Cool thanks, USB C is the future! I wonder if there will be any Cyber Monday sales on this or other Yubikeys.
TJat wrote: ↑Sat Nov 06, 2021 7:58 am It does. I have that one and the nano usb. To my knowledge, the only modern yubikey that vanguard does not support is the 5CI. They claim it’s because that is a “mobile” key.
anon_investor wrote: ↑Sat Nov 06, 2021 7:36 am Does anyone know if this new USB C Yubikey works with Vanguard?
Yubico FIDO Security Key C NFC:
https://www.amazon.com/dp/B09HJBL6F3
Yubikey only at Vanguard now possible.
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Yubikey only at Vanguard now possible.
-
- Posts: 1660
- Joined: Tue Feb 01, 2011 8:22 pm
Re: Yubikey only at Vanguard now possible.
Are those who previously weren't allowed to disable SMS able to now?
Silence Dogood wrote: ↑Tue Aug 24, 2021 6:48 pm Allow all clients to disable SMS after registering their security keys.
Some of us (including myself) are able to do this now.
As I noted earlier in this thread, I think it would be smart for Vanguard to require at least two security keys to be registered before allowing SMS to be disabled.
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Yubikey only at Vanguard now possible.
I didn't try it, but when I registered my Yubikey last week Vanguard had a message on the screen saying you had to have 2 security keys registered in order to disable SMS 2FA.
Silence Dogood wrote: ↑Sun Dec 05, 2021 6:32 pm Are those who previously weren't allowed to disable SMS able to now?
Silence Dogood wrote: ↑Tue Aug 24, 2021 6:48 pm Allow all clients to disable SMS after registering their security keys.
Some of us (including myself) are able to do this now.
As I noted earlier in this thread, I think it would be smart for Vanguard to require at least two security keys to be registered before allowing SMS to be disabled.
-
- Posts: 1660
- Joined: Tue Feb 01, 2011 8:22 pm
Re: Yubikey only at Vanguard now possible.
Thanks for reporting back, anon_investor.
anon_investor wrote: ↑Sun Dec 05, 2021 7:05 pm I didn't try it, but when I registered my Yubikey last week Vanguard had a message on the screen saying you had to have 2 security keys registered in order to disable SMS 2FA.
Silence Dogood wrote: ↑Sun Dec 05, 2021 6:32 pm Are those who previously weren't allowed to disable SMS able to now?
Silence Dogood wrote: ↑Tue Aug 24, 2021 6:48 pm Allow all clients to disable SMS after registering their security keys.
Some of us (including myself) are able to do this now.
As I noted earlier in this thread, I think it would be smart for Vanguard to require at least two security keys to be registered before allowing SMS to be disabled.
If true, then it looks like Vanguard took my advice (I have made them aware of my suggestions).
However, unfortunately, I've heard back from another Boglehead (via private message) who reports that he's still not allowed to disable SMS.
Re: Yubikey only at Vanguard now possible.
I recently bought two Yubikeys specifically for my Vanguard account. After registering the two keys I was able to disable SMS 2FA. It worked fine on the website, however I would not advise disabling SMS 2FA because of the behavior in the mobile application. It actually downgrades your security when you disable SMS 2FA after registering two Yubikeys. The reason for this is the user flow on the mobile app.
Silence Dogood wrote: ↑Mon Dec 20, 2021 8:04 pm Thanks for reporting back, anon_investor.
anon_investor wrote: ↑Sun Dec 05, 2021 7:05 pm I didn't try it, but when I registered my Yubikey last week Vanguard had a message on the screen saying you had to have 2 security keys registered in order to disable SMS 2FA.
Silence Dogood wrote: ↑Sun Dec 05, 2021 6:32 pm Are those who previously weren't allowed to disable SMS able to now?
Silence Dogood wrote: ↑Tue Aug 24, 2021 6:48 pm Allow all clients to disable SMS after registering their security keys.
Some of us (including myself) are able to do this now.
As I noted earlier in this thread, I think it would be smart for Vanguard to require at least two security keys to be registered before allowing SMS to be disabled.
If true, then it looks like Vanguard took my advice (I have made them aware of my suggestions).
However, unfortunately, I've heard back from another Boglehead (via private message) who reports that he's still not allowed to disable SMS.
1. If you install the mobile app it will allow you to login only with your username and password.
2. It will then prompt you to setup SMS 2FA. You are forced to setup SMS 2FA in order to use the mobile app.
3. The worst part comes next. When you go through the user flow on the mobile app to setup SMS 2FA it will allow you to choose your registered cellphone number or to add ANY new number.
If a hacker or someone close to you that is not trustworthy has your username and password they can basically re-direct the SMS 2FA to their own cellphone number and access your account.
Therefore, I recommend keeping SMS 2FA enabled and use a Google voice number for the SMS 2FA. Secure Google voice with the Yubikeys. That is basically the workaround discussed previously to get around the problem.
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Yubikey only at Vanguard now possible.
Yep, the mobile app is the weak point.
saver1 wrote: ↑Mon Dec 20, 2021 9:54 pm I recently bought two Yubikeys specifically for my Vanguard account. After registering the two keys I was able to disable SMS 2FA. It worked fine on the website, however I would not advise disabling SMS 2FA because of the behavior in the mobile application. It actually downgrades your security when you disable SMS 2FA after registering two Yubikeys. The reason for this is the user flow on the mobile app.
Silence Dogood wrote: ↑Mon Dec 20, 2021 8:04 pm Thanks for reporting back, anon_investor.
anon_investor wrote: ↑Sun Dec 05, 2021 7:05 pm I didn't try it, but when I registered my Yubikey last week Vanguard had a message on the screen saying you had to have 2 security keys registered in order to disable SMS 2FA.
Silence Dogood wrote: ↑Sun Dec 05, 2021 6:32 pm Are those who previously weren't allowed to disable SMS able to now?
Silence Dogood wrote: ↑Tue Aug 24, 2021 6:48 pm Allow all clients to disable SMS after registering their security keys.
Some of us (including myself) are able to do this now.
As I noted earlier in this thread, I think it would be smart for Vanguard to require at least two security keys to be registered before allowing SMS to be disabled.
If true, then it looks like Vanguard took my advice (I have made them aware of my suggestions).
However, unfortunately, I've heard back from another Boglehead (via private message) who reports that he's still not allowed to disable SMS.
1. If you install the mobile app it will allow you to login only with your username and password.
2. It will then prompt you to setup SMS 2FA. You are forced to setup SMS 2FA in order to use the mobile app.
3. The worst part comes next. When you go through the user flow on the mobile app to setup SMS 2FA it will allow you to choose your registered cellphone number or to add ANY new number.
If a hacker or someone close to you that is not trustworthy has your username and password they can basically re-direct the SMS 2FA to their own cellphone number and access your account.
Therefore, I recommend keeping SMS 2FA enabled and use a Google voice number for the SMS 2FA. Secure Google voice with the Yubikeys. That is basically the workaround discussed previously to get around the problem.
-
- Posts: 1660
- Joined: Tue Feb 01, 2011 8:22 pm
Re: Yubikey only at Vanguard now possible.
I reported these issues to Vanguard this past summer (see my earlier posts in this thread - for example, here and here).
saver1 wrote: ↑Mon Dec 20, 2021 9:54 pm I recently bought two Yubikeys specifically for my Vanguard account. After registering the two keys I was able to disable SMS 2FA. It worked fine on the website, however I would not advise disabling SMS 2FA because of the behavior in the mobile application. It actually downgrades your security when you disable SMS 2FA after registering two Yubikeys. The reason for this is the user flow on the mobile app.
1. If you install the mobile app it will allow you to login only with your username and password.
2. It will then prompt you to setup SMS 2FA. You are forced to setup SMS 2FA in order to use the mobile app.
3. The worst part comes next. When you go through the user flow on the mobile app to setup SMS 2FA it will allow you to choose your registered cellphone number or to add ANY new number.
If a hacker or someone close to you that is not trustworthy has your username and password they can basically re-direct the SMS 2FA to their own cellphone number and access your account.
Therefore, I recommend keeping SMS 2FA enabled and use a Google voice number for the SMS 2FA. Secure Google voice with the Yubikeys. That is basically the workaround discussed previously to get around the problem.
The fact that these issues still haven't been fixed is very concerning.
At the very least, Vanguard can and should get rid of the ability to add any new phone number for sending security codes to when using the mobile app (i.e., only allow existing phone numbers on file). That should not take long to implement.
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Yubikey only at Vanguard now possible.
Have you seen how terrible the new mobile app is? I have 0 confidence in Vanguard fixing anything. As others have earlier suggested I have utilized the Yubikey + GV# SMS 2FA set up. I wish Vanguard would move to a Yubikey + authenticator app set up.
Silence Dogood wrote: ↑Wed Dec 22, 2021 10:02 am I reported these issues to Vanguard this past summer (see my earlier posts in this thread - for example, here and here).
saver1 wrote: ↑Mon Dec 20, 2021 9:54 pm I recently bought two Yubikeys specifically for my Vanguard account. After registering the two keys I was able to disable SMS 2FA. It worked fine on the website, however I would not advise disabling SMS 2FA because of the behavior in the mobile application. It actually downgrades your security when you disable SMS 2FA after registering two Yubikeys. The reason for this is the user flow on the mobile app.
1. If you install the mobile app it will allow you to login only with your username and password.
2. It will then prompt you to setup SMS 2FA. You are forced to setup SMS 2FA in order to use the mobile app.
3. The worst part comes next. When you go through the user flow on the mobile app to setup SMS 2FA it will allow you to choose your registered cellphone number or to add ANY new number.
If a hacker or someone close to you that is not trustworthy has your username and password they can basically re-direct the SMS 2FA to their own cellphone number and access your account.
Therefore, I recommend keeping SMS 2FA enabled and use a Google voice number for the SMS 2FA. Secure Google voice with the Yubikeys. That is basically the workaround discussed previously to get around the problem.
The fact that these issues still haven't been fixed is very concerning.
At the very least, Vanguard can and should get rid of the ability to add any new phone number for sending security codes to when using the mobile app (i.e., only allow existing phone numbers on file). That should not take long to implement.
-
- Posts: 1660
- Joined: Tue Feb 01, 2011 8:22 pm
Re: Yubikey only at Vanguard now possible.
My only experiences with the Vanguard mobile app have been a few times over this past year - in order to test out the two-factor authentication (hence my discovery of the issue back in the summer). Each time I tried it out, I never actually logged in and I uninstalled it immediately afterwards.
anon_investor wrote: ↑Wed Dec 22, 2021 10:07 am Have you seen how terrible the new mobile app is? I have 0 confidence in Vanguard fixing anything. As others have earlier suggested I have utilized the Yubikey + GV# SMS 2FA set up. I wish Vanguard would move to a Yubikey + authenticator app set up.
Silence Dogood wrote: ↑Wed Dec 22, 2021 10:02 am I reported these issues to Vanguard this past summer (see my earlier posts in this thread - for example, here and here).
saver1 wrote: ↑Mon Dec 20, 2021 9:54 pm I recently bought two Yubikeys specifically for my Vanguard account. After registering the two keys I was able to disable SMS 2FA. It worked fine on the website, however I would not advise disabling SMS 2FA because of the behavior in the mobile application. It actually downgrades your security when you disable SMS 2FA after registering two Yubikeys. The reason for this is the user flow on the mobile app.
1. If you install the mobile app it will allow you to login only with your username and password.
2. It will then prompt you to setup SMS 2FA. You are forced to setup SMS 2FA in order to use the mobile app.
3. The worst part comes next. When you go through the user flow on the mobile app to setup SMS 2FA it will allow you to choose your registered cellphone number or to add ANY new number.
If a hacker or someone close to you that is not trustworthy has your username and password they can basically re-direct the SMS 2FA to their own cellphone number and access your account.
Therefore, I recommend keeping SMS 2FA enabled and use a Google voice number for the SMS 2FA. Secure Google voice with the Yubikeys. That is basically the workaround discussed previously to get around the problem.
The fact that these issues still haven't been fixed is very concerning.
At the very least, Vanguard can and should get rid of the ability to add any new phone number for sending security codes to when using the mobile app (i.e., only allow existing phone numbers on file). That should not take long to implement.
Yubikeys are perfectly capable of working with mobile apps; I don't see any reason why Yubikey-only can't be an option.
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Yubikey only at Vanguard now possible.
Well making the Vanguard mobile app support Yubikey would be another option.
Silence Dogood wrote: ↑Wed Dec 22, 2021 10:25 am My only experiences with the Vanguard mobile app have been a few times over this past year - in order to test out the two-factor authentication (hence my discovery of the issue back in the summer). Each time I tried it out, I never actually logged in and I uninstalled it immediately afterwards.
anon_investor wrote: ↑Wed Dec 22, 2021 10:07 am Have you seen how terrible the new mobile app is? I have 0 confidence in Vanguard fixing anything. As others have earlier suggested I have utilized the Yubikey + GV# SMS 2FA set up. I wish Vanguard would move to a Yubikey + authenticator app set up.
Silence Dogood wrote: ↑Wed Dec 22, 2021 10:02 am I reported these issues to Vanguard this past summer (see my earlier posts in this thread - for example, here and here).
saver1 wrote: ↑Mon Dec 20, 2021 9:54 pm I recently bought two Yubikeys specifically for my Vanguard account. After registering the two keys I was able to disable SMS 2FA. It worked fine on the website, however I would not advise disabling SMS 2FA because of the behavior in the mobile application. It actually downgrades your security when you disable SMS 2FA after registering two Yubikeys. The reason for this is the user flow on the mobile app.
1. If you install the mobile app it will allow you to login only with your username and password.
2. It will then prompt you to setup SMS 2FA. You are forced to setup SMS 2FA in order to use the mobile app.
3. The worst part comes next. When you go through the user flow on the mobile app to setup SMS 2FA it will allow you to choose your registered cellphone number or to add ANY new number.
If a hacker or someone close to you that is not trustworthy has your username and password they can basically re-direct the SMS 2FA to their own cellphone number and access your account.
Therefore, I recommend keeping SMS 2FA enabled and use a Google voice number for the SMS 2FA. Secure Google voice with the Yubikeys. That is basically the workaround discussed previously to get around the problem.
The fact that these issues still haven't been fixed is very concerning.
At the very least, Vanguard can and should get rid of the ability to add any new phone number for sending security codes to when using the mobile app (i.e., only allow existing phone numbers on file). That should not take long to implement.
Yubikeys are perfectly capable of working with mobile apps; I don't see any reason why Yubikey-only can't be an option.
-
- Posts: 2843
- Joined: Wed Feb 12, 2014 9:58 pm
Re: Yubikey only at Vanguard now possible.
The Vanguard mobile app doesn’t support Vanguard mutual fund accounts or many basic functions for brokerage accounts either. I wouldn’t count on Yubikey support.
anon_investor wrote: ↑Wed Dec 22, 2021 12:03 pm Well making the Vanguard mobile app support Yubikey would be another option.
Silence Dogood wrote: ↑Wed Dec 22, 2021 10:25 am My only experiences with the Vanguard mobile app have been a few times over this past year - in order to test out the two-factor authentication (hence my discovery of the issue back in the summer). Each time I tried it out, I never actually logged in and I uninstalled it immediately afterwards.
anon_investor wrote: ↑Wed Dec 22, 2021 10:07 am Have you seen how terrible the new mobile app is? I have 0 confidence in Vanguard fixing anything. As others have earlier suggested I have utilized the Yubikey + GV# SMS 2FA set up. I wish Vanguard would move to a Yubikey + authenticator app set up.
Silence Dogood wrote: ↑Wed Dec 22, 2021 10:02 am I reported these issues to Vanguard this past summer (see my earlier posts in this thread - for example, here and here).
saver1 wrote: ↑Mon Dec 20, 2021 9:54 pm I recently bought two Yubikeys specifically for my Vanguard account. After registering the two keys I was able to disable SMS 2FA. It worked fine on the website, however I would not advise disabling SMS 2FA because of the behavior in the mobile application. It actually downgrades your security when you disable SMS 2FA after registering two Yubikeys. The reason for this is the user flow on the mobile app.
1. If you install the mobile app it will allow you to login only with your username and password.
2. It will then prompt you to setup SMS 2FA. You are forced to setup SMS 2FA in order to use the mobile app.
3. The worst part comes next. When you go through the user flow on the mobile app to setup SMS 2FA it will allow you to choose your registered cellphone number or to add ANY new number.
If a hacker or someone close to you that is not trustworthy has your username and password they can basically re-direct the SMS 2FA to their own cellphone number and access your account.
Therefore, I recommend keeping SMS 2FA enabled and use a Google voice number for the SMS 2FA. Secure Google voice with the Yubikeys. That is basically the workaround discussed previously to get around the problem.
The fact that these issues still haven't been fixed is very concerning.
At the very least, Vanguard can and should get rid of the ability to add any new phone number for sending security codes to when using the mobile app (i.e., only allow existing phone numbers on file). That should not take long to implement.
Yubikeys are perfectly capable of working with mobile apps; I don't see any reason why Yubikey-only can't be an option.
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Yubikey only at Vanguard now possible.
The "new" mobile app is horrible, you can't view individual tax lots (needed for TLH), you can't fund a mutual fund purchase from a bank account (you have to first transfer from your bank account to your settlement fund).
criticalmass wrote: ↑Wed Dec 22, 2021 12:37 pm The Vanguard mobile app doesn’t support Vanguard mutual fund accounts or many basic functions for brokerage accounts either. I wouldn’t count on Yubikey support.
anon_investor wrote: ↑Wed Dec 22, 2021 12:03 pm Well making the Vanguard mobile app support Yubikey would be another option.
Silence Dogood wrote: ↑Wed Dec 22, 2021 10:25 am My only experiences with the Vanguard mobile app have been a few times over this past year - in order to test out the two-factor authentication (hence my discovery of the issue back in the summer). Each time I tried it out, I never actually logged in and I uninstalled it immediately afterwards.
anon_investor wrote: ↑Wed Dec 22, 2021 10:07 am Have you seen how terrible the new mobile app is? I have 0 confidence in Vanguard fixing anything. As others have earlier suggested I have utilized the Yubikey + GV# SMS 2FA set up. I wish Vanguard would move to a Yubikey + authenticator app set up.
Silence Dogood wrote: ↑Wed Dec 22, 2021 10:02 am
I reported these issues to Vanguard this past summer (see my earlier posts in this thread - for example, here and here).
The fact that these issues still haven't been fixed is very concerning.
At the very least, Vanguard can and should get rid of the ability to add any new phone number for sending security codes to when using the mobile app (i.e., only allow existing phone numbers on file). That should not take long to implement.
Yubikeys are perfectly capable of working with mobile apps; I don't see any reason why Yubikey-only can't be an option.
Re: Yubikey only at Vanguard now possible.
Yes, I agree that the mobile app is quite bad. One thing to consider is that Vanguard is probably following the Agile Scrum software development model, which means they have released a minimally functional product and will be adding new features incrementally. Keep giving them feedback on the app through the support section and be patient. Hopefully, they will fix a lot of these issues over time. If they don't, then we should consider other options such as going to a different brokerage. If they ignore fixing these issues with the mobile app and the website it will be to their disadvantage. The increased customers transitioning out of Vanguard to other brokerages will catch up to them to the point where they will not be able to ignore it any longer.
anon_investor wrote: ↑Wed Dec 22, 2021 1:06 pm The "new" mobile app is horrible, you can't view individual tax lots (needed for TLH), you can't fund a mutual fund purchase from a bank account (you have to first transfer from your bank account to your settlement fund).
criticalmass wrote: ↑Wed Dec 22, 2021 12:37 pm The Vanguard mobile app doesn’t support Vanguard mutual fund accounts or many basic functions for brokerage accounts either. I wouldn’t count on Yubikey support.
anon_investor wrote: ↑Wed Dec 22, 2021 12:03 pm Well making the Vanguard mobile app support Yubikey would be another option.
Silence Dogood wrote: ↑Wed Dec 22, 2021 10:25 am My only experiences with the Vanguard mobile app have been a few times over this past year - in order to test out the two-factor authentication (hence my discovery of the issue back in the summer). Each time I tried it out, I never actually logged in and I uninstalled it immediately afterwards.
anon_investor wrote: ↑Wed Dec 22, 2021 10:07 am
Have you seen how terrible the new mobile app is? I have 0 confidence in Vanguard fixing anything. As others have earlier suggested I have utilized the Yubikey + GV# SMS 2FA set up. I wish Vanguard would move to a Yubikey + authenticator app set up.
Yubikeys are perfectly capable of working with mobile apps; I don't see any reason why Yubikey-only can't be an option.
-
- Posts: 1660
- Joined: Tue Feb 01, 2011 8:22 pm
Re: Yubikey only at Vanguard now possible.
To be clear, I'm not counting on Yubikey support any time soon [for the Vanguard mobile app].
Here are the suggestions I provided to Vanguard:
But as I wrote earlier today:
Silence Dogood wrote: ↑Tue Aug 24, 2021 6:48 pm Here are the things that Vanguard should fix:
1. Allow all clients to disable SMS after registering their security keys.
Some of us (including myself) are able to do this now.
As I noted earlier in this thread, I think it would be smart for Vanguard to require at least two security keys to be registered before allowing SMS to be disabled.
2. Longer term, the mobile apps should be made to work with security keys. In the meantime, the mobile apps should be disabled for those who've disabled SMS.
This could work in a similar way to how the "restrict access to recognized devices" option currently works.
3. Require the security key for every log in - but stop asking whether or not the device should be recognized.
Apparently Vanguard does require the security key to be used with every log in - which is best practice. However, for whatever reason, Vanguard continues to ask whether or not the device being used is private or public. Whichever option is chosen seems to not have any effect. This is a lower priority issue, since it's more of a design/aesthetic issue, but it should still be fixed.
Silence Dogood wrote: ↑Wed Dec 22, 2021 10:02 am At the very least, Vanguard can and should get rid of the ability to add any new phone number for sending security codes to when using the mobile app (i.e., only allow existing phone numbers on file). That should not take long to implement.
Last edited by Silence Dogood on Fri Jan 21, 2022 6:23 pm, edited 1 time in total.
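The enrolment rules discussed in saver1's description of the mobile-app flow and in the list of suggestions above, modelled as an added example that is not part of any post and not Vanguard's code: the flow as the posts describe it next to a stricter rule set. Every name, rule and phone number here is constructed for illustration.

```python
"""Toy model of the second-factor rules discussed in this thread.
All names, rules and phone numbers are constructed for illustration."""
from dataclasses import dataclass, field
from enum import IntEnum


class Factor(IntEnum):
    """Authentication factors, ordered weakest to strongest."""
    PASSWORD = 1
    SMS_CODE = 2
    SECURITY_KEY = 3


@dataclass
class Account:
    security_keys: set = field(default_factory=set)   # registered key labels
    phones_on_file: set = field(default_factory=set)  # numbers already verified
    sms_enabled: bool = True


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


MIN_KEYS_TO_DISABLE_SMS = 2  # threshold reported and recommended in the thread


def strongest_enrolled(acct):
    """Strongest factor the account owner has set up."""
    if acct.security_keys:
        return Factor.SECURITY_KEY
    if acct.sms_enabled and acct.phones_on_file:
        return Factor.SMS_CODE
    return Factor.PASSWORD


def weak_sms_setup(acct, proven, number):
    """Flow as the posts describe it: password only, any number accepted."""
    if Factor.PASSWORD not in proven:
        return Decision(False, "password required")
    return Decision(True, f"codes will be sent to {number}")


def hardened_sms_setup(acct, proven, number):
    """Stricter rules (assumed): a weaker factor is never added or re-enabled
    without first proving the strongest factor already enrolled."""
    if Factor.PASSWORD not in proven:
        return Decision(False, "password required")
    if not acct.sms_enabled and Factor.SECURITY_KEY not in proven:
        return Decision(False, "SMS was disabled by the owner; security key required")
    if number in acct.phones_on_file:
        return Decision(True, "code sent to a number already on file")
    needed = strongest_enrolled(acct)
    if needed in proven:
        return Decision(True, "new number added after step-up")
    return Decision(False, f"new number refused: prove {needed.name} first")


def disable_sms(acct, proven):
    """Only allow SMS to be switched off when a backup security key exists."""
    if Factor.SECURITY_KEY not in proven:
        return Decision(False, "security key required")
    if len(acct.security_keys) < MIN_KEYS_TO_DISABLE_SMS:
        return Decision(False, "register a second security key first")
    acct.sms_enabled = False
    return Decision(True, "SMS disabled")


def run_scenarios():
    """Password-only session on an account that has two keys and one phone."""
    acct = Account(security_keys={"key-A", "key-B"}, phones_on_file={"+1-555-0100"})
    pw_only = {Factor.PASSWORD}
    new_number = "+1-555-0199"  # constructed number that is not on file
    return {
        "weak flow, new number": weak_sms_setup(acct, pw_only, new_number).allowed,
        "hardened, new number": hardened_sms_setup(acct, pw_only, new_number).allowed,
        "hardened, number on file": hardened_sms_setup(acct, pw_only, "+1-555-0100").allowed,
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```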
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Yubikey only at Vanguard now possible.
I don't want to be Vanguard's guinea pig. They already had this terrible app as a beta test called "Beacon" for well over a year. I have already submitted my negative feedback to Vanguard. I have already stopped investing new money in my taxable account at Vanguard for now while I try other brokerages. Fidelity's app seems to meet my needs, Merrill Edge, not so much.
saver1 wrote: ↑Wed Dec 22, 2021 1:53 pm Yes, I agree that the mobile app is quite bad. One thing to consider is that Vanguard is probably following the Agile Scrum software development model, which means they have released a minimally functional product and will be adding new features incrementally. Keep giving them feedback on the app through the support section and be patient. Hopefully, they will fix a lot of these issues over time. If they don't, then we should consider other options such as going to a different brokerage. If they ignore fixing these issues with the mobile app and the website it will be to their disadvantage. The increased customers transitioning out of Vanguard to other brokerages will catch up to them to the point where they will not be able to ignore it any longer.
anon_investor wrote: ↑Wed Dec 22, 2021 1:06 pm The "new" mobile app is horrible, you can't view individual tax lots (needed for TLH), you can't fund a mutual fund purchase from a bank account (you have to first transfer from your bank account to your settlement fund).
criticalmass wrote: ↑Wed Dec 22, 2021 12:37 pm The Vanguard mobile app doesn’t support Vanguard mutual fund accounts or many basic functions for brokerage accounts either. I wouldn’t count on Yubikey support.
anon_investor wrote: ↑Wed Dec 22, 2021 12:03 pm Well making the Vanguard mobile app support Yubikey would be another option.
Silence Dogood wrote: ↑Wed Dec 22, 2021 10:25 am
My only experiences with the Vanguard mobile app have been a few times over this past year - in order to test out the two-factor authentication (hence my discovery of the issue back in the summer). Each time I tried it out, I never actually logged in and I uninstalled it immediately afterwards.
Yubikeys are perfectly capable of working with mobile apps; I don't see any reason why Yubikey-only can't be an option.
Re: Yubikey only at Vanguard now possible.
The Vanguard phone app does support biometric (fingerprint) login on newer phones. Which is what I have been using. I have no issues with login credentials.
I also use a vpn to protect data transfers on my phone and computer.
I do agree the app is horrible to do anything so log in just to check balances.
Re: Yubikey only at Vanguard now possible.
Just wanted to chime in with my experience with the mobile app. Vanguard has my mobile number but I have 2 yubikeys set up. When logging in with the mobile app for the first time, it prompted me to set up fingerprint login (good). It then stated I needed to set up security codes (ok). It gave me the option to use my existing number (good) OR add a new number (VERY BAD). So, it appears that even if you have a phone number in their system, you can still bypass that number and add a new number the first time you install the app.
That's just so mind-bogglingly stupid (and dangerous). It's enough to make me leave them. They want me to use their ETFs anyway, I can do that just as well at a place like Fidelity.
Re: Yubikey only at Vanguard now possible.
What do they do when you request a password reset?
Re: Yubikey only at Vanguard now possible.
I was able to register 2 security keys and disable the text/SMS option. Previously I have my logins restricted to one computer. Is this restriction still necessary? I ask because with the restriction I get locked out once a month or so and have to call in. I have no interest in the mobile app. Is there any risk of the mobile app if I never sign up?
Thanks,
Drum
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Yubikey only at Vanguard now possible.
Yes, there is still a risk with the mobile app. If someone else installs the mobile app and tries to login with your user name and password, Vanguard will use whatever phone number you have on file as the 2FA. While still unlikely, if someone has your user name and password, and access to your phone number (e.g. SIM swap, etc.), they could access your account.
conundrum wrote: ↑Fri Jan 21, 2022 1:39 pm I was able to register 2 security keys and disable the text/SMS option. Previously I have my logins restricted to one computer. Is this restriction still necessary? I ask because with the restriction I get locked out once a month or so and have to call in. I have no interest in the mobile app. Is there any risk of the mobile app if I never sign up?
Thanks,
Drum
Personally, because I want to use the mobile app, I just use a Google Voice number for my SMS 2FA, so I have closed that loophole. My Google account is secured by a Yubikey.
Re: Yubikey only at Vanguard now possible.
Is there any way to block the ability to have a mobile account at Vanguard?
Re: Yubikey only at Vanguard now possible.
Or would it be best to leave the computer restriction access on? Can you use Yubikeys and the computer access restrictions at the same time?
Thanks,
Drum
Re: Yubikey only at Vanguard now possible.
If you use Yubikey (which is in its way the same as computer restriction--Yubikey restriction) and Google voice for SMS, you should be good without computer access restriction.
The other option is switch to Fidelity and use an authenticator to log in. Can't believe Vanguard does not offer that.
Re: Yubikey only at Vanguard now possible.
I know you asked a subsequent question, but regarding this one above, I don't think so. It's an interesting question; not sure how one would define "mobile account." Perhaps you mean "mobile device" or "mobile app"?
Given that mobile devices are just computers that let you access Vanguard via an app or its website via a browser, I don't think a custodian would offer a feature to let you block based on whether a browser is being used on a mobile device versus desktop. But they could more easily offer an option to prevent access via app, or vice versa only allow access via an app; unlikely to happen in any case.
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Yubikey only at Vanguard now possible.
cowdogman wrote: ↑Fri Jan 21, 2022 6:09 pm
If you use Yubikey (which is in its way the same as computer restriction--Yubikey restriction) and Google voice for SMS, you should be good without computer access restriction.
The other option is switch to Fidelity and use an authenticator to log in. Can't believe Vanguard does not offer that.

You’d expect Vanguard to offer a fully functional mobile app too… but nope.
-
- Posts: 1660
- Joined: Tue Feb 01, 2011 8:22 pm
Re: Yubikey only at Vanguard now possible.
Silence Dogood wrote: ↑Wed Dec 22, 2021 2:41 pm
To be clear, I'm not counting on Yubikey support any time soon [for the Vanguard mobile app].
Here are the suggestions I provided to Vanguard:
Silence Dogood wrote: ↑Tue Aug 24, 2021 6:48 pm
Here are the things that Vanguard should fix:
1. Allow all clients to disable SMS after registering their security keys.
Some of us (including myself) are able to do this now.
As I noted earlier in this thread, I think it would be smart for Vanguard to require at least two security keys to be registered before allowing SMS to be disabled.
2. Longer term, the mobile apps should be made to work with security keys. In the meantime, the mobile apps should be disabled for those who've disabled SMS.
This could work in a similar way to how the "restrict access to recognized devices" option currently works.
3. Require the security key for every log in - but stop asking whether or not the device should be recognized.
Apparently Vanguard does require the security key to be used with every log in - which is best practice. However, for whatever reason, Vanguard continues to ask whether or not the device being used is private or public. Whichever option is chosen seems to not have any effect. This is a lower priority issue, since it's more of a design/aesthetic issue, but it should still be fixed.
But as I wrote earlier today:
Silence Dogood wrote: ↑Wed Dec 22, 2021 10:02 am
At the very least, Vanguard can and should get rid of the ability to add any new phone number for sending security codes to when using the mobile app (i.e., only allow existing phone numbers on file). That should not take long to implement.

I just checked - unfortunately, there is still an option to "Enter a new number".
Re: Vanguard 2-factor authentication becoming mandatory and available for non-US
[Posts merged into here from: Vanguard 2-factor authentication becoming mandatory and available for non-US --admin LadyGeek]
You can now disable "secure codes" entirely if you add two U2F hardware keys.
- southerndoc
- Posts: 1266
- Joined: Wed Apr 22, 2009 7:07 pm
- Location: Atlanta
Re: Vanguard 2-factor authentication becoming mandatory and available for non-US
How do you disable the SMS text messaging and only allow Yubikeys?
-
- Posts: 630
- Joined: Wed Mar 04, 2009 9:48 pm
Re: Vanguard 2-factor authentication becoming mandatory and available for non-US
southerndoc wrote: ↑Fri Mar 04, 2022 12:13 am
How do you disable the SMS text messaging and only allow Yubikeys?

It is currently not possible to do this safely. You can do it but then anyone can get in with just the password using the app.
- southerndoc
- Posts: 1266
- Joined: Wed Apr 22, 2009 7:07 pm
- Location: Atlanta
Re: Vanguard 2-factor authentication becoming mandatory and available for non-US
I wasn't planning on it until I read where @Lucent said you could disable secure codes if you have 2 U2F keys. I have 3. Would like to disable SMS texting and require a Yubikey 100% of the time.
Re: Vanguard 2-factor authentication becoming mandatory and available for non-US
HawkeyePierce wrote: ↑Wed Apr 29, 2020 10:08 pm
...
Now if Vanguard will just let customers use *only* Yubikeys without the phone fallback.

Suppose you can't use your Yubikey - suppose it physically fails. What is the recovery path? You'd need a path outside the crypto token won't you?
-
- Posts: 2843
- Joined: Wed Feb 12, 2014 9:58 pm
Re: Vanguard 2-factor authentication becoming mandatory and available for non-US
HawkeyePierce wrote: ↑Wed Apr 29, 2020 10:08 pm
...
Now if Vanguard will just let customers use *only* Yubikeys without the phone fallback.
edgeagg wrote: ↑Fri Mar 04, 2022 9:14 am
Suppose you can't use your Yubikey - suppose it physically fails. What is the recovery path? You'd need a path outside the crypto token won't you?

Sure, you could call Vanguard and use their automated voice authentication, which is what they use to authenticate for wires. They can also follow up with security questions. Voila.
-
- Posts: 1660
- Joined: Tue Feb 01, 2011 8:22 pm
Re: Vanguard 2-factor authentication becoming mandatory and available for non-US
HawkeyePierce wrote: ↑Wed Apr 29, 2020 10:08 pm
...
Now if Vanguard will just let customers use *only* Yubikeys without the phone fallback.
edgeagg wrote: ↑Fri Mar 04, 2022 9:14 am
Suppose you can't use your Yubikey - suppose it physically fails. What is the recovery path? You'd need a path outside the crypto token won't you?

My understanding is that Vanguard now requires at least two security keys to be registered before allowing SMS to be disabled.
However, please see this post regarding a serious security flaw with the Vanguard mobile app.
Last edited by Silence Dogood on Fri Mar 04, 2022 8:10 pm, edited 2 times in total.
-
- Posts: 66
- Joined: Fri Mar 15, 2019 11:38 pm
Re: Vanguard 2-factor authentication becoming mandatory and available for non-US
HawkeyePierce wrote: ↑Wed Apr 29, 2020 10:08 pm
...
Now if Vanguard will just let customers use *only* Yubikeys without the phone fallback.
edgeagg wrote: ↑Fri Mar 04, 2022 9:14 am
Suppose you can't use your Yubikey - suppose it physically fails. What is the recovery path? You'd need a path outside the crypto token won't you?
Silence Dogood wrote: ↑Fri Mar 04, 2022 7:09 pm
My understanding is that Vanguard requires at least two security keys to be registered before allowing SMS to be disabled.

I use Yubikeys with Vanguard, and no SMS (I've never given them my cell number). My "backup" is to have them call my home phone (old fashioned land-line) and speak the secret code to me. Only hassle getting this to work was that I had to fake my browser agent, since their website insisted that I had to use Chrome (spoiler: Firefox works fine).
Re: Yubikey only at Vanguard now possible.
I moved a post and ensuing discussion by new member Lucent into this thread from Vanguard 2-factor authentication becoming mandatory and available for non-US.
-
- Posts: 15363
- Joined: Fri Apr 10, 2015 12:29 am
Re: Yubikey only at Vanguard now possible.
cowdogman wrote:
If you use Yubikey (which is in its way the same as computer restriction--Yubikey restriction)

Having a service remember your computer is not the equivalent of using a Yubikey in the level of security enhancement achieved.
Re: Yubikey only at Vanguard now possible.
cowdogman wrote:
If you use Yubikey (which is in its way the same as computer restriction--Yubikey restriction)
Northern Flicker wrote: ↑Sat Mar 05, 2022 1:31 am
Having a service remember your computer is not the equivalent of using a Yubikey in the level of security enhancement achieved.

Yes, I agree, but they are getting at the same thing--restricting access to a specific computer--the one Vanguard remembers or the one that has the Yubikey inserted.
Re: Yubikey only at Vanguard now possible.
With the current issues with the security of the mobile app we are using both yubikeys (and disabling the SMS option) AND the computer restriction. I would rather just use the yubikey but until there is better security on the mobile app or a way to block the app I will do both.
Drum
-
- Posts: 2352
- Joined: Tue Mar 05, 2019 9:29 pm
- Location: Colorado
Re: Yubikey only at Vanguard now possible.
cowdogman wrote:
If you use Yubikey (which is in its way the same as computer restriction--Yubikey restriction)
Northern Flicker wrote: ↑Sat Mar 05, 2022 1:31 am
Having a service remember your computer is not the equivalent of using a Yubikey in the level of security enhancement achieved.
cowdogman wrote: ↑Tue Mar 08, 2022 10:44 am
Yes, I agree, but they are getting at the same thing--restricting access to a specific computer--the one Vanguard remembers or the one that has the Yubikey inserted.

They are not even remotely equivalent.
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Yubikey only at Vanguard now possible.
conundrum wrote: ↑Tue Mar 08, 2022 12:03 pm
With the current issues with the security of the mobile app we are using both yubikeys (and disabling the SMS option) AND the computer restriction. I would rather just use the yubikey but until there is better security on the mobile app or a way to block the app I will do both.
Drum

Using a Google Voice number with a Google account secured by a Yubikey as the SMS 2FA for your Vanguard account and Yubikey as the other 2FA option for your Vanguard account is the only way to really secure your Vanguard account at this time.
Re: Yubikey only at Vanguard now possible.
It would seem that using the Yubikey and the computer/device restriction would be as secure as the google voice option. I understand the advantage of using google voice rather than SMS for 2FA but am not understanding why that would be better than restricting the devices/computer to only one computer dedicated to financial transactions?
Drum
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Yubikey only at Vanguard now possible.
conundrum wrote: ↑Tue Mar 08, 2022 12:50 pm
It would seem that using the Yubikey and the computer/device restriction would be as secure as the google voice option. I understand the advantage of using google voice rather than SMS for 2FA but am not understanding why that would be better than restricting the devices/computer to only one computer dedicated to financial transactions?
Drum

The single computer/device restriction has been reported by some BHs as having issues and not working right, locking people out of their account as the designated computer/device is not remembered. I would also suggest not leaving the SMS 2FA blank, which would bypass the risk of the security loophole with the mobile app when there is no SMS 2FA in place; in case for some reason the single computer/device restriction somehow gets deactivated.
Re: Yubikey only at Vanguard now possible.
With the ability to “add a new number” on the mobile app as noted by Silence Dogood above, wouldn’t the computer restriction be safer? It would seem the ability to add a new number would limit the effectiveness of using google voice as your 2FA number?
- anon_investor
- Posts: 15122
- Joined: Mon Jun 03, 2019 1:43 pm
Re: Yubikey only at Vanguard now possible.
You can only "add a new number" if there is no number already listed for SMS 2FA. So if you have a Google Voice number listed for SMS 2FA, then it won't give you an option to add a new number.
Re: Yubikey only at Vanguard now possible.
I agree, it's not the same at all.
-
- Posts: 15363
- Joined: Fri Apr 10, 2015 12:29 am
Re: Vanguard 2-factor authentication becoming mandatory and available for non-US
HawkeyePierce wrote: ↑Wed Apr 29, 2020 10:08 pm
...
Now if Vanguard will just let customers use *only* Yubikeys without the phone fallback.
edgeagg wrote: ↑Fri Mar 04, 2022 9:14 am
Suppose you can't use your Yubikey - suppose it physically fails. What is the recovery path? You'd need a path outside the crypto token won't you?

You can register 2 yubikeys in case 1 fails.
-
- Posts: 15363
- Joined: Fri Apr 10, 2015 12:29 am
Re: Yubikey only at Vanguard now possible.
cowdogman wrote:
If you use Yubikey (which is in its way the same as computer restriction--Yubikey restriction)
Northern Flicker wrote: ↑Sat Mar 05, 2022 1:31 am
Having a service remember your computer is not the equivalent of using a Yubikey in the level of security enhancement achieved.
cowdogman wrote: ↑Tue Mar 08, 2022 10:44 am
Yes, I agree, but they are getting at the same thing--restricting access to a specific computer--the one Vanguard remembers or the one that has the Yubikey inserted.

The Yubikey implements challenge-response authentication, which prevents various man-in-the-middle attacks and various trojan horse attacks. This is significantly more robust security than even an Authenticator app, much less remembering a computer or SMS 2FA.
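The difference described in the post above, as an added example (not part of the thread, and not Vanguard's or Yubico's code): a toy model in which HMAC stands in for the key's per-site signature and the `.example` origins are constructed. It compares an origin-bound, single-use challenge-response with a time-based authenticator code when each is replayed or passed through a look-alike page.

```python
import hashlib
import hmac
import secrets
import struct

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: depends only on the shared secret and the clock."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class SecurityKey:
    """Toy hardware key; HMAC replaces the real per-site signature (assumption)."""
    def __init__(self) -> None:
        self._device_secret = secrets.token_bytes(32)
    def site_key(self, origin: str) -> bytes:
        # A different key per origin, derived inside the device.
        return hmac.new(self._device_secret, origin.encode(), hashlib.sha256).digest()
    def respond(self, origin: str, challenge: bytes) -> bytes:
        # The browser supplies the origin it is actually connected to.
        return hmac.new(self.site_key(origin), challenge, hashlib.sha256).digest()

class Server:
    """Hypothetical relying party holding one registered key and one TOTP secret."""
    def __init__(self, registered_key: bytes, totp_secret: bytes) -> None:
        self._key, self._totp_secret = registered_key, totp_secret
        self._pending = set()
    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending.add(challenge)
        return challenge
    def check_key(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._pending:
            return False                      # unknown or already used
        self._pending.discard(challenge)      # each challenge is single-use
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)
    def check_totp(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self._totp_secret, now))

def run_scenarios() -> dict:
    real, lookalike = "https://broker.example", "https://broker-login.example"
    key, totp_secret, now = SecurityKey(), secrets.token_bytes(20), 1_700_000_000
    server = Server(key.site_key(real), totp_secret)
    c1, c2 = server.new_challenge(), server.new_challenge()
    good = key.respond(real, c1)
    return {
        "key_direct": server.check_key(c1, good),
        "key_replayed": server.check_key(c1, good),   # same answer, used challenge
        # Challenge forwarded through a look-alike page: key sees the wrong origin.
        "key_via_lookalike": server.check_key(c2, key.respond(lookalike, c2)),
        # A typed code carries no origin, so it is still valid when forwarded.
        "totp_via_lookalike": server.check_totp(totp(totp_secret, now), now + 5),
    }

if __name__ == "__main__":
    print(run_scenarios())
```

A remembered-computer cookie behaves like the TOTP case here: it is a bearer value with no binding to the site or to a fresh challenge.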
Re: Vanguard 2-factor authentication becoming mandatory and available for non-US
HawkeyePierce wrote: ↑Wed Apr 29, 2020 10:08 pm
...
Now if Vanguard will just let customers use *only* Yubikeys without the phone fallback.
edgeagg wrote: ↑Fri Mar 04, 2022 9:14 am
Suppose you can't use your Yubikey - suppose it physically fails. What is the recovery path? You'd need a path outside the crypto token won't you?
Northern Flicker wrote: ↑Wed Mar 09, 2022 3:17 am
You can register 2 yubikeys in case 1 fails.

The point I am making here is that the recovery path has to be set up at the same time that the primary (yubikey) path is set up and has to be (ideally) more secure than the primary path since it re-establishes trust in a new primary path. It may be less convenient of course, but that isn't a problem since it is used for one time recovery. The design of security ceremonies (yes, that is a real technical term) is a pretty well studied area of cs security research and one that requires real user testing to see if the ceremony works.
In the specific case used by VG, they have decided to lower the security of the recovery step, thus forcing users to come up with their own ceremony hacks to have a recovery path that provides availability with equivalent (or higher) security.
Of these hacks:
1) Voice print based recovery: I've no idea how secure this is, since VG has never published anything on the actual security of their implementation or efforts to penetration test this. Seems very woo-woo to me in the absence of better data.
2) Secondary (recovery) yubikey: This seems promising, but has 2 problems: How do you know the secondary yubikey works without using it regularly? Correlated failures can happen (like your house being destroyed - something that actually happened in my case). But a fireproof safe might be sufficient.
3) Single purpose phone #: You have to make sure that you remember this number and need a way to ensure that it is available only to you when your regular # is hacked and that is also available - the landline fails under the house destruction scenario rendering the secondary path unavailable.
I wonder if a tertiary recovery via a notary public and a government issued ID would be accepted by VG. But of all the proposals, I might go with the secondary yubikey.
Like others, I find it surprising & disappointing that a company that manages trillions of dollars in investments doesn't appear to know of fairly well understood security concepts, leading individual users to come up with their own security protocols.
EDIT: Carl Ellison's original ceremony paper (https://eprint.iacr.org/2007/399.pdf)
-
- Posts: 15363
- Joined: Fri Apr 10, 2015 12:29 am
Re: Yubikey only at Vanguard now possible.
You should set up two yubikeys and rotate them, say quarterly or every 6 months. Authentication reset is the Achilles heel of every internet-facing service I use. I am not aware of many if any financial institutions that get it right.
I have been permanently locked out of google accounts when trying to reset a password despite having 2FA enabled as the most robust mechanism for authenticating the reset, so I don't think google has exactly nailed it either.
Key management and distribution is a difficult problem for a user base distributed around the internet.
Re: Yubikey only at Vanguard now possible.
cowdogman wrote:
If you use Yubikey (which is in its way the same as computer restriction--Yubikey restriction)
Northern Flicker wrote: ↑Sat Mar 05, 2022 1:31 am
Having a service remember your computer is not the equivalent of using a Yubikey in the level of security enhancement achieved.
cowdogman wrote: ↑Tue Mar 08, 2022 10:44 am
Yes, I agree, but they are getting at the same thing--restricting access to a specific computer--the one Vanguard remembers or the one that has the Yubikey inserted.
HawkeyePierce wrote: ↑Tue Mar 08, 2022 12:24 pm
They are not even remotely equivalent.

Please explain. I agreed above that they are not equivalent but are getting at the same thing. Specifically, would use both (1) computer restriction and (2) Yubikey? If so (or not), why?