Yubikey only at Vanguard now possible.

anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

K72 wrote: Fri Jun 03, 2022 1:33 pm Finally got Vanguard 2FA set up using Yubikeys plus GV, and secured Google account with Yubikeys and no SMS 2FA. Confirmed the V mobile app uses GV for SMS 2FA and does not give a choice for another number. Couple of hiccups though:

- When I first tried to set up Yubikeys in Vanguard I already had a key inserted and got an error message. Had to remove the Yubikey and start over. Worked ok then.

- Before installing the mobile app I wanted to validate the phone number change to GV, but couldn't figure out an easy way to do it, so I deleted the Yubikeys, logged out, then logged back in to utilize 2FA SMS to the GV number. I then re-registered the Yubikeys. Kind of convoluted but got the job done
Congrats!
MrJedi
Posts: 3540
Joined: Wed May 06, 2020 11:42 am

Re: Yubikey only at Vanguard now possible.

Post by MrJedi »

K72 wrote: Fri Jun 03, 2022 1:33 pm - Before installing the mobile app I wanted to validate the phone number change to GV, but couldn't figure out an easy way to do it, so I deleted the Yubikeys, logged out, then logged back in to utilize 2FA SMS to the GV number. I then re-registered the Yubikeys. Kind of convoluted but got the job done
You can also just go to the website on a mobile device to prompt the SMS authentication.
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Update on Vanguard mobile app security

Post by Silence Dogood »

conundrum wrote: Sat May 21, 2022 2:18 pm In regards to Vanguard's Mobile app security I spoke with one of their IT team yesterday and he stated that at this time you could not change your 2 FA info on the app but had to use the website.
It's concerning that Vanguard's IT team is seemingly unaware of this issue.
Silence Dogood wrote: Wed Jul 21, 2021 11:49 am When I sign in using a web browser, I do not see any option to use a security code (SMS) as a backup (I looked carefully for it).

However, I just downloaded the mobile app to test this out...

Disappointingly, when I attempt to sign in, it prompts me to re-enable security codes. There is a drop-down menu that shows my phone number and another option that actually allows me to enter a new phone number to send a security code to. I did not actually go ahead and test that out, but presumably an attacker could actually enter any phone number and use that to get in. :shock:
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

anon_investor wrote: Mon May 23, 2022 6:46 pm
Silence Dogood wrote: Mon May 23, 2022 5:27 pm
Silence Dogood wrote: Tue Aug 24, 2021 6:48 pm Here are the things that Vanguard should fix:

...

3. Require the security key for every log in - but stop asking whether or not the device should be recognized.

Apparently Vanguard does require the security key to be used with every log in - which is best practice. However, for whatever reason, Vanguard continues to ask whether or not the device being used is private or public. Whichever option is chosen seems to not have any effect. This is a lower priority issue, since it's more of a design/aesthetic issue, but it should still be fixed.
To Vanguard's credit, they have fixed this specific issue.
So they fixed the cosmetic annoyance but not the actual security issue...
At least it's an indication that Vanguard might actually be listening to feedback.

For example:
Silence Dogood wrote: Tue Aug 24, 2021 6:48 pm Here are the things that Vanguard should fix:

1. Allow all clients to disable SMS after registering their security keys.

Some of us (including myself) are able to do this now.

As I noted earlier in this thread, I think it would be smart for Vanguard to require at least two security keys to be registered before allowing SMS to be disabled.
anon_investor wrote: Sun Dec 05, 2021 7:05 pm ...when I registered my Yubikey last week Vanguard had a message on the screen saying you had to have 2 security keys registered in order to disable SMS 2FA.
However, as you rightfully point out, Vanguard needs to fix the actual security issue.
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

Silence Dogood wrote: Sun Jul 03, 2022 8:08 pm
anon_investor wrote: Mon May 23, 2022 6:46 pm
Silence Dogood wrote: Mon May 23, 2022 5:27 pm
Silence Dogood wrote: Tue Aug 24, 2021 6:48 pm Here are the things that Vanguard should fix:

...

3. Require the security key for every log in - but stop asking whether or not the device should be recognized.

Apparently Vanguard does require the security key to be used with every log in - which is best practice. However, for whatever reason, Vanguard continues to ask whether or not the device being used is private or public. Whichever option is chosen seems to not have any effect. This is a lower priority issue, since it's more of a design/aesthetic issue, but it should still be fixed.
To Vanguard's credit, they have fixed this specific issue.
So they fixed the cosmetic annoyance but not the actual security issue...
At least it's an indication that Vanguard might actually be listening to feedback.

For example:
Silence Dogood wrote: Tue Aug 24, 2021 6:48 pm Here are the things that Vanguard should fix:

1. Allow all clients to disable SMS after registering their security keys.

Some of us (including myself) are able to do this now.

As I noted earlier in this thread, I think it would be smart for Vanguard to require at least two security keys to be registered before allowing SMS to be disabled.
anon_investor wrote: Sun Dec 05, 2021 7:05 pm ...when I registered my Yubikey last week Vanguard had a message on the screen saying you had to have 2 security keys registered in order to disable SMS 2FA.
However, as you rightfully point out, Vanguard needs to fix the actual security issue.
Unfortunately that did not close the Vanguard mobile app security flaw, that allows someone to add a new mobile # for SMS 2FA if you do not already have one. So using a Google Voice # for SMS 2FA is still needed to close that loophole.
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

anon_investor wrote: Sun Jul 03, 2022 8:11 pm Unfortunately that did not close the Vanguard mobile app security flaw, that allows someone to add a new mobile # for SMS 2FA if you do not already have one.
Correct - Vanguard needs to fix the security flaw with their mobile app (I notified them about this last July).

As I've mentioned repeatedly, the quick fix - that Vanguard should implement immediately - would be to get rid of the ability to enter any new phone number to send a code to (only allow the selection of a phone number already on file). The best solution would be to implement Yubikey support for the mobile app.

What is tragic is that Vanguard is so close to getting this right - and actually being ahead of the competition (at the vanguard of, if you will) but the security flaw with the mobile app is so egregious that they've managed to snatch defeat from the jaws of victory.
Northern Flicker
Posts: 15371
Joined: Fri Apr 10, 2015 12:29 am

Re: Yubikey only at Vanguard now possible.

Post by Northern Flicker »

anon_investor wrote: Sun Jul 03, 2022 8:11 pm
Silence Dogood wrote: Sun Jul 03, 2022 8:08 pm
anon_investor wrote: Mon May 23, 2022 6:46 pm
Silence Dogood wrote: Mon May 23, 2022 5:27 pm
Silence Dogood wrote: Tue Aug 24, 2021 6:48 pm Here are the things that Vanguard should fix:

...

3. Require the security key for every log in - but stop asking whether or not the device should be recognized.

Apparently Vanguard does require the security key to be used with every log in - which is best practice. However, for whatever reason, Vanguard continues to ask whether or not the device being used is private or public. Whichever option is chosen seems to not have any effect. This is a lower priority issue, since it's more of a design/aesthetic issue, but it should still be fixed.
To Vanguard's credit, they have fixed this specific issue.
So they fixed the cosmetic annoyance but not the actual security issue...
At least it's an indication that Vanguard might actually be listening to feedback.

For example:
Silence Dogood wrote: Tue Aug 24, 2021 6:48 pm Here are the things that Vanguard should fix:

1. Allow all clients to disable SMS after registering their security keys.

Some of us (including myself) are able to do this now.

As I noted earlier in this thread, I think it would be smart for Vanguard to require at least two security keys to be registered before allowing SMS to be disabled.
anon_investor wrote: Sun Dec 05, 2021 7:05 pm ...when I registered my Yubikey last week Vanguard had a message on the screen saying you had to have 2 security keys registered in order to disable SMS 2FA.
However, as you rightfully point out, Vanguard needs to fix the actual security issue.
Unfortunately that did not close the Vanguard mobile app security flaw, that allows someone to add a new mobile # for SMS 2FA if you do not already have one. So using a Google Voice # for SMS 2FA is still needed to close that loophole.
It is needed to have a secure 2FA on the mobile app. The fact that a thief could add their own number for 2FA after gaining access to your account would be one of the more minor issues you would be facing if a thief gained access to your account.
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

Northern Flicker wrote: Mon Jul 04, 2022 4:51 pm
anon_investor wrote: Sun Jul 03, 2022 8:11 pm
Silence Dogood wrote: Sun Jul 03, 2022 8:08 pm
anon_investor wrote: Mon May 23, 2022 6:46 pm
Silence Dogood wrote: Mon May 23, 2022 5:27 pm

To Vanguard's credit, they have fixed this specific issue.
So they fixed the cosmetic annoyance but not the actual security issue...
At least it's an indication that Vanguard might actually be listening to feedback.

For example:
Silence Dogood wrote: Tue Aug 24, 2021 6:48 pm Here are the things that Vanguard should fix:

1. Allow all clients to disable SMS after registering their security keys.

Some of us (including myself) are able to do this now.

As I noted earlier in this thread, I think it would be smart for Vanguard to require at least two security keys to be registered before allowing SMS to be disabled.
anon_investor wrote: Sun Dec 05, 2021 7:05 pm ...when I registered my Yubikey last week Vanguard had a message on the screen saying you had to have 2 security keys registered in order to disable SMS 2FA.
However, as you rightfully point out, Vanguard needs to fix the actual security issue.
Unfortunately that did not close the Vanguard mobile app security flaw, that allows someone to add a new mobile # for SMS 2FA if you do not already have one. So using a Google Voice # for SMS 2FA is still needed to close that loophole.
It is needed to have a secure 2FA on the mobile app. The fact that a thief could add their own number for 2FA after gaining access to your account would be one of the more minor issues you would be facing if a thief gained access to your account.
The security flaw means the bad guys only need your user name and password if you don't have SMS 2FA set up. Yubikey won't help.
Northern Flicker
Posts: 15371
Joined: Fri Apr 10, 2015 12:29 am

Re: Yubikey only at Vanguard now possible.

Post by Northern Flicker »

anon_investor wrote: Mon Jul 04, 2022 5:21 pm
Northern Flicker wrote: Mon Jul 04, 2022 4:51 pm It is needed to have a secure 2FA on the mobile app. The fact that a thief could add their own number for 2FA after gaining access to your account would be one of the more minor issues you would be facing if a thief gained access to your account.
The security flaw means the bad guys only need your user name and password if you don't have SMS 2FA set up. Yubikey won't help.
Yes, that is the concern. My point was that the fact that they can register their own phone number if they successfully broke in to the account is not really a security flaw. The flaw is not having 2FA for the app despite having registered Yubikeys unless a text code SMS also is enabled.

There is a simple bandaid to close the vulnerability, which is just not to allow logins from the app if no SMS 2FA is enabled. The login process has to check for the 2FA method after the password is confirmed regardless. If it finds none enabled, it should just fail the authentication instead of having it succeed. But Vanguard, like most brokers, seems ok with users not having 2FA enabled.
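An added example (not Vanguard's code and not posted by any participant) that models the login decision discussed above: the behaviour posters report for the mobile app, next to a version that applies both Northern Flicker's band-aid (fail the login when no second factor usable on that channel is enrolled) and Silence Dogood's quick fix (send codes only to a number already on file). The `Account` fields, channel names, function names and phone numbers are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Decision(Enum):
    DENY = "deny"
    CHALLENGE_SECURITY_KEY = "challenge_security_key"
    SEND_SMS_CODE = "send_sms_code"
    PROMPT_FOR_PHONE_NUMBER = "prompt_for_phone_number"


@dataclass
class Account:
    security_keys: List[str] = field(default_factory=list)  # labels of registered keys
    sms_numbers: List[str] = field(default_factory=list)    # numbers enabled for SMS codes


# Assumption taken from the thread: the website accepts security keys,
# the mobile app only offers SMS codes.
CHANNEL_FACTORS = {"web": ("security_key", "sms"), "mobile_app": ("sms",)}

Result = Tuple[Decision, Optional[str]]  # (decision, number the code is sent to)


def login_as_reported(acct: Account, channel: str, password_ok: bool,
                      entered_number: Optional[str] = None) -> Result:
    """Model of the behaviour posters describe; not confirmed vendor logic."""
    if not password_ok:
        return (Decision.DENY, None)
    if "security_key" in CHANNEL_FACTORS[channel] and acct.security_keys:
        return (Decision.CHALLENGE_SECURITY_KEY, None)
    if acct.sms_numbers:
        # A number on file (e.g. the Google Voice number) is the only destination.
        return (Decision.SEND_SMS_CODE, acct.sms_numbers[0])
    if entered_number is not None:
        # Flaw: with no number on file, a number typed at login is accepted,
        # so the password alone decides who receives the code.
        return (Decision.SEND_SMS_CODE, entered_number)
    return (Decision.PROMPT_FOR_PHONE_NUMBER, None)


def login_hardened(acct: Account, channel: str, password_ok: bool,
                   entered_number: Optional[str] = None) -> Result:
    """Same flow with both fixes proposed in the thread applied."""
    if not password_ok:
        return (Decision.DENY, None)
    if "security_key" in CHANNEL_FACTORS[channel] and acct.security_keys:
        return (Decision.CHALLENGE_SECURITY_KEY, None)
    if "sms" in CHANNEL_FACTORS[channel] and acct.sms_numbers:
        target = entered_number if entered_number is not None else acct.sms_numbers[0]
        # Quick fix: only a number already on file may receive a code.
        if target not in acct.sms_numbers:
            return (Decision.DENY, None)
        return (Decision.SEND_SMS_CODE, target)
    # Band-aid: no second factor usable on this channel, so fail closed
    # instead of letting the login continue on the password alone.
    return (Decision.DENY, None)


# Constructed sample accounts (555-01xx numbers are reserved for fiction).
KEYS_ONLY = Account(security_keys=["key-a", "key-b"])
KEYS_PLUS_GV = Account(security_keys=["key-a", "key-b"], sms_numbers=["+12025550123"])
UNKNOWN_NUMBER = "+12025550199"  # a number that is not on file

if __name__ == "__main__":
    for name, acct in (("keys only", KEYS_ONLY), ("keys + GV", KEYS_PLUS_GV)):
        for fn in (login_as_reported, login_hardened):
            decision, target = fn(acct, "mobile_app", True, UNKNOWN_NUMBER)
            print(f"{name:10} {fn.__name__:18} -> {decision.value} {target or ''}")
```

Running it shows why the Google Voice workaround helps in the reported flow: once a number is on file, the typed-in number is never used as the destination.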
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

Northern Flicker wrote: Mon Jul 04, 2022 8:07 pm
anon_investor wrote: Mon Jul 04, 2022 5:21 pm
Northern Flicker wrote: Mon Jul 04, 2022 4:51 pm It is needed to have a secure 2FA on the mobile app. The fact that a thief could add their own number for 2FA after gaining access to your account would be one of the more minor issues you would be facing if a thief gained access to your account.
The security flaw means the bad guys only need your user name and password if you don't have SMS 2FA set up. Yubikey won't help.
Yes, that is the concern. My point was that the fact that they can register their own phone number if they successfully broke in to the account is not really a security flaw. The flaw is not having 2FA for the app despite having registered Yubikeys unless a text code SMS also is enabled.

There is a simple bandaid to close the vulnerability, which is just not to allow logins from the app if no SMS 2FA is enabled. The login process has to check for the 2FA method after the password is confirmed regardless. If it finds none enabled, it should just fail the authentication instead of having it succeed. But Vanguard, like most brokers, seems ok with users not having 2FA enabled.
Vanguard needs to fix a lot of stuff in their "new" mobile app...
gavinsiu
Posts: 4544
Joined: Sun Nov 14, 2021 11:42 am

Re: Yubikey only at Vanguard now possible.

Post by gavinsiu »

How have you been able to remove SMS from your account? I have registered 3 keys, one for my wife, one for myself, and a backup. Vanguard won't let me remove the SMS until I remove my keys.

I have contacted Vanguard a few times, but the help desk often don't understand my request.
cyclist
Posts: 322
Joined: Fri Jun 21, 2013 9:04 am

Registering a Yubikey 5C NFC via Windows 11 at Vanguard?

Post by cyclist »

[Thread merged into here --admin LadyGeek]

Mine work fine when I try them on Yubikey's test site, but I haven't been able to register them at Vanguard. The latest production builds of Brave and Chrome both fail to register the key with a message indicating that a security key can't be registered now (and to please try later).

Later doesn't help. Yubikey confirms that this model is supposed to be supported. Vanguard front-line support was a tad less than informed; 55 minutes later I finally reached a tech support specialist who is researching the issue with no estimated time for resolution.

I see that the 5 CI keys are not supported by Vanguard. Anyone been successful from a Windows machine with a 5C NFC?

Cyclist
LadyGeek
Site Admin
Posts: 95704
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: Yubikey only at Vanguard now possible.

Post by LadyGeek »

I merged cyclist's thread into the ongoing discussion. The combined thread is in the Personal Consumer Issues forum.

(Thanks to the member who reported the post and explained what's wrong.)
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
kevinf
Posts: 849
Joined: Mon Aug 05, 2019 11:35 pm

Re: Registering a Yubikey 5C NFC via Windows 11 at Vanguard?

Post by kevinf »

cyclist wrote: Sat Jul 23, 2022 5:55 pm [Thread merged into here --admin LadyGeek]

Mine work fine when I try them on Yubikey's test site, but I haven't been able to register them at Vanguard. The latest production builds of Brave and Chrome both fail to register the key with a message indicating that a security key can't be registered now (and to please try later).

Later doesn't help. Yubikey confirms that this model is supposed to be supported. Vanguard front-line support was a tad less than informed; 55 minutes later I finally reached a tech support specialist who is researching the issue with no estimated time for resolution.

I see that the 5 CI keys are not supported by Vanguard. Anyone been successful from a Windows machine with a 5C NFC?

Cyclist
Disable your adblockers and script-blockers for Vanguard's site and try again.
cyclist
Posts: 322
Joined: Fri Jun 21, 2013 9:04 am

Re: Registering a Yubikey 5C NFC via Windows 11 at Vanguard?

Post by cyclist »

kevinf wrote: Sat Jul 23, 2022 7:04 pm Disable your adblockers and script-blockers for Vanguard's site and try again.
Thanks, but that doesn't do it. Neither does allowing popups (or redirects, for that matter).

Cyclist
sfly510
Posts: 53
Joined: Tue Feb 12, 2019 8:23 am

Re: Registering a Yubikey 5C NFC via Windows 11 at Vanguard?

Post by sfly510 »

cyclist wrote: Sat Jul 23, 2022 9:13 pm
kevinf wrote: Sat Jul 23, 2022 7:04 pm Disable your adblockers and script-blockers for Vanguard's site and try again.
Thanks, but that doesn't do it. Neither does allowing popups (or redirects, for that matter).

Cyclist
Try removing spaces (etc) from your key label. They have somewhat strict format requirements for the key label but don't tell you that's why it fails.
cyclist
Posts: 322
Joined: Fri Jun 21, 2013 9:04 am

Re: Registering a Yubikey 5C NFC via Windows 11 at Vanguard?

Post by cyclist »

sfly510 wrote: Sun Jul 24, 2022 6:36 am Try removing spaces (etc) from your key label. They have somewhat strict format requirements for the key label but don't tell you that's why it fails.
Thanks, but that’s not the issue either.

I’m still hoping to hear from folks who have tried working with this specific model of Yubikey, the 5C NFC, on a Windows machine (preferably Windows 11).

Cyclist
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

cyclist wrote: Sat Jul 23, 2022 5:55 pm [Thread merged into here --admin LadyGeek]

Mine work fine when I try them on Yubikey's test site, but I haven't been able to register them at Vanguard. The latest production builds of Brave and Chrome both fail to register the key with a message indicating that a security key can't be registered now (and to please try later).

Later doesn't help. Yubikey confirms that this model is supposed to be supported. Vanguard front-line support was a tad less than informed; 55 minutes later I finally reached a tech support specialist who is researching the issue with no estimated time for resolution.

I see that the 5 CI keys are not supported by Vanguard. Anyone been successful from a Windows machine with a 5C NFC?

Cyclist
I can confirm that the YubiKey 5C NFC works with Vanguard (MacOS, Linux, Windows).

When I registered my keys with Vanguard (a little over a year ago), it was super easy.

I primarily use Mozilla Firefox - I am certain that I was using Firefox when I first registered my keys.
cyclist
Posts: 322
Joined: Fri Jun 21, 2013 9:04 am

Re: Yubikey only at Vanguard now possible.

Post by cyclist »

Silence Dogood wrote: Sun Jul 24, 2022 10:22 am I can confirm that the YubiKey 5C NFC works with Vanguard (MacOS, Linux, Windows).

When I registered my keys with Vanguard (a little over a year ago), it was super easy.

I primarily use Mozilla Firefox - I am certain that I was using Firefox when I first registered my keys.
Thanks, that was exactly what I was hoping to hear.

It's not working for me with Firefox on Windows either, so there must be some other issue. (Did you register your keys on a Windows 11 machine?)

Cyclist
Bagels
Posts: 145
Joined: Mon Apr 12, 2021 9:08 am

Re: Yubikey only at Vanguard now possible.

Post by Bagels »

I have read the first 3 pages of this thread in full and then jumped to the 10th to see if the backdoor had been sealed. (Nope).

Also, I was surprised to see no mention of security questions. Have they been dropped because Vanguard is committed to using this (admittedly weak, deprecated) system of codes by SMS?

I remember locking myself out of Vanguard a very long time ago by forgetting the answers to my security questions (because they were fake answers). This was before everyone owned a cellphone. Maybe Vg got tired of dealing with that and decided to just implement SMS codes partly for that reason. If so, true security has taken a back seat to convenience, moving on to the next customer call.

I do wonder how hard it would be for an institution like Vanguard to work with apps like Authy and make SMS deletable for Yubikey users and users of authenticator apps alike. Come on Vanguard, get it done!
missing madsinger’s monthly reports
Gaston
Posts: 1220
Joined: Wed Aug 21, 2013 7:12 pm

Vanguard + Yubikey

Post by Gaston »

[Thread merged into here --admin LadyGeek]

I was thinking of using a Yubikey with my Vanguard account. But when I read the attached, it seems the key only works with web access, and you'll still receive a 2FA code texted to your mobile number if you use Vanguard's mobile app. That seems to defeat the purpose of having a Yubikey. Am I missing something? Thx.

https://icedrive.net/s/ay7WgyWPvXg8QX99Tua2YZ78D7XP
“My opinions are just that - opinions.”
jebmke
Posts: 25479
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Vanguard + Yubikey

Post by jebmke »

Gaston wrote: Mon Jul 25, 2022 11:09 am I was thinking of using a Yubikey with my Vanguard account. But when I read the attached, it seems the key only works with web access, and you'll still receive a 2FA code texted to your mobile number if you use Vanguard's mobile app. That seems to defeat the purpose of having a Yubikey. Am I missing something? Thx.

https://icedrive.net/s/ay7WgyWPvXg8QX99Tua2YZ78D7XP
Good question. But my mobile phone requires a separate log in (or FaceID) so there is another factor involved. I don't use mobile devices for financial sites.

With an iPhone there is also another feature called Screen Time which can be used to lock an individual app (set screen time to zero).
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
changingtimes
Posts: 483
Joined: Mon Jul 24, 2017 9:28 am

Re: Vanguard + Yubikey

Post by changingtimes »

Gaston wrote: Mon Jul 25, 2022 11:09 am I was thinking of using a Yubikey with my Vanguard account. But when I read the attached, it seems the key only works with web access, and you'll still receive a 2FA code texted to your mobile number if you use Vanguard's mobile app. That seems to defeat the purpose of having a Yubikey. Am I missing something? Thx.

https://icedrive.net/s/ay7WgyWPvXg8QX99Tua2YZ78D7XP
The current Android version of the Vanguard app allows a fingerprint sign-in, and not having to receive a text anymore.
LadyGeek
Site Admin
Posts: 95704
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: Yubikey only at Vanguard now possible.

Post by LadyGeek »

I merged Gaston's thread into the ongoing discussion. The combined thread is in the Personal Consumer Issues forum (website).

(Thanks to the member who reported the post and provided a link to this thread.)
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
Gaston
Posts: 1220
Joined: Wed Aug 21, 2013 7:12 pm

Re: Yubikey only at Vanguard now possible.

Post by Gaston »

Bagels wrote: Sun Jul 24, 2022 1:33 pm I do wonder how hard it would be for an institution like Vanguard to work with apps like Authy and make SMS deletable for Yubikey users and users of authenticator apps alike. Come on Vanguard, get it done!
I certainly agree that Vanguard should adopt security keys or authenticator apps for two-factor authentication, both for web access and for access via the Vanguard mobile app. Simply put, SMS for 2FA is an insecure medium.

The people at Vanguard are clever, so I assume it's mostly a question of prioritizing IT spending for an enhancement of this type. Longer term, we'll see if the password-less initiative sponsored by the FIDO Alliance (Apple + Google + Microsoft) makes this discussion moot.
“My opinions are just that - opinions.”
Silence Dogood
Posts: 1660
Joined: Tue Feb 01, 2011 8:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

Bagels wrote: Sun Jul 24, 2022 1:33 pm Come on Vanguard, get it done!
I think the most effective thing we can all do is to call Vanguard and let them know that this is important to us. The more they hear about this from their clients, the more likely they are to prioritize this.

I think keeping the request clear and concise is beneficial - "Please implement Yubikey support for the Vanguard mobile app."
bertilak
Posts: 10726
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Vanguard + Yubikey

Post by bertilak »

changingtimes wrote: Mon Jul 25, 2022 11:37 am
Gaston wrote: Mon Jul 25, 2022 11:09 am I was thinking of using a Yubikey with my Vanguard account. But when I read the attached, it seems the key only works with web access, and you'll still receive a 2FA code texted to your mobile number if you use Vanguard's mobile app. That seems to defeat the purpose of having a Yubikey. Am I missing something? Thx.

https://icedrive.net/s/ay7WgyWPvXg8QX99Tua2YZ78D7XP
The current Android version of the Vanguard app allows a fingerprint sign-in, and not having to receive a text anymore.
Yes, I use both: YubiKey on laptop and fingerprint on smart phone.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
Gaston
Posts: 1220
Joined: Wed Aug 21, 2013 7:12 pm

Re: Yubikey only at Vanguard now possible.

Post by Gaston »

Silence Dogood wrote: Tue Jul 26, 2022 5:24 pm I think the most effective thing we can all do is to call Vanguard and let them know that this is important to us. The more they hear about this from their clients, the more likely they are to prioritize this.
I agree. Let’s all try to convey this message to a Vanguard rep.
“My opinions are just that - opinions.”
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

When I logged into Vanguard today on my computer with my Yubikey, it has a message to re-register it and now I had to add a passcode. That does make it feel a bit more secure, you need to know my user name, password, have my Yubikey and my Yubikey pass code OR access to my GV SMS.
Tubes
Posts: 1883
Joined: Wed Apr 22, 2020 6:33 am

Re: Yubikey only at Vanguard now possible.

Post by Tubes »

anon_investor wrote: Thu Jul 28, 2022 10:57 pm When I logged into Vanguard today on my computer with my Yubikey, it has a message to re-register it and now I had to add a passcode. That does make it feel a bit more secure, you need to know my user name, password, have my Yubikey and my Yubikey pass code OR access to my GV SMS.
Yes, got this today. I don't have time for a mistake so I deferred. So it was a simple process?
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

Tubes wrote: Fri Jul 29, 2022 7:33 am
anon_investor wrote: Thu Jul 28, 2022 10:57 pm When I logged into Vanguard today on my computer with my Yubikey, it has a message to re-register it and now I had to add a passcode. That does make it feel a bit more secure, you need to know my user name, password, have my Yubikey and my Yubikey pass code OR access to my GV SMS.
Yes, got this today. I don't have time for a mistake so I deferred. So it was a simple process?
Yes, you basically have to re-register your YubiKey and create a PIN. But be careful typing it in, because they don't ask you to reverify your PIN.
bertilak
Posts: 10726
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Yubikey only at Vanguard now possible.

Post by bertilak »

Tubes wrote: Fri Jul 29, 2022 7:33 am
anon_investor wrote: Thu Jul 28, 2022 10:57 pm When I logged into Vanguard today on my computer with my Yubikey, it has a message to re-register it and now I had to add a passcode. That does make it feel a bit more secure, you need to know my user name, password, have my Yubikey and my Yubikey pass code OR access to my GV SMS.
Yes, got this today. I don't have time for a mistake so I deferred. So it was a simple process?
I just tried it and it didn't go well. I got through the process and thought it worked because it logged me in. But the next time I tried to log in it failed saying it couldn't read the security pin. I had two keys configured and both resulted in the same error.

There were two things I didn't understand (but muddled through anyway)
  • It asked me to name the keys. I put in yubi5nano and yubi5nfc as those are the two types of keys I have. I don't know why this is needed but I guess it can't hurt.
  • It asked me for a pin. I simply touched the key which gave me the big long OTP numbers. BUT then it asked me to touch the key which again put in a big long OTP number.
Now I am locked out. I'll request a security code and start over.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

bertilak wrote: Fri Jul 29, 2022 7:56 am
Tubes wrote: Fri Jul 29, 2022 7:33 am
anon_investor wrote: Thu Jul 28, 2022 10:57 pm When I logged into Vanguard today on my computer with my Yubikey, it has a message to re-register it and now I had to add a passcode. That does make it feel a bit more secure, you need to know my user name, password, have my Yubikey and my Yubikey pass code OR access to my GV SMS.
Yes, got this today. I don't have time for a mistake so I deferred. So it was a simple process?
I just tried it and it didn't go well. I got through the process and thought it worked because it logged me in. But the next time I tried to log in it failed saying it couldn't read the security pin. I had two keys configured and both resulted in the same error.

There were two things I didn't understand (but muddled through anyway)
  • It asked me to name the keys. I put in yubi5nano and yubi5nfc as those are the two types of keys I have. I don't know why this is needed but I guess it can't hurt.
  • It asked me for a pin. I simply touched the key which gave me the big long OTP numbers. BUT then it asked me to touch the key which again put in a big long OTP number.
Now I am locked out. I'll request a security code and start over.
You need to type in a PIN with your keyboard. Then every time you login you will have to type in that same PIN as well as touching your Yubikey.
bertilak
Posts: 10726
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Yubikey only at Vanguard now possible.

Post by bertilak »

anon_investor wrote: Fri Jul 29, 2022 7:58 am
bertilak wrote: Fri Jul 29, 2022 7:56 am Now I am locked out. I'll request a security code and start over.
You need to type in a PIN with your keyboard. Then every time you login you will have to type in that same PIN as well as touching your Yubikey.
Yeah, just went through the process again and all is well. The PIN thing got me confused; I touched the key when asked for a PIN. Since that gets you a unique string each time, there was no way to re-enter the same pin the next time it was asked for.

Now (with the pin) it really is "multi factor." I created a 4-digit PIN. I hope that's the kind of thing I was supposed to come up with.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
anon_investor
Posts: 15122
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

bertilak wrote: Fri Jul 29, 2022 8:07 am
anon_investor wrote: Fri Jul 29, 2022 7:58 am
bertilak wrote: Fri Jul 29, 2022 7:56 am Now I am locked out. I'll request a security code and start over.
You need to type in a PIN with your keyboard. Then every time you login you will have to type in that same PIN as well as touching your Yubikey.
Yeah, just went through the process again and all is well. The PIN thing got me confused; I touched the key when asked for a PIN. Since that gets you a unique string each time, there was no way to re-enter the same pin the next time it was asked for.

Now (with the pin) it really is "multi factor." I created a 4-digit PIN. I hope that's the kind of thing I was supposed to come up with.
Now just don't forget the PIN!
stocknoob4111
Posts: 3509
Joined: Sun Jan 07, 2018 11:52 am

Re: Yubikey only at Vanguard now possible.

Post by stocknoob4111 »

What happens if you lose your Yubikey? Can't someone just use that to login? With my phone it's secured with biometric.
bertilak
Posts: 10726
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Yubikey only at Vanguard now possible.

Post by bertilak »

bertilak wrote: Fri Jul 29, 2022 7:56 am It asked me to name the keys. I put in yubi5nano and yubi5nfc as those are the two types of keys I have. I don't know why this is needed but I guess it can't hurt.
I get it now. By giving the keys names, you know which one to deactivate if you lose it.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
Diluted Waters
Posts: 262
Joined: Sun Sep 13, 2020 7:35 pm

Re: Yubikey only at Vanguard now possible.

Post by Diluted Waters »

stocknoob4111 wrote: Fri Jul 29, 2022 8:47 am What happens if you lose your Yubikey? Can't someone just use that to login? With my phone it's secured with biometric.
Phone accounts can be hijacked and used to execute password recovery schemes to gain access to accounts. Search the web for SIM swapping for more.
stocknoob4111
Posts: 3509
Joined: Sun Jan 07, 2018 11:52 am

Re: Yubikey only at Vanguard now possible.

Post by stocknoob4111 »

Diluted Waters wrote: Fri Jul 29, 2022 10:20 am Phone accounts can be hijacked and used to execute password recovery schemes to gain access to accounts. Search the web for SIM swapping for more.
Yeah, familiar with the SIM hijack but I switched my primary number to Google Voice now. To me it looks like using GV + securing your Google account with the authenticator should be secure enough. The only issue is with customer service and social engineering. Not much can be done about that I'm afraid.
cyclist
Posts: 322
Joined: Fri Jun 21, 2013 9:04 am

Re: Yubikey only at Vanguard now possible.

Post by cyclist »

FYI, Vanguard Web Technical Support has concluded that they do not support the Yubikey 5C NFC. Phooey.

It ought to work because they are now focusing on FIDO2 support, which that key includes.

They suggest I try another model of key.

Cyclist
kevinf
Posts: 849
Joined: Mon Aug 05, 2019 11:35 pm

Re: Yubikey only at Vanguard now possible.

Post by kevinf »

stocknoob4111 wrote: Fri Jul 29, 2022 8:47 am What happens if you lose your Yubikey? Can't someone just use that to login? With my phone it's secured with biometric.
No, they still need your username and password ("something you know") and the Security Key ("something you have").

The key isn't specific to one service either, so how would someone that picked your Yubikey up off the ground know what services/websites that key works with? The only thing they get is a free Yubikey.
bertilak
Posts: 10726
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Yubikey only at Vanguard now possible.

Post by bertilak »

cyclist wrote: Fri Jul 29, 2022 2:15 pm FYI, Vanguard Web Technical Support has concluded that they do not support the Yubikey 5C NFC. Phooey.

It ought to work because they are now focusing on FIDO2 support, which that key includes.

They suggest I try another model of key.

Cyclist
I have a Yubikey 5C NFC -- just looked at the packaging and the Yubikey Manager to be sure. It works as I expect, even after reconfiguring it to comply with the new PIN method.

So, I am confused!
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
cyclist
Posts: 322
Joined: Fri Jun 21, 2013 9:04 am

Re: Yubikey only at Vanguard now possible.

Post by cyclist »

bertilak wrote: Fri Jul 29, 2022 3:09 pm So, I am confused!
I suspect there may be a bit of confusion about this at Vanguard as well.

Perhaps they made a change that now prevents those keys from registering? Or there is something about my Windows 11 laptop configuration that they can’t handle (and that they don’t want to take the time to figure out)?

Those keys work for me elsewhere, just not for Vanguard. Sigh.

Cyclist
StrongMBS
Posts: 67
Joined: Sat Jan 14, 2017 1:38 pm

Re: Yubikey only at Vanguard now possible.

Post by StrongMBS »

Much of the interaction with a FIDO2 security key is with the browser. So, the question is what browser are you using and is it up to date? I have seen warnings (although I have not verified) that if Chrome has an outstanding update the FIDO2/WebAuthn functionality will not work properly.
bertilak
Posts: 10726
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Yubikey only at Vanguard now possible.

Post by bertilak »

StrongMBS wrote: Fri Jul 29, 2022 5:08 pm Much of the interaction with a FIDO2 security key is with the browser. So, the question is what browser are you using and is it up to date? I have seen warnings (although I have not verified) that if Chrome has an outstanding update the FIDO2/WebAuthn functionality will not work properly.
It works for me. I use Microsoft Edge which is a Chrome derivative.

Windows does tend to keep things updated.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
mouth
Posts: 654
Joined: Sun Apr 19, 2015 6:40 am

Re: Yubikey only at Vanguard now possible.

Post by mouth »

Hmmm so I tried deleting one of my keys, then re-registered it from the same key management page and it didn't seem to ask for a pin. So I guess they are still allowing old-style registrations that way?
StrongMBS
Posts: 67
Joined: Sat Jan 14, 2017 1:38 pm

Re: Yubikey only at Vanguard now possible.

Post by StrongMBS »

mouth wrote: Fri Jul 29, 2022 7:14 pm Hmmm so I tried deleting one of my keys, then re-registered it from the same key management page and it didn't seem to ask for a pin. So, I guess they are still allowing old-style registrations that way?
What kind of key was it? Does it support FIDO2? I believe there is a flaw in their programming, and it will let you register a key that does not support FIDO2 pin functionality and not ask for a PIN. Since it let me register a Yubico Neo (an old key type that only supports FIDO/U2F and not FIDO2/WebAuthn), I would be cautious counting on these keys to work after the September 20th cutoff date.
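An added illustration, not part of the original posts and not Vanguard's code: in WebAuthn, a touch sets the User Present (UP) flag and a PIN or biometric check on the key sets the User Verified (UV) flag, so a site that wants a PIN on every login has to request `userVerification: "required"` and then check UV itself. The sample bytes and the placeholder `RP_HASH` are constructed; a real server compares the first 32 bytes with the SHA-256 of its own RP ID.

```javascript
// Flag bits in the WebAuthn authenticator data flags byte (offset 32).
const FLAG_UP = 0x01; // User Present: the key was touched
const FLAG_UV = 0x04; // User Verified: PIN or biometric checked on the key
const FLAG_AT = 0x40; // attested credential data follows (registration)

// Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticatorData must be at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    hasAttestedCredential: (flags & FLAG_AT) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Server-side policy: accept only responses where the key was touched AND
// the user was verified on the key (the PIN step described in the thread).
function checkPinPolicy(bytes, expectedRpIdHash) {
  const d = parseAuthenticatorData(bytes);
  const sameRp = d.rpIdHash.length === expectedRpIdHash.length &&
    d.rpIdHash.every((b, i) => b === expectedRpIdHash[i]);
  if (!sameRp) return { ok: false, reason: "rpIdHash mismatch" };
  if (!d.userPresent) return { ok: false, reason: "no touch (UP=0)" };
  if (!d.userVerified) return { ok: false, reason: "touch only, no PIN (UV=0)" };
  return { ok: true, reason: "touch and PIN verified" };
}

// Constructed sample data: RP_HASH is a placeholder, not a real SHA-256 value.
const RP_HASH = new Uint8Array(32).fill(0xab);
function sample(flags, counter) {
  const out = new Uint8Array(37);
  out.set(RP_HASH, 0);
  out[32] = flags;
  new DataView(out.buffer).setUint32(33, counter, false);
  return out;
}
const touchOnly = sample(FLAG_UP, 7);             // U2F-style response
const touchAndPin = sample(FLAG_UP | FLAG_UV, 8); // FIDO2 response with PIN

console.log(checkPinPolicy(touchOnly, RP_HASH).reason);
console.log(checkPinPolicy(touchAndPin, RP_HASH).reason);
```

A U2F-only key can never set UV, so a server that skips this check will accept a registration or login that never involved a PIN.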
mouth
Posts: 654
Joined: Sun Apr 19, 2015 6:40 am

Re: Yubikey only at Vanguard now possible.

Post by mouth »

StrongMBS wrote: Fri Jul 29, 2022 7:39 pm
mouth wrote: Fri Jul 29, 2022 7:14 pm Hmmm so I tried deleting one of my keys, then re-registered it from the same key management page and it didn't seem to ask for a pin. So, I guess they are still allowing old-style registrations that way?
What kind of key was it? Does it support FIDO2? I believe there is a flaw in their programming, and it will let you register a key that does not support FIDO2 pin functionality and not ask for a PIN. Since it let me register a Yubico Neo (an old key type that only supports FIDO/U2F and not FIDO2/WebAuthn), I would be cautious counting on these keys to work after the September 20th cutoff date.
It is a YubiKey 5 NFC (not a 5c); website says it supported FIDO2.
I'm using FF 104.b03 but I also tried MS Edge 103.0.1264.77 (Official build) (64-bit) and got the same error. Both are supposed to support FIDO2

And yes that's my worry come 20 Sep if this can't be figured out.

ETA: I'm not sure I ran into the bug you describe but instead I was re-registering my key on the old site (old format) where they also send you to delete keys, but the failure was happening on the new updated site where it uses the terminology about "upgrading" my key. The old formatted site makes no overt mention of upgrading or FIDO2 though their terms of service do mention FIDO2

ETA2: and it appears as if things are working correctly here https://webauthn.bin.coffee/

ETA3: has anyone had any better luck setting a PIN via Yubi Manager first? I'm reluctant to try quite yet until I do more research.
tlveik
Posts: 53
Joined: Sun Jan 16, 2022 9:18 pm

Re: Yubikey only at Vanguard now possible.

Post by tlveik »

mouth wrote: Fri Jul 29, 2022 8:08 pm
StrongMBS wrote: Fri Jul 29, 2022 7:39 pm
mouth wrote: Fri Jul 29, 2022 7:14 pm Hmmm so I tried deleting one of my keys, then re-registered it from the same key management page and it didn't seem to ask for a pin. So, I guess they are still allowing old-style registrations that way?
What kind of key was it? Does it support FIDO2? I believe there is a flaw in their programming, and it will let you register a key that does not support FIDO2 pin functionality and not ask for a PIN. Since it let me register a Yubico Neo (an old key type that only supports FIDO/U2F and not FIDO2/WebAuthn), I would be cautious counting on these keys to work after the September 20th cutoff date.
It is a YubiKey 5 NFC (not a 5c); website says it supported FIDO2.
I'm using FF 104.b03 but I also tried MS Edge 103.0.1264.77 (Official build) (64-bit) and got the same error. Both are supposed to support FIDO2

And yes that's my worry come 20 Sep if this can't be figured out.

ETA: I'm not sure I ran into the bug you describe but instead I was re-registering my key on the old site (old format) where they also send you to delete keys, but the failure was happening on the new updated site where it uses the terminology about "upgrading" my key. The old formatted site makes no overt mention of upgrading or FIDO2 though their terms of service do mention FIDO2

ETA2: and it appears as if things are working correctly here https://webauthn.bin.coffee/

ETA3: has anyone had any better luck setting a PIN via Yubi Manager first? I'm reluctant to try quite yet until I do more research.
I believe that if the key already has a fido2 pin in it then you won't be asked to enter and then reenter a new pin when you register the key. I have used Yubi Manager to change a pin and that does work and the Vanguard login works with the new pin.
stocknoob4111
Posts: 3509
Joined: Sun Jan 07, 2018 11:52 am

Re: Yubikey only at Vanguard now possible.

Post by stocknoob4111 »

No biometric keys are supported, am I reading it right?

https://www.yubico.com/works-with-yubik ... 20accounts.

would prefer to use a Yubikey that has additional biometric verification

https://www.yubico.com/products/yubikey-bio-series/