I know there are some members that use a Yubikey and possibly with Vanguard. I haven't seen this mentioned here, so I figured it's worth sharing. I experienced this myself and there's a long thread on Bogleheads where it's discussed.
I recently decided to up my security and ordered a couple of Yubikeys to play around with. Vanguard was one of the sites where I wanted to use Yubikeys. Setting this up was easy on Vanguard's website. I registered two Yubikeys with Vanguard and disabled Security Code, which is what Vanguard calls 2FA using a cellphone number.
Using the website, this works perfectly. There is no way to log in to Vanguard without using one of the Yubikeys. If you try to log in and don't have the Yubikey, then you're redirected to call Vanguard.
I then tried to log in to Vanguard using the iPhone app. This is where there's a major security hole. The app will tell you that you need to enable 2FA in order to log in. It then allows you to enable 2FA in the iPhone app. It gets better. It lists your currently registered phone numbers you can use, but it also allows you to enter a completely new phone number. I tried this with DS using his cell number. Sure enough, Vanguard texted him a 6-digit code, which, after I entered it, allowed me to access my Vanguard accounts and set up 2FA using his phone number. This entire process completely bypasses the Yubikey.
This is a major security issue with Vanguard's implementation of using Yubikey with 2FA disabled.
To solve this problem, I re-enabled cellphone 2FA and now use a Google Voice number. This avoids the problem where you're prompted to set up 2FA in the iPhone app. It's also safer than using a regular cellphone number.
This means it's pointless to use Yubikeys with Vanguard, since now you can bypass the Yubikey with a code sent to a cellphone number. It's a shame, since it seemed like a good solution. I can't believe that Vanguard botched it this badly.
Hopefully Vanguard will eventually fix this issue, but I'm skeptical. The thread on Bogleheads pointed out this issue in 2021.
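The bypass described in the post is a factor-downgrade problem: one client (the app) only knows about SMS, and it lets a password-only session enrol a brand-new number, so the registered security keys never enter the decision. The following toy model, added here as an illustration and not Vanguard's code or anything from the Bogleheads thread, contrasts that behaviour with a server-side policy that fixes it. Every name in it (the `Account`/`Session` fields, the phone numbers, the `send_sms` stand-in that writes the code to an in-memory outbox) is an assumption made for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    fido_keys: set           # credential ids of enrolled security keys
    sms_numbers: set         # phone numbers enrolled for SMS codes
    sms_enabled: bool        # the "Security Code" toggle


@dataclass
class Session:
    password_ok: bool = False
    fido_ok: bool = False    # set only after a successful security-key assertion
    sms_ok: bool = False


class Denied(Exception):
    pass


def send_sms(outbox, number):
    """Constructed stand-in for an SMS gateway: the code is written to `outbox`,
    which whoever controls `number` can read."""
    outbox[number] = f"{secrets.randbelow(10**6):06d}"


def weak_app_login(acct, sess, outbox, number, read_code):
    """Mirrors the app flow the post describes. The client only understands SMS,
    so if Security Code is off it lets a password-only session enrol *any*
    number, then accepts a code sent to it. Enrolled security keys are never
    consulted, so on this client they add nothing."""
    if not sess.password_ok:
        raise Denied("password required")
    if not acct.sms_enabled:                  # enrolment gated on the password alone
        acct.sms_numbers.add(number)
        acct.sms_enabled = True
    if number not in acct.sms_numbers:
        raise Denied("number not enrolled")
    send_sms(outbox, number)
    if read_code(number) != outbox[number]:
        raise Denied("wrong code")
    sess.sms_ok = True
    return True


def strong_app_login(acct, sess, outbox, number, read_code):
    """Fixed policy: the server, not the client, decides which factors satisfy
    the login. Once a security key is enrolled it is the only acceptable second
    factor on every client, and SMS is only accepted for numbers that were
    enrolled from a fully authenticated session (see strong_enroll_sms)."""
    if not sess.password_ok:
        raise Denied("password required")
    if acct.fido_keys:
        if not sess.fido_ok:
            raise Denied("security key required on this account")
        return True
    if not acct.sms_enabled or number not in acct.sms_numbers:
        raise Denied("SMS not enrolled for this number")
    send_sms(outbox, number)
    if read_code(number) != outbox[number]:
        raise Denied("wrong code")
    sess.sms_ok = True
    return True


def enroll_allowed(acct, sess):
    """Adding a factor is a privileged change: it needs the account's strongest
    enrolled factor, not just the password."""
    return sess.password_ok and (not acct.fido_keys or sess.fido_ok)


def strong_enroll_sms(acct, sess, number):
    if not enroll_allowed(acct, sess):
        raise Denied("strong authentication required to add a factor")
    acct.sms_numbers.add(number)
    acct.sms_enabled = True


def victim_account():
    # Constructed: two keys enrolled, Security Code off, as in the post.
    return Account(fido_keys={"key-1", "key-2"},
                   sms_numbers={"+15550001111"}, sms_enabled=False)


def attacker_attempt(login):
    """Attacker knows the password and owns +15559999999, but has no key.
    Returns True if the login flow grants access."""
    acct, sess, outbox = victim_account(), Session(password_ok=True), {}
    try:
        return login(acct, sess, outbox, "+15559999999", lambda n: outbox[n])
    except Denied:
        return False


if __name__ == "__main__":
    print("weak app policy grants access:", attacker_attempt(weak_app_login))
    print("strong policy grants access:", attacker_attempt(strong_app_login))
```

The point of the fixed version is that the factor policy lives with the account, not with whichever client happens to be logging in: a client that cannot do a security-key assertion gets a denial (the website's "call us" path), not a softer fallback. Whether a given site actually enforces this is exactly what the post's test with a second phone checks.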