YubiKey and LastPass
Old 09-12-2017, 10:08 PM   #1
Full time employment: Posting here.
 
Join Date: Mar 2008
Posts: 625
YubiKey and LastPass

Given the most recent hack with Equifax, I have decided to take the extra step of securing Vanguard funds. I already use the 2 factor text the code thing, but want to step it up.

So my question is this for those that use YubiKey: I use LastPass. Should I set up Vanguard SEPARATELY with the YubiKey or is it just as secure if I log in with LastPass YubiKey with Vanguard?

Any other advice in general with the Yubi would be appreciated. I ordered mine on Amazon and it should be here soon!
__________________
bizlady is offline   Reply With Quote
Old 09-12-2017, 10:56 PM   #2
Thinks s/he gets paid by the post
Sunset's Avatar
 
Join Date: Jul 2014
Location: Chicago
Posts: 4,057
I don't know what this YubiKey is, but you can set your Vanguard account to require a different PIN every time.
They will text it to your cell phone, each time you log in. (or you can have it when a different computer logs in).
Then you enter the pin to finish the login process.
__________________
Sunset is offline   Reply With Quote
Old 09-13-2017, 06:01 AM   #3
Full time employment: Posting here.
 
Join Date: Jul 2011
Posts: 537
I know enough to be dangerous. Given a choice of 2 factor with a code sent from Vanguard or provided by YubiKey, I would go with YubiKey. It is more sophisticated and should provide more protection. I also like that it is under my control and I do not rely on the site provider to send a code.
__________________
davef is offline   Reply With Quote
Old 09-13-2017, 08:58 AM   #4
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Chuckanut's Avatar
 
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 6,115
Two factor codes sent to a phone are inherently unsafe because text messaging is inherently insecure.
__________________
The worst decisions are usually made in times of anger and impatience.
Chuckanut is offline   Reply With Quote
Old 09-13-2017, 10:02 AM   #5
Thinks s/he gets paid by the post
 
Join Date: Aug 2004
Location: Laurel, MD
Posts: 2,780
Quote:
Originally Posted by Chuckanut View Post
Two factor codes sent to a phone are inherently unsafe because text messaging is inherently insecure.


Could you please explain this? I know SMS is not secure for a permanent password but what is the danger of texting a one time use PIN that expires after a set time?
__________________
...with no reasonable expectation for ER, I'm just here auditing the AP class. Retired 8/1/15.
jazz4cash is offline   Reply With Quote
Old 09-13-2017, 01:57 PM   #6
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Chuckanut's Avatar
 
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 6,115
Quote:
Originally Posted by jazz4cash View Post
Could you please explain this? I know SMS is not secure for a permanent password but what is the danger of texting a one time use PIN that expires after a set time?

Cell phone companies make it too easy for bad guys to call them up and say "Hi, this is jazz4cash. I dropped my phone off a 1200 foot cliff while vacationing in Wyoming. I would like to order a new phone with a new SIM card and please port my current phone number to it."

The Equifax fiasco has made it easy for them to know a lot about you and answer the questions they use to make certain you are you.

Then they get control of your IDs and lock you out.

Certainly 2FA with a text message is still safer than no 2FA. But, having a time-based random number generator (either software or a device) is safer yet.

https://www.forbes.com/sites/laurash.../#25cd9128360f

2 Investigators: Fraudsters Can Steal Your Phone Number — And More — Through ‘Porting’ « CBS Chicago

https://www.fastcompany.com/40432975...g-linked-to-it
__________________
The worst decisions are usually made in times of anger and impatience.
Chuckanut is offline   Reply With Quote
Old 09-13-2017, 02:04 PM   #7
Recycles dryer sheets
 
Join Date: May 2012
Posts: 89
Here is a good article explaining why SMS is not safe.
https://www.forbes.com/forbes/welcom...ww.google.com/

YubiKey or some sort of authentication software like Google Authenticator or VIP Access are good choices. Schwab and Fidelity offer such, since it is much harder for hackers to have your passwords for your account and phone and, more importantly, the actual device to retrieve the codes.
__________________
hlfo718 is offline   Reply With Quote
Old 09-13-2017, 02:32 PM   #8
Thinks s/he gets paid by the post
JoeWras's Avatar
 
Join Date: Sep 2012
Posts: 2,282
Quote:
Originally Posted by Chuckanut View Post
Certainly 2FA with a text message is still safer than no 2FA. But, having a time-based random number generator (either software or a device) is safer yet.

And everybody wants their own device.

I got one for E*Trade. I've resisted getting one for other accounts because they are easy to lose.

Sometimes I think we have no hope against the bad guys.
__________________
JoeWras is online now   Reply With Quote
Old 09-13-2017, 03:05 PM   #9
Recycles dryer sheets
 
Join Date: Apr 2010
Posts: 407
Consider "Computer access restrictions" option, seems very effective.
__________________
“The problem with the world is that the intelligent people are full of doubt, while the stupid people are full of confidence.”

(—Charles Bukowski)
wanaberetiree is offline   Reply With Quote
Old 09-13-2017, 04:41 PM   #10
Thinks s/he gets paid by the post
Cobra9777's Avatar
 
Join Date: Jul 2012
Location: Texas
Posts: 1,092
I've thought about getting a YubiKey as added protection for my password manager, which is PasswordSafe. I have PasswordSafe installed on my desktop, laptop, and cell phone. I recently lost a phone that had the app on it. Even though I have a very strong master password, I spent an hour or two changing all my passwords. I like the idea of a YubiKey as a second level of physical security for that and possibly other applications as well. Just haven't done it yet.

Fidelity uses VIP Access, which is far more secure than texting or emailing PINs, essentially equivalent to hardware-based 2FA. In addition to knowing my Fidelity ID and password, a thief would need to be in possession of my smartphone and my right index finger. In addition, I recently signed up for Fidelity MyVoice, which is their new voice recognition technology. So in theory, a thief who calls Fidelity pretending to be me will not get access to anything, even if they have all the correct credentials and security Q&A.

I like owning Vanguard ETFs at Fidelity.
__________________
Retired at 52 in July 2013. On to better things...
AA: 55% stock, 15% real estate, 27% bonds, 3% cash
WR: 2.0% SI: 2 pensions, some rental income, SS later
Cobra9777 is offline   Reply With Quote
Old 09-14-2017, 08:33 AM   #11
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Chuckanut's Avatar
 
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 6,115
Quote:
Originally Posted by JoeWras View Post
And everybody wants their own device.

I got one for E*Trade. I've resisted getting one for other accounts because they are easy to lose.

Sometimes I think we have no hope against the bad guys.

So E*Trade requires you to have a custom device made just for their service?
__________________
The worst decisions are usually made in times of anger and impatience.
Chuckanut is offline   Reply With Quote
Old 09-14-2017, 08:34 AM   #12
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Chuckanut's Avatar
 
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 6,115
This might help if one is seeking info on who uses 2FA?

Quote:
List of websites and whether or not they support 2FA.
https://twofactorauth.org/
__________________
The worst decisions are usually made in times of anger and impatience.
Chuckanut is offline   Reply With Quote
Old 09-14-2017, 08:40 AM   #13
Thinks s/he gets paid by the post
JoeWras's Avatar
 
Join Date: Sep 2012
Posts: 2,282
Quote:
Originally Posted by Chuckanut View Post
So E*Trade requires you to have a custom device made just for their service?

They used to, if you chose 2 factor.

Apparently they now have an application. I guess that means an app for every service.

The device (a little dongle on your keyring) is probably the ultimate in 2 factor. The thief would need to physically compromise you and the device. The device creates a code unique to each person, so using another one won't work.
__________________
JoeWras is online now   Reply With Quote
Old 09-14-2017, 10:01 AM   #14
Full time employment: Posting here.
GTFan's Avatar
 
Join Date: Apr 2013
Location: Atlanta
Posts: 599
Quote:
Originally Posted by Chuckanut View Post
Certainly 2FA with a text message is still safer than no 2FA. But, having a time-based random number generator (either software or a device) is safer yet.

Yep, until you run into the cold truth that no one wants multiple dongles and/or software solutions to this problem. So 2FA will inherently have issues.
__________________
GTFan is offline   Reply With Quote
Old 09-14-2017, 11:33 AM   #15
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
easysurfer's Avatar
 
Join Date: Jun 2008
Posts: 7,680
Quote:
Originally Posted by GTFan View Post
Yep, until you run into the cold truth that no one wants multiple dongles and/or software solutions to this problem. So 2FA will inherently have issues.

My wish is that most places flock to use Google Authenticator (compatible) QR scans. The thought of multiple dongles to accomplish pretty much the same thing sounds a lot like the tiny keyring reward cards. Can get cumbersome pretty quickly.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is online now   Reply With Quote
Old 09-14-2017, 12:07 PM   #16
Confused about dryer sheets
 
Join Date: Sep 2017
Posts: 1
Is anyone aware of data regarding the frequency of major mutual fund companies like Vanguard being hacked and customers actually losing assets? Other than cases where legit passwords were stolen....Does this actually happen?
__________________
burnt is offline   Reply With Quote
Old 09-15-2017, 08:12 AM   #17
Dryer sheet aficionado
 
Join Date: Oct 2006
Posts: 47
YubiKey at Vanguard is somewhat useless because they simply default to their other security measures if the key is lost. I posed this scenario to them directly.
__________________
I'm sorry if I ask questions that are too nosy/personal.
Scout is offline   Reply With Quote
Old 09-15-2017, 07:46 PM   #18
Thinks s/he gets paid by the post
target2019's Avatar
 
Join Date: Dec 2008
Posts: 3,610
Interesting wiki page, that has a matrix of threat coverage for authentication.

https://en.wikipedia.org/wiki/Compar...tion_solutions
__________________
target2019 is offline   Reply With Quote
Old 09-15-2017, 08:03 PM   #19
Full time employment: Posting here.
 
Join Date: Mar 2008
Posts: 625
Bought the YubiKey and want to secure my password manager LastPass along with Vanguard. But it seems I have to activate yet another verifier if I still want access to LP with my iPhone as an authorized device. Too darn complicated to wade through tonight.....
Just seems it should not be this confusing for the nontechnical!
__________________
bizlady is offline   Reply With Quote
Old 09-16-2017, 11:23 AM   #20
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
easysurfer's Avatar
 
Join Date: Jun 2008
Posts: 7,680
Quote:
Originally Posted by bizlady View Post
Bought the YubiKey and want to secure my password manager LastPass along with Vanguard. But it seems I have to activate yet another verifier if I still want access to LP with my iPhone as an authorized device. Too darn complicated to wade through tonight.....
Just seems it should not be this confusing for the nontechnical!

Seems there's always a balance between ease of use vs security confusion.

You aren't alone. I sort of wasted my morning today trying to get more organized with my 2FA settings attempting to create a spreadsheet with columns of what I use (OTP App, SMS, email, backup codes, and so on). Finally I gave up and condensed the spreadsheet to my accounts and the primary method used for those accounts. Not perfect, but better than nothing.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is online now   Reply With Quote