Anyone Use a U2F Security Key?
Old 07-13-2018, 09:33 AM   #1
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
TromboneAl's Avatar
 
Join Date: Jun 2006
Posts: 11,473
I ordered one of these for two reasons:

1. Someone in a book I'm writing uses one, and I want to have a feeling for how it works.

2. I'm paranoid about someone accessing my Vanguard account. Once someone tried to log in to it. The reps and I concluded that it was a result of someone having a login name that was similar to mine, but still, that woke me up.

When I get the key, I'm going to attach it to my Vanguard account.

__________________
Al
TromboneAl is offline   Reply With Quote
Old 07-13-2018, 09:50 AM   #2
Full time employment: Posting here.
 
Join Date: Sep 2006
Posts: 787
Note that even if you set up a U2F security key on your Vanguard account, it can be bypassed.

https://www.bogleheads.org/forum/viewtopic.php?t=234202
JustCurious is offline   Reply With Quote
Old 07-13-2018, 10:43 AM   #3
Thinks s/he gets paid by the post
target2019's Avatar
 
Join Date: Dec 2008
Posts: 3,987
Quote:
Originally Posted by TromboneAl View Post
I ordered one of these for two reasons:

1. Someone in a book I'm writing uses one, and I want to have a feeling for how it works.

2. I'm paranoid about someone accessing my Vanguard account. Once someone tried to log in to it. The reps and I concluded that it was a result of someone having a login name that was similar to mine, but still, that woke me up.

When I get the key, I'm going to attach it to my Vanguard account.
A randomized login for account name is much better than what you are using. That is what I choose to use for accounts that allow this.
target2019 is offline   Reply With Quote
Old 07-13-2018, 10:54 AM   #4
Thinks s/he gets paid by the post
ExFlyBoy5's Avatar
 
Join Date: May 2013
Posts: 2,327
I personally have never tried such a thing, and I think the decent answer these days is two-tier authentication. I am kinda curious as to why security certificates aren't really a thing. When I was still in the AF, we used our ID card (called a common access card and had a chip in it) to access all government related accounts/applications. It was simple...you put your card into the reader and then you put in a 6-8 digit PIN and PRESTO you gained access to ALL THE SITES. I am not sure why this can't be used with private applications/websites... I would love to be able to do that.
__________________
Retired in 2014 at the Ripe Age of 40
Founder and Head Lounger @ The Life of Leisure Institute
ExFlyBoy5 is offline   Reply With Quote
Old 07-13-2018, 11:07 AM   #5
Thinks s/he gets paid by the post
grasshopper's Avatar
 
Join Date: Oct 2010
Posts: 1,762
I have 2 that I use for Vanguard, Google, Facebook. I have my Chromebook set up to log on with, along with username and password.
__________________
For me experiences are not good or bad, just different
grasshopper is offline   Reply With Quote
Old 07-13-2018, 11:54 AM   #6
Thinks s/he gets paid by the post
target2019's Avatar
 
Join Date: Dec 2008
Posts: 3,987
Quote:
Originally Posted by ExFlyBoy5 View Post
I personally have never tried such a thing, and I think the decent answer these days is two-tier authentication. I am kinda curious as to why security certificates aren't really a thing. When I was still in the AF, we used our ID card (called a common access card and had a chip in it) to access all government related accounts/applications. It was simple...you put your card into the reader and then you put in a 6-8 digit PIN and PRESTO you gained access to ALL THE SITES. I am not sure why this can't be used with private applications/websites... I would love to be able to do that.
For reference:
https://en.wikipedia.org/wiki/Common_Access_Card

CAC card is so great, it is being replaced:
https://defensesystems.com/articles/...placement.aspx

The support cost for a gov't solution must be up there. Replace it with something cheaper, and watch the cost skyrocket.

Symantec VIP works well. It's MFA. Schwab provided a token to me. Software app is available too.
https://vip.symantec.com/
target2019 is offline   Reply With Quote
Old 07-13-2018, 12:06 PM   #7
Thinks s/he gets paid by the post
 
Join Date: Aug 2013
Location: North
Posts: 1,052
Quote:
Originally Posted by ExFlyBoy5 View Post
I personally have never tried such a thing, and I think the decent answer these days is two-tier authentication. I am kinda curious as to why security certificates aren't really a thing. When I was still in the AF, we used our ID card (called a common access card and had a chip in it) to access all government related accounts/applications. It was simple...you put your card into the reader and then you put in a 6-8 digit PIN and PRESTO you gained access to ALL THE SITES. I am not sure why this can't be used with private applications/websites... I would love to be able to do that.

Everyone would need that 6-digit number tattooed onto themselves (or the gaps we need to account for, think POA).

On top of that, everyone would need some way to tie this to their identity. Passwords are going away and 2-factor is just the beginning.

The CIA has been working on some things that will be in the public domain in the next couple of years.
__________________
AA (Stock/Bond/Cash ): 99/0/1% MIX (Small/Mid/Large): 50/25/25% BLEND(US/Foreign): 100/0%, REIT (Real Estate Equity): 50% of Assets

FIRE in 2031 @ 50yrs old (+/- 2yrs) w/ a hypothetical $2.5mil portfolio, 3 appreciated homes worth $1.0mil and rental income to fund my gap years until RMD. Assets will go to an inherited IRA where I plan on watching the investments grow until I die or the trust gets executed.
kgtest is offline   Reply With Quote
Old 07-13-2018, 06:38 PM   #8
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
TromboneAl's Avatar
 
Join Date: Jun 2006
Posts: 11,473
Quote:
Originally Posted by JustCurious View Post
Note that even if you set up a U2F security key on your Vanguard account, it can be bypassed.

https://www.bogleheads.org/forum/viewtopic.php?t=234202
Yes, interesting thread. The gist of it is that Vanguard's policy is that if you don't have or lose your key, then they will send you the code via SMS.

Because of that, it's no more secure than using the standard SMS 2-factor security.

It is slightly more convenient, and if VG would have more consequences of not having your key, it would be more secure.

My key came today, but I can't implement it with VG until my new Tracfone phone that actually has coverage at my house arrives (tomorrow).

In the book, the key is just an excuse for a heist. The good guys can't get to the bad guys' data without a key, so they have to break in and find it.
__________________
Al
TromboneAl is offline   Reply With Quote
Old 07-13-2018, 07:03 PM   #9
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
easysurfer's Avatar
 
Join Date: Jun 2008
Posts: 8,656
I have never heard of a U2F key.

I do collect OTP QR scans for my authenticator app. My count now is up to 11 with one for Kickstarter as my most recent add.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is offline   Reply With Quote
Old 07-13-2018, 11:44 PM   #10
Full time employment: Posting here.
 
Join Date: Jul 2011
Posts: 653
I use YubiKey. I wish all the sites had the option, at least as I understand the extra security it is supposed to provide. Although not as OP describes Vanguard's implementation.
davef is offline   Reply With Quote
Old 07-14-2018, 05:52 AM   #11
Recycles dryer sheets
 
Join Date: Dec 2012
Posts: 266
Quote:
Originally Posted by TromboneAl View Post
Yes, interesting thread. The gist of it is that Vanguard's policy is that if you don't have or lose your key, then they will send you the code via SMS.

Because of that, it's no more secure than using the standard SMS 2-factor security.

It is slightly more convenient, and if VG would have more consequences of not having your key, it would be more secure.

My key came today, but I can't implement it with VG until my new Tracfone phone that actually has coverage at my house arrives (tomorrow).

In the book, the key is just an excuse for a heist. The good guys can't get to the bad guys' data without a key, so they have to break in and find it.
I use YubiKey but it's not supported on all the sites I would like it to support. I'm a Tracfone guy too. What type of phone did you order? I'm due a new phone as well.
davismills is offline   Reply With Quote
Old 07-14-2018, 06:31 AM   #12
Moderator
braumeister's Avatar
 
Join Date: Feb 2010
Location: Northern Kentucky
Posts: 10,329
Quote:
Originally Posted by target2019 View Post
Symantec VIP works well.
Never heard of the U2F, but I use the Symantec VIP app on my phone for a couple of sites (Fidelity and USAA). That has worked well for me.
__________________
I thought growing old would take longer.
braumeister is offline   Reply With Quote
Old 07-14-2018, 07:01 AM   #13
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Apr 2013
Posts: 6,563
Quote:
Originally Posted by braumeister View Post
Never heard of the U2F, but I use the Symantec VIP app on my phone for a couple of sites (Fidelity and USAA). That has worked well for me.
We used them at Megacorp. Of course there's always a back door.
MRG is offline   Reply With Quote
Old 07-14-2018, 08:22 AM   #14
Thinks s/he gets paid by the post
target2019's Avatar
 
Join Date: Dec 2008
Posts: 3,987
Quote:
Originally Posted by braumeister View Post
Never heard of the U2F, but I use the Symantec VIP app on my phone for a couple of sites (Fidelity and USAA). That has worked well for me.
Universal Secondary Factor authentication. New standard.
I also have Duo app in my phone for work accounts. They call that U2F. VIP is U2F also.
Anyone need another ACRONYM?


https://www.symantec.com/connect/art...th-and-offline
target2019 is offline   Reply With Quote
Old 07-15-2018, 08:55 AM   #15
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
TromboneAl's Avatar
 
Join Date: Jun 2006
Posts: 11,473
Quote:
Originally Posted by davismills View Post
I use YubiKey but it's not supported on all the sites I would like it to support. I'm a Tracfone guy too. What type of phone did you order? I'm due a new phone as well.
Galaxy J7 Sky Pro for $59 (refurbished). 5.5" screen. Recommended! Now DW and I both have one.

I just started this thread:

Tracfone is Better Now
__________________
Al
TromboneAl is offline   Reply With Quote
Old 07-15-2018, 10:03 AM   #16
Recycles dryer sheets
 
Join Date: Dec 2012
Posts: 266
Thanks Al. Just ordered one.
davismills is offline   Reply With Quote
All times are GMT -6.