 pm ...when I registered my Yubikey last week Vanguard had a message on the screen saying you had to have 2 security keys registered in order to disable SMS 2FA.
-
- Posts: 1660
- Joined: Tue Feb 01, 2011 8:22 pm
Re: Yubikey only at Vanguard now possible.
Correct - Vanguard needs to fix the security flaw with their mobile app (I notified them about this last July).
anon_investor wrote: ↑Sun Jul 03, 2022 8:11 pm Unfortunately that did not close the Vanguard mobile app security flaw, that allows someone to add a new mobile # for SMS 2FA if you do not already have one.
As I've mentioned repeatedly, the quick fix - that Vanguard should implement immediately - would be to get rid of the ability to enter any new phone number to send a code to (only allow the selection of a phone number already on file). The best solution would be to implement Yubikey support for the mobile app.
What is tragic is that Vanguard is so close to getting this right - and actually being ahead of the competition (at the vanguard of, if you will) but the security flaw with the mobile app is so egregious that they've managed to snatch defeat from the jaws of victory.
-
- Posts: 15371
- Joined: Fri Apr 10, 2015 12:29 am
Re: Yubikey only at Vanguard now possible.
It is needed to have a secure 2FA on the mobile app. The fact that a thief could add their own number for 2FA after gaining access to your account would be one of the more minor issues you would be facing if a thief gained access to your account.
anon_investor wrote: ↑Sun Jul 03, 2022 8:11 pm Unfortunately that did not close the Vanguard mobile app security flaw, that allows someone to add a new mobile # for SMS 2FA if you do not already have one. So using a Google Voice # for SMS 2FA is still needed to close that loophole.
Silence Dogood wrote: ↑Sun Jul 03, 2022 8:08 pm At least it's an indication that Vanguard might actually be listening to feedback.
anon_investor wrote: ↑Mon May 23, 2022 6:46 pm So they fixed the cosmetic annoyance but not the actual security issue...
Silence Dogood wrote: ↑Mon May 23, 2022 5:27 pm To Vanguard's credit, they have fixed this specific issue.
Silence Dogood wrote: ↑Tue Aug 24, 2021 6:48 pm Here are the things that Vanguard should fix:
...
3. Require the security key for every log in - but stop asking whether or not the device should be recognized.
Apparently Vanguard does require the security key to be used with every log in - which is best practice. However, for whatever reason, Vanguard continues to ask whether or not the device being used is private or public. Whichever option is chosen seems to not have any effect. This is a lower priority issue, since it's more of a design/aesthetic issue, but it should still be fixed.
For example:
Silence Dogood wrote: ↑Tue Aug 24, 2021 6:48 pm Here are the things that Vanguard should fix:
1. Allow all clients to disable SMS after registering their security keys.
Some of us (including myself) are able to do this now.
As I noted earlier in this thread, I think it would be smart for Vanguard to require at least two security keys to be registered before allowing SMS to be disabled.
However, as you rightfully point out, Vanguard needs to fix the actual security issue.
anon_investor wrote: ↑Sun Dec 05, 2021 7:05 pm ...when I registered my Yubikey last week Vanguard had a message on the screen saying you had to have 2 security keys registered in order to disable SMS 2FA.
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Yubikey only at Vanguard now possible.
The security flaw means the bad guys only need your user name and password if you don't have SMS 2FA set up. Yubikey won't help.
Northern Flicker wrote: ↑Mon Jul 04, 2022 4:51 pm It is needed to have a secure 2FA on the mobile app. The fact that a thief could add their own number for 2FA after gaining access to your account would be one of the more minor issues you would be facing if a thief gained access to your account.
anon_investor wrote: ↑Sun Jul 03, 2022 8:11 pm Unfortunately that did not close the Vanguard mobile app security flaw, that allows someone to add a new mobile # for SMS 2FA if you do not already have one. So using a Google Voice # for SMS 2FA is still needed to close that loophole.
Silence Dogood wrote: ↑Sun Jul 03, 2022 8:08 pm At least it's an indication that Vanguard might actually be listening to feedback.
anon_investor wrote: ↑Mon May 23, 2022 6:46 pm So they fixed the cosmetic annoyance but not the actual security issue...
Silence Dogood wrote: ↑Mon May 23, 2022 5:27 pm
To Vanguard's credit, they have fixed this specific issue.
For example:
Silence Dogood wrote: ↑Tue Aug 24, 2021 6:48 pm Here are the things that Vanguard should fix:
1. Allow all clients to disable SMS after registering their security keys.
Some of us (including myself) are able to do this now.
As I noted earlier in this thread, I think it would be smart for Vanguard to require at least two security keys to be registered before allowing SMS to be disabled.
However, as you rightfully point out, Vanguard needs to fix the actual security issue.
anon_investor wrote: ↑Sun Dec 05, 2021 7:05 pm ...when I registered my Yubikey last week Vanguard had a message on the screen saying you had to have 2 security keys registered in order to disable SMS 2FA.
-
- Posts: 15371
- Joined: Fri Apr 10, 2015 12:29 am
Re: Yubikey only at Vanguard now possible.
Yes, that is the concern. My point was that the fact that they can register their own phone number if they successfully broke in to the account is not really a security flaw. The flaw is not having 2FA for the app despite having registered Yubikeys unless a text code SMS also is enabled.
anon_investor wrote: ↑Mon Jul 04, 2022 5:21 pm The security flaw means the bad guys only need your user name and password if you don't have SMS 2FA set up. Yubikey won't help.
Northern Flicker wrote: ↑Mon Jul 04, 2022 4:51 pm It is needed to have a secure 2FA on the mobile app. The fact that a thief could add their own number for 2FA after gaining access to your account would be one of the more minor issues you would be facing if a thief gained access to your account.
There is a simple bandaid to close the vulnerability, which is just not to allow logins from the app if no SMS 2FA is enabled. The login process has to check for the 2FA method after the password is confirmed regardless. If it finds none enabled, it should just fail the authentication instead of having it succeed. But Vanguard, like most brokers, seems ok with users not having 2FA enabled.
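The two fixes proposed in this thread (only offering phone numbers already on file, and failing the login when the channel has no enrolled second factor) can be written as a small policy check. This is an added example, not part of any post and not Vanguard's code; the channel names, the `Account` model and the sample phone numbers are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Channel(Enum):
    WEB = "web"
    MOBILE_APP = "mobile_app"


class Decision(Enum):
    CHALLENGE_SECURITY_KEY = "challenge_security_key"
    CHALLENGE_SMS = "challenge_sms"
    DENY = "deny"


@dataclass(frozen=True)
class Outcome:
    decision: Decision
    sms_target: Optional[str] = None


@dataclass
class Account:
    """Hypothetical model of what is enrolled on an account."""
    security_keys: List[str] = field(default_factory=list)
    sms_numbers: List[str] = field(default_factory=list)  # verified, on file


# Assumption taken from the thread: the website accepts security keys,
# while the mobile app only offers SMS codes.
KEY_CAPABLE = {Channel.WEB}


def normalize(number: str) -> str:
    """Reduce a phone number to '+digits' so formatting cannot bypass a match."""
    return "+" + "".join(ch for ch in number if ch.isdigit())


def flawed_next_step(account: Account, channel: Channel,
                     typed_number: Optional[str] = None) -> Outcome:
    """Step after a correct password, modelling the behaviour posters describe:
    a number typed during login is accepted as the SMS destination."""
    if channel in KEY_CAPABLE and account.security_keys:
        return Outcome(Decision.CHALLENGE_SECURITY_KEY)
    if typed_number:
        # The code goes to a number that was never verified for this account,
        # so the "second factor" proves nothing beyond the password.
        return Outcome(Decision.CHALLENGE_SMS, normalize(typed_number))
    if account.sms_numbers:
        return Outcome(Decision.CHALLENGE_SMS, normalize(account.sms_numbers[0]))
    return Outcome(Decision.DENY)


def hardened_next_step(account: Account, channel: Channel,
                       selected_number: Optional[str] = None) -> Outcome:
    """Same step with both proposed fixes applied."""
    if channel in KEY_CAPABLE and account.security_keys:
        return Outcome(Decision.CHALLENGE_SECURITY_KEY)
    on_file = [normalize(n) for n in account.sms_numbers]
    if not on_file:
        # Fail closed: no factor usable on this channel means no login,
        # and nothing can be enrolled from an unauthenticated session.
        return Outcome(Decision.DENY)
    target = normalize(selected_number) if selected_number else on_file[0]
    if target not in on_file:
        # Only numbers already on file may be selected.
        return Outcome(Decision.DENY)
    return Outcome(Decision.CHALLENGE_SMS, target)


# Constructed sample data (fictional 555-01xx numbers).
KEYS_ONLY = Account(security_keys=["yubi5nano", "yubi5nfc"])
KEYS_AND_SMS = Account(security_keys=["yubi5nano"],
                       sms_numbers=["+1 202 555 0143"])
UNKNOWN_NUMBER = "+1 202 555 0199"

if __name__ == "__main__":
    for name, step in (("flawed", flawed_next_step),
                       ("hardened", hardened_next_step)):
        print(name, "keys-only, app, typed number:",
              step(KEYS_ONLY, Channel.MOBILE_APP, UNKNOWN_NUMBER))
        print(name, "keys+sms, app, typed number:",
              step(KEYS_AND_SMS, Channel.MOBILE_APP, UNKNOWN_NUMBER))
```
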
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Yubikey only at Vanguard now possible.
Vanguard needs to fix a lot of stuff in their "new" mobile app...
Northern Flicker wrote: ↑Mon Jul 04, 2022 8:07 pm Yes, that is the concern. My point was that the fact that they can register their own phone number if they successfully broke in to the account is not really a security flaw. The flaw is not having 2FA for the app despite having registered Yubikeys unless a text code SMS also is enabled.
anon_investor wrote: ↑Mon Jul 04, 2022 5:21 pm The security flaw means the bad guys only need your user name and password if you don't have SMS 2FA set up. Yubikey won't help.
Northern Flicker wrote: ↑Mon Jul 04, 2022 4:51 pm It is needed to have a secure 2FA on the mobile app. The fact that a thief could add their own number for 2FA after gaining access to your account would be one of the more minor issues you would be facing if a thief gained access to your account.
There is a simple bandaid to close the vulnerability, which is just not to allow logins from the app if no SMS 2FA is enabled. The login process has to check for the 2FA method after the password is confirmed regardless. If it finds none enabled, it should just fail the authentication instead of having it succeed. But Vanguard, like most brokers, seems ok with users not having 2FA enabled.
Re: Yubikey only at Vanguard now possible.
How have you been able to remove SMS from your account? I have registered 3 keys, one for my wife, one for myself, and a backup. Vanguard won't let me remove the SMS until I remove my keys.
I have contacted Vanguard a few times, but the help desk often don't understand my request.
Registering a Yubikey 5C NFC via Windows 11 at Vanguard?
[Thread merged into here --adminLadyGeek]
Mine work fine when I try them on Yubikey's test site, but I haven't been able to register them at Vanguard. The latest production builds of Brave and Chrome both fail to register the key with a message indicating that a security key can't be registered now (and to please try later).
Later doesn't help. Yubikey confirms that this model is supposed to be supported. Vanguard front-line support was a tad less than informed; 55 minutes later I finally reached a tech support specialist who is researching the issue with no estimated time for resolution.
I see that the 5 CI keys are not supported by Vanguard. Anyone been successful from a Windows machine with a 5C NFC?
Cyclist
Re: Yubikey only at Vanguard now possible.
I merged cyclist's thread into the ongoing discussion. The combined thread is in the Personal Consumer Issues forum.
(Thanks to the member who reported the post and explained what's wrong.)
Re: Registering a Yubikey 5C NFC via Windows 11 at Vanguard?
Disable your adblockers and script-blockers for Vanguard's site and try again.
cyclist wrote: ↑Sat Jul 23, 2022 5:55 pm [Thread merged into here --adminLadyGeek]
Mine work fine when I try them on Yubikey's test site, but I haven't been able to register them at Vanguard. The latest production builds of Brave and Chrome both fail to register the key with a message indicating that a security key can't be registered now (and to please try later).
Later doesn't help. Yubikey confirms that this model is supposed to be supported. Vanguard front-line support was a tad less than informed; 55 minutes later I finally reached a tech support specialist who is researching the issue with no estimated time for resolution.
I see that the 5 CI keys are not supported by Vanguard. Anyone been successful from a Windows machine with a 5C NFC?
Cyclist
Re: Registering a Yubikey 5C NFC via Windows 11 at Vanguard?
Try removing spaces (etc) from your key label. They have somewhat strict format requirements for the key label but don't tell you that's why it fails.
Re: Registering a Yubikey 5C NFC via Windows 11 at Vanguard?
Thanks, but that’s not the issue either.
I’m still hoping to hear from folks who have tried working with this specific model of Yubikey, the 5C NFC, on a Windows machine (preferably Windows 11).
Cyclist
-
- Posts: 1660
- Joined: Tue Feb 01, 2011 8:22 pm
Re: Yubikey only at Vanguard now possible.
I can confirm that the YubiKey 5C NFC works with Vanguard (MacOS, Linux, Windows).
cyclist wrote: ↑Sat Jul 23, 2022 5:55 pm [Thread merged into here --adminLadyGeek]
Mine work fine when I try them on Yubikey's test site, but I haven't been able to register them at Vanguard. The latest production builds of Brave and Chrome both fail to register the key with a message indicating that a security key can't be registered now (and to please try later).
Later doesn't help. Yubikey confirms that this model is supposed to be supported. Vanguard front-line support was a tad less than informed; 55 minutes later I finally reached a tech support specialist who is researching the issue with no estimated time for resolution.
I see that the 5 CI keys are not supported by Vanguard. Anyone been successful from a Windows machine with a 5C NFC?
Cyclist
When I registered my keys with Vanguard (a little over a year ago), it was super easy.
I primarily use Mozilla Firefox - I am certain that I was using Firefox when I first registered my keys.
Re: Yubikey only at Vanguard now possible.
Thanks, that was exactly what I was hoping to hear.
Silence Dogood wrote: ↑Sun Jul 24, 2022 10:22 am I can confirm that the YubiKey 5C NFC works with Vanguard (MacOS, Linux, Windows).
When I registered my keys with Vanguard (a little over a year ago), it was super easy.
I primarily use Mozilla Firefox - I am certain that I was using Firefox when I first registered my keys.
It's not working for me with Firefox on Windows either, so there must be some other issue. (Did you register your keys on a Windows 11 machine?)
Cyclist
Re: Yubikey only at Vanguard now possible.
I have read the first 3 pages of this thread in full and then jumped to the 10th to see if the backdoor had been sealed. (Nope).
Also, I was surprised to see no mention of security questions. Have they been dropped because Vanguard is committed to using this (admittedly weak, deprecated) system of codes by SMS?
I remember locking myself out of Vanguard a very long time ago by forgetting the answers to my security questions (because they were fake answers). This was before everyone owned a cellphone. Maybe Vg got tired of dealing with that and decided to just implement SMS codes partly for that reason. If so, true security has taken a back seat to convenience, moving on to the next customer call.
I do wonder how hard it would be for an institution like Vanguard to work with apps like Authy and make SMS deletable for Yubikey users and users of authenticator apps alike. Come on Vanguard, get it done!
missing madsinger’s monthly reports
Vanguard + Yubikey
[Thread merged into here --admin LadyGeek]
I was thinking of using a Yubikey with my Vanguard account. But when I read the attached, it seems the key only works with web access, and you'll still receive a 2FA code texted to your mobile number if you use Vanguard's mobile app. That seems to defeat the purpose of having a Yubikey. Am I missing something? Thx.
https://icedrive.net/s/ay7WgyWPvXg8QX99Tua2YZ78D7XP
“My opinions are just that - opinions.”
Re: Vanguard + Yubikey
Good question. But my mobile phone requires a separate log in (or FaceID) so there is another factor involved. I don't use mobile devices for financial sites.
Gaston wrote: ↑Mon Jul 25, 2022 11:09 am I was thinking of using a Yubikey with my Vanguard account. But when I read the attached, it seems the key only works with web access, and you'll still receive a 2FA code texted to your mobile number if you use Vanguard's mobile app. That seems to defeat the purpose of having a Yubikey. Am I missing something? Thx.
https://icedrive.net/s/ay7WgyWPvXg8QX99Tua2YZ78D7XP
With an iPhone there is also another feature called Screen Time which can be used to lock an individual app (set screen time to zero).
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
- changingtimes
- Posts: 483
- Joined: Mon Jul 24, 2017 9:28 am
Re: Vanguard + Yubikey
The current Android version of the Vanguard app allows a fingerprint sign-in, and not having to receive a text anymore.
Gaston wrote: ↑Mon Jul 25, 2022 11:09 am I was thinking of using a Yubikey with my Vanguard account. But when I read the attached, it seems the key only works with web access, and you'll still receive a 2FA code texted to your mobile number if you use Vanguard's mobile app. That seems to defeat the purpose of having a Yubikey. Am I missing something? Thx.
https://icedrive.net/s/ay7WgyWPvXg8QX99Tua2YZ78D7XP
Re: Yubikey only at Vanguard now possible.
I merged Gaston's thread into the ongoing discussion. The combined thread is in the Personal Consumer Issues forum (website).
(Thanks to the member who reported the post and provided a link to this thread.)
Re: Yubikey only at Vanguard now possible.
I certainly agree that Vanguard should adopt security keys or authenticator apps for two-factor authentication, both for web access and for access via the Vanguard mobile app. Simply put, SMS for 2FA is an insecure medium.
The people at Vanguard are clever, so I assume it's mostly a question of prioritizing IT spending for an enhancement of this type. Longer term, we'll see if the password-less initiative sponsored by the FIDO Alliance (Apple + Google + Microsoft) makes this discussion moot.
“My opinions are just that - opinions.”
-
- Posts: 1660
- Joined: Tue Feb 01, 2011 8:22 pm
Re: Yubikey only at Vanguard now possible.
I think the most effective thing we can all do is to call Vanguard and let them know that this is important to us. The more they hear about this from their clients, the more likely they are to prioritize this.
I think keeping the request clear and concise is beneficial - "Please implement Yubikey support for the Vanguard mobile app."
- bertilak
- Posts: 10726
- Joined: Tue Aug 02, 2011 5:23 pm
- Location: East of the Pecos, West of the Mississippi
Re: Vanguard + Yubikey
Yes, I use both: YubiKey on laptop and fingerprint on smart phone.
changingtimes wrote: ↑Mon Jul 25, 2022 11:37 am The current Android version of the Vanguard app allows a fingerprint sign-in, and not having to receive a text anymore.
Gaston wrote: ↑Mon Jul 25, 2022 11:09 am I was thinking of using a Yubikey with my Vanguard account. But when I read the attached, it seems the key only works with web access, and you'll still receive a 2FA code texted to your mobile number if you use Vanguard's mobile app. That seems to defeat the purpose of having a Yubikey. Am I missing something? Thx.
https://icedrive.net/s/ay7WgyWPvXg8QX99Tua2YZ78D7XP
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
Re: Yubikey only at Vanguard now possible.
I agree. Let’s all try to convey this message to a Vanguard rep.
Silence Dogood wrote: ↑Tue Jul 26, 2022 5:24 pm I think the most effective thing we can all do is to call Vanguard and let them know that this is important to us. The more they hear about this from their clients, the more likely they are to prioritize this.
“My opinions are just that - opinions.”
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Yubikey only at Vanguard now possible.
When I logged into Vanguard today on my computer with my Yubikey, it has a message to re-register it and now I had to add a passcode. That does make it feel a bit more secure, you need to know my user name, password, have my Yubikey and my Yubikey pass code OR access to my GV SMS.
Re: Yubikey only at Vanguard now possible.
Yes, got this today. I don't have time for a mistake so I deferred. So it was a simple process?
anon_investor wrote: ↑Thu Jul 28, 2022 10:57 pm When I logged into Vanguard today on my computer with my Yubikey, it has a message to re-register it and now I had to add a passcode. That does make it feel a bit more secure, you need to know my user name, password, have my Yubikey and my Yubikey pass code OR access to my GV SMS.
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Yubikey only at Vanguard now possible.
Yes, you basically have to re-register your YubiKey and create a PIN. But be careful typing it in, because they don't ask you to reverify your PIN.
Tubes wrote: ↑Fri Jul 29, 2022 7:33 am Yes, got this today. I don't have time for a mistake so I deferred. So it was a simple process?
anon_investor wrote: ↑Thu Jul 28, 2022 10:57 pm When I logged into Vanguard today on my computer with my Yubikey, it has a message to re-register it and now I had to add a passcode. That does make it feel a bit more secure, you need to know my user name, password, have my Yubikey and my Yubikey pass code OR access to my GV SMS.
- bertilak
- Posts: 10726
- Joined: Tue Aug 02, 2011 5:23 pm
- Location: East of the Pecos, West of the Mississippi
Re: Yubikey only at Vanguard now possible.
I just tried it and it didn't go well. I got through the process and thought it worked because it logged me in. But the next time I tried to log in it failed saying it couldn't read the security pin. I had two keys configured and both resulted in the same error.
Tubes wrote: ↑Fri Jul 29, 2022 7:33 am Yes, got this today. I don't have time for a mistake so I deferred. So it was a simple process?
anon_investor wrote: ↑Thu Jul 28, 2022 10:57 pm When I logged into Vanguard today on my computer with my Yubikey, it has a message to re-register it and now I had to add a passcode. That does make it feel a bit more secure, you need to know my user name, password, have my Yubikey and my Yubikey pass code OR access to my GV SMS.
There were two things I didn't understand (but muddled through anyway)
- It asked me to name the keys. I put in yubi5nano and yubi5nfc as those are the two types of keys I have. I don't know why this is needed but I guess it can't hurt.
- It asked me for a pin. I simply touched the key which gave me the big long OTP numbers. BUT then it asked me to touch the key which again put in a big long OTP number.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Yubikey only at Vanguard now possible.
You need to type in a PIN with your keyboard. Then every time you login you will have to type in that same PIN as well as touching your Yubikey.
bertilak wrote: ↑Fri Jul 29, 2022 7:56 am I just tried it and it didn't go well. I got through the process and thought it worked because it logged me in. But the next time I tried to log in it failed saying it couldn't read the security pin. I had two keys configured and both resulted in the same error.
Tubes wrote: ↑Fri Jul 29, 2022 7:33 am Yes, got this today. I don't have time for a mistake so I deferred. So it was a simple process?
anon_investor wrote: ↑Thu Jul 28, 2022 10:57 pm When I logged into Vanguard today on my computer with my Yubikey, it has a message to re-register it and now I had to add a passcode. That does make it feel a bit more secure, you need to know my user name, password, have my Yubikey and my Yubikey pass code OR access to my GV SMS.
There were two things I didn't understand (but muddled through anyway)
- It asked me to name the keys. I put in yubi5nano and yubi5nfc as those are the two types of keys I have. I don't know why this is needed but I guess it can't hurt.
- It asked me for a pin. I simply touched the key which gave me the big long OTP numbers. BUT then it asked me to touch the key which again put in a big long OTP number.
Now I am locked out. I'll request a security code and start over.
- bertilak
- Posts: 10726
- Joined: Tue Aug 02, 2011 5:23 pm
- Location: East of the Pecos, West of the Mississippi
Re: Yubikey only at Vanguard now possible.
Yeah, just went through the process again and all is well. The PIN thing got me confused; I touched the key when asked for a PIN. Since that gets you a unique string each time, there was no way to re-enter the same pin the next time it was asked for.
anon_investor wrote: ↑Fri Jul 29, 2022 7:58 am You need to type in a PIN with your keyboard. Then every time you login you will have to type in that same PIN as well as touching your Yubikey.
Now (with the pin) it really is "multi factor." I created a 4-digit PIN. I hope that's the kind of thing I was supposed to come up with.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Yubikey only at Vanguard now possible.
Now just don't forget the PIN!
bertilak wrote: ↑Fri Jul 29, 2022 8:07 am Yeah, just went through the process again and all is well. The PIN thing got me confused; I touched the key when asked for a PIN. Since that gets you a unique string each time, there was no way to re-enter the same pin the next time it was asked for.
anon_investor wrote: ↑Fri Jul 29, 2022 7:58 am You need to type in a PIN with your keyboard. Then every time you login you will have to type in that same PIN as well as touching your Yubikey.
Now (with the pin) it really is "multi factor." I created a 4-digit PIN. I hope that's the kind of thing I was supposed to come up with.
-
- Posts: 3509
- Joined: Sun Jan 07, 2018 11:52 am
Re: Yubikey only at Vanguard now possible.
what happens if you lose your Yubikey? Can't someone just use that to login? With my phone it's secured with biometric.
- bertilak
- Posts: 10726
- Joined: Tue Aug 02, 2011 5:23 pm
- Location: East of the Pecos, West of the Mississippi
Re: Yubikey only at Vanguard now possible.
I get it now. By giving the keys names, you know which one to deactivate if you lose it.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
-
- Posts: 262
- Joined: Sun Sep 13, 2020 7:35 pm
Re: Yubikey only at Vanguard now possible.
stocknoob4111 wrote: ↑Fri Jul 29, 2022 8:47 am What happens if you lose your Yubikey? Can't someone just use that to log in? With my phone it's secured with biometric.
Phone accounts can be hijacked and used to execute password recovery schemes to gain access to accounts. Search the web for SIM swapping for more.
-
- Posts: 3509
- Joined: Sun Jan 07, 2018 11:52 am
Re: Yubikey only at Vanguard now possible.
Diluted Waters wrote: ↑Fri Jul 29, 2022 10:20 am Phone accounts can be hijacked and used to execute password recovery schemes to gain access to accounts. Search the web for SIM swapping for more.
Yeah, familiar with the SIM hijack but I switched my primary number to Google Voice now. To me it looks like using GV + securing your Google account with the authenticator should be secure enough. The only issue is with customer service and social engineering. Not much can be done about that, I'm afraid.
Re: Yubikey only at Vanguard now possible.
FYI, Vanguard Web Technical Support has concluded that they do not support the Yubikey 5C NFC. Phooey.
It ought to work because they are now focusing on FIDO2 support, which that key includes.
They suggest I try another model of key.
Cyclist
Re: Yubikey only at Vanguard now possible.
stocknoob4111 wrote: ↑Fri Jul 29, 2022 8:47 am What happens if you lose your Yubikey? Can't someone just use that to log in? With my phone it's secured with biometric.
No, they still need your username and password ("something you know") and the Security Key ("something you have").
The key isn't specific to one service either, so how would someone that picked your Yubikey up off the ground know what services/websites that key works with? The only thing they get is a free Yubikey.
- bertilak
- Posts: 10726
- Joined: Tue Aug 02, 2011 5:23 pm
- Location: East of the Pecos, West of the Mississippi
Re: Yubikey only at Vanguard now possible.
I have a Yubikey 5C NFC -- just looked at the packaging and the Yubikey Manager to be sure. It works as I expect, even after reconfiguring it to comply with the new PIN method.
So, I am confused!
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
Re: Yubikey only at Vanguard now possible.
I suspect there may be a bit of confusion about this at Vanguard as well.
Perhaps they made a change that now prevents those keys from registering? Or there is something about my Windows 11 laptop configuration that they can’t handle (and that they don’t want to take the time to figure out)?
Those keys work for me elsewhere, just not for Vanguard. Sigh.
Cyclist
Re: Yubikey only at Vanguard now possible.
Much of the interaction with a FIDO2 security key is with the browser. So, the question is what browser are you using and is it up to date? I have seen warnings (although I have not verified) that if Chrome has an outstanding update the FIDO2/WebAuthn functionality will not work properly.
- bertilak
- Posts: 10726
- Joined: Tue Aug 02, 2011 5:23 pm
- Location: East of the Pecos, West of the Mississippi
Re: Yubikey only at Vanguard now possible.
StrongMBS wrote: ↑Fri Jul 29, 2022 5:08 pm Much of the interaction with a FIDO2 security key is with the browser. So, the question is what browser are you using and is it up to date? I have seen warnings (although I have not verified) that if Chrome has an outstanding update the FIDO2/WebAuthn functionality will not work properly.
It works for me. I use Microsoft Edge, which is a Chrome derivative.
Windows does tend to keep things updated.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
Re: Yubikey only at Vanguard now possible.
Hmmm so I tried deleting one of my keys, then re-registered it from the same key management page and it didn't seem to ask for a pin. So I guess they are still allowing old-style registrations that way?
Re: Yubikey only at Vanguard now possible.
What kind of key was it? Does it support FIDO2? I believe there is a flaw in their programming, and it will let you register a key that does not support FIDO2 PIN functionality and not ask for a PIN. Since it let me register a Yubico Neo (an old key type that only supports FIDO/U2F and not FIDO2/WebAuthn), I would be cautious counting on these keys to work after the September 20th cutoff date.
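The PIN question raised in this thread maps to a single bit that a relying party can check. As an added example (not part of the thread and not Vanguard's code), this parses the WebAuthn authenticator data header and rejects a response whose user-verified flag is unset, which is all a U2F-only key can produce; the RP ID and sample bytes are constructed for illustration.

```python
import hashlib
import struct

# Flag bits in the WebAuthn authenticator data flags byte.
FLAG_UP = 0x01  # user present (the key was touched)
FLAG_UV = 0x04  # user verified (the key checked a PIN or biometric)


def parse_auth_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte header: rpIdHash, flags, signCount."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def check_user_verification(auth_data: bytes, rp_id: str,
                            require_uv: bool = True) -> str:
    """Return 'ok', or the reason a relying party should reject."""
    parsed = parse_auth_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return "rp_id mismatch"
    if not parsed["up"]:
        return "user not present"
    if require_uv and not parsed["uv"]:
        return "user verification (PIN) missing"
    return "ok"


def build_sample(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed sample header; no credential data is appended."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


RP_ID = "example.test"  # hypothetical relying-party ID (assumption)
touch_only = build_sample(RP_ID, FLAG_UP)               # touch, no PIN
touch_and_pin = build_sample(RP_ID, FLAG_UP | FLAG_UV)  # touch plus PIN

if __name__ == "__main__":
    print(check_user_verification(touch_only, RP_ID))
    print(check_user_verification(touch_and_pin, RP_ID))
```

A real relying party would also verify the signature, challenge and origin; only the flag check is shown here.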
Re: Yubikey only at Vanguard now possible.
StrongMBS wrote: ↑Fri Jul 29, 2022 7:39 pm What kind of key was it? Does it support FIDO2? I believe there is a flaw in their programming, and it will let you register a key that does not support FIDO2 PIN functionality and not ask for a PIN. Since it let me register a Yubico Neo (an old key type that only supports FIDO/U2F and not FIDO2/WebAuthn), I would be cautious counting on these keys to work after the September 20th cutoff date.
It is a YubiKey 5 NFC (not a 5c); website says it supported FIDO2.
I'm using FF 104.b03 but I also tried MS Edge 103.0.1264.77 (Official build) (64-bit) and got the same error. Both are supposed to support FIDO2
And yes that's my worry come 20 Sep if this can't be figured out.
ETA: I'm not sure I ran into the bug you describe but instead I was re-registering my key on the old site (old format) where they also send you to delete keys, but the failure was happening on the new updated site where it uses the terminology about "upgrading" my key. The old formatted site makes no overt mention of upgrading or FIDO2 though their terms of service do mention FIDO2
ETA2: and it appears as if things are working correctly here https://webauthn.bin.coffee/
ETA3: has anyone had any better luck setting a PIN via Yubi Manager first? I'm reluctant to try quite yet until I do more research.
Re: Yubikey only at Vanguard now possible.
mouth wrote: ↑Fri Jul 29, 2022 8:08 pm
StrongMBS wrote: ↑Fri Jul 29, 2022 7:39 pm What kind of key was it? Does it support FIDO2? I believe there is a flaw in their programming, and it will let you register a key that does not support FIDO2 PIN functionality and not ask for a PIN. Since it let me register a Yubico Neo (an old key type that only supports FIDO/U2F and not FIDO2/WebAuthn), I would be cautious counting on these keys to work after the September 20th cutoff date.
It is a YubiKey 5 NFC (not a 5c); website says it supported FIDO2.
I'm using FF 104.b03 but I also tried MS Edge 103.0.1264.77 (Official build) (64-bit) and got the same error. Both are supposed to support FIDO2
And yes that's my worry come 20 Sep if this can't be figured out.
ETA: I'm not sure I ran into the bug you describe but instead I was re-registering my key on the old site (old format) where they also send you to delete keys, but the failure was happening on the new updated site where it uses the terminology about "upgrading" my key. The old formatted site makes no overt mention of upgrading or FIDO2 though their terms of service do mention FIDO2
ETA2: and it appears as if things are working correctly here https://webauthn.bin.coffee/
ETA3: has anyone had any better luck setting a PIN via Yubi Manager first? I'm reluctant to try quite yet until I do more research.
I believe that if the key already has a FIDO2 PIN in it then you won't be asked to enter and then reenter a new PIN when you register the key. I have used Yubi Manager to change a PIN and that does work and the Vanguard login works with the new PIN.
-
- Posts: 3509
- Joined: Sun Jan 07, 2018 11:52 am
Re: Yubikey only at Vanguard now possible.
No biometric keys are supported, am I reading it right?
https://www.yubico.com/works-with-yubik ... 20accounts.
Would prefer to use a Yubikey that has additional biometric verification.
https://www.yubico.com/products/yubikey-bio-series/