Vanguard and Yubikey

Chuckanut

So, I was looking at Vanguard's 2FA and noticed it uses a Yubikey device.

Great? Maybe not.

A customer still has to also register for the text msg codes. If the Yubikey is unavailable then they use the text message method.

In my mind this defeats the purpose of the Yubikey which is to eliminate the text msg method entirely since it is less secure than a time based system like the Yubikey or an Authenticator app.

Comments?
 
Yesterday I traded in my iPhone for a new one and while it was relatively painless, simply retrieving the last backup from the iCloud to the new phone then Google Authenticator lost its contents for GMail, LastPass etc and although it was a bit of pain it turned out to be pretty easy to log on using the backup method of logging on with a code being sent to the phone on record. This tells me that a hacker armed with enough knowledge can bypass the authentication device.

The exception was HSBC which uses its own mobile app to generate an authentication code to make transactions to payees or banks that one has not previously set up and made transactions to. Without going into extensive details there was not a simple workaround by simply sending a text message to my phone.

ETA
I don't use Yubikey with Vanguard so don't know the process when losing it.
 
Been pondering 2FA setups the past couple days.

SSA 2FA has a bit of a chicken and egg thing going on too.

SSA has SMS only as 2FA with an option to get in by email as an alternate way.

But, if I lose my phone, I can get in by email. But if I use email as an option, then isn't that self-defeating? Then all some hacker needs is my email and password which is what the SMS text was supposed to prevent in the first place. Unless I'm missing something.
 
Been pondering 2FA setups the past couple days.

SSA 2FA has a bit of a chicken and egg thing going on too.

SSA has SMS only as 2FA with an option to get in by email as an alternate way.

But, if I lose my phone, I can get in by email. But if I use email as an option, then isn't that self-defeating? Then all some hacker needs is my email and password which is what the SMS text was supposed to prevent in the first place. Unless I'm missing something.

I use Gmail with 2FA using Google Authenticator so a hacker attempting to get into my SSA account would also have to get through my 2FA protection on my GMail. But as I just discovered, if I lose my Google Authenticator setup then I can restore it using a text message :facepalm:
 
I use Gmail with 2FA using Google Authenticator so a hacker attempting to get into my SSA account would also have to get through my 2FA protection on my GMail. But as I just discovered, if I lose my Google Authenticator setup then I can restore it using a text message :facepalm:


Really? That's pretty crazy.

On the SSA situation I mentioned, perhaps not that bad if the email verification has to go through the security questions. I may have to test out.
 
Really? That's pretty crazy.

On the SSA situation I mentioned, perhaps not that bad if the email verification has to go through the security questions. I may have to test out.
I just did this and I do believe you have to go through challenge questions after the 2FA.
 
I use Gmail with 2FA using Google Authenticator so a hacker attempting to get into my SSA account would also have to get through my 2FA protection on my GMail. But as I just discovered, if I lose my Google Authenticator setup then I can restore it using a text message :facepalm:

With Google Authenticator you can print a list of one-time only authorization codes. Keep it in a very safe place, and if you lose the Authenticator App or the device it's on, you have the key to get in and turn off 2FA or, better yet, reset it.
 
With Google Authenticator you can print a list of one-time only authorization codes. Keep it in a very safe place, and if you lose the Authenticator App or the device it's on, you have the key to get in and turn off 2FA or, better yet, reset it.

I did do this. Problem is the safe place I put the list is back home in England :facepalm::facepalm:
 
I just did this and I do believe you have to go through challenge questions after the 2FA.

I wanted to test this myself but couldn't. When trying to enable email to receive a code, I didn't even receive a code to do the initial enabling.

Been much longer than the at least two minutes wait. In fact, tried 3 times but no go.

I'll have to give a shot another time. I suppose, at the very least if I lose my phone, I can visit a SSA office :blush:.
 
I wanted to test this myself but couldn't. When trying to enable email to receive a code, I didn't even receive a code to do the initial enabling.

Been much longer than the at least two minutes wait. In fact, tried 3 times but no go.

I'll have to give a shot another time. I suppose, at the very least if I lose my phone, I can visit a SSA office :blush:.
I had a helpdesk person on the phone with me, who had just unlocked my account. My email was instant (well almost).

Good luck.
 
I had a helpdesk person on the phone with me, who had just unlocked my account. My email was instant (well almost).

Good luck.

Thanks. I went ahead and had some dinner. Just got back on now and see that the emails did arrive (though later than the 10 minutes, so the codes probably were expired). I'll have to try again another time. But not critical as I don't plan on losing my phone anytime soon :angel:.
 
All of this makes me wonder about SSA. I don't get SS (30+ years as a Fed) so don't pay a lot of attention. But DW will be filing for Medicare this year and SS next. I tried to setup a MySS account for her and was told they can't do it for this SSN. That reminded me that I had the same response when I tried it for myself a few years back (out of curiosity). It turned out that SS checks with the major credit bureaus to verify identity of users signing up for MySS accounts. We have our credit frozen so no go. Unfreezing would be a PITA.

My question to all of you gurus is how important is an online SS account? Can't she just sign up over the phone? Once a direct deposit is set up I can't see much reason for her to keep contacting SS.
 
All of this makes me wonder about SSA. I don't get SS (30+ years as a Fed) so don't pay a lot of attention. But DW will be filing for Medicare this year and SS next. I tried to setup a MySS account for her and was told they can't do it for this SSN. That reminded me that I had the same response when I tried it for myself a few years back (out of curiosity). It turned out that SS checks with the major credit bureaus to verify identity of users signing up for MySS accounts. We have our credit frozen so no go. Unfreezing would be a PITA.

My question to all of you gurus is how important is an online SS account? Can't she just sign up over the phone? Once a direct deposit is set up I can't see much reason for her to keep contacting SS.

I have a MySS account now mainly to download my SS future estimates. Also, I have an account so no imposter could sign up in my place. Might be more useful as I get older and more SS stuff applies to me. As for the unfreezing, my credit wasn't frozen at the time of signing up. But did do a thaw (unfreeze for a set time, then automatically frozen back) on one credit bureau when signing up for Obamacare. Did that online and was easy, but did cost about $10 in my state.
 
I have a MySS account now mainly to download my SS future estimates. Also, I have an account so no imposter could sign up in my place. Might be more useful as I get older and more SS stuff applies to me. As for the unfreezing, my credit wasn't frozen at the time of signing up. But did do a thaw (unfreeze for a set time, then automatically frozen back) on one credit bureau when signing up for Obamacare. Did that online and was easy, but did cost about $10 in my state.
Maybe SSA will tell me what bureau they check. Unfreezing one would be OK, all four would be a PITA.
 
Maybe SSA will tell me what bureau they check. Unfreezing one would be OK, all four would be a PITA.

Hopefully, they will tell you. As a last resort, you can also visit a SSA office to prove who you are and sign up without having to do any unfreezing. But depending on the place, can be nerve wracking too waiting in line.
 
It turned out that SS checks with the major credit bureaus to verify identity of users signing up for MySS accounts. We have our credit frozen so no go. Unfreezing would be a PITA.

I don't want to be argumentative, but.... Why is unfreezing an account a PITA? It can be done in 5 minutes as long as you don't lose your Pin. Lose the Pin and it is a PITA, but still not as big a PITA as letting some criminal get control of your MySS account with the Feds.
 
I don't want to be argumentative, but.... Why is unfreezing an account a PITA? It can be done in 5 minutes as long as you don't lose your Pin. Lose the Pin and it is a PITA, but still not as big a PITA as letting some criminal get control of your MySS account with the Feds.

Because in states like IL it costs $10 per credit bureau. So it would be $40.
 
I don't want to be argumentative, but.... Why is unfreezing an account a PITA? It can be done in 5 minutes as long as you don't lose your Pin. Lose the Pin and it is a PITA, but still not as big a PITA as letting some criminal get control of your MySS account with the Feds.

Because in states like IL it costs $10 per credit bureau. So it would be $40.
And you have to do it for three and now maybe even four credit bureaus. I have done it and it isn't a big deal but it is a Pita and I won't bother unless it makes it a lot easier for DW to file for SS.
 
Thanks. I went ahead and had some dinner. Just got back on now and see that the emails did arrive (though later than the 10 minutes, so the codes probably were expired). I'll have to try again another time. But not critical as I don't plan on losing my phone anytime soon :angel:.

Tried again this afternoon. No problem whatsoever. Got the email promptly. I think the SSA was down for maintenance around the weekend. Or maybe this is a regular banker's hours thing for them.
 