Vanguard with Yubikey is pointless

tulak (joined Aug 18, 2007; 2,898 messages)
I know there are some members that use a Yubikey and possibly with Vanguard. I haven't seen this mentioned here, so I figured it's worth sharing. I experienced this myself and there's a long thread on Bogleheads where it's discussed.

I recently decided to up my security and ordered a couple of Yubikeys to play around with. Vanguard was one of the sites where I wanted to use Yubikeys. Setting this up was easy on Vanguard's website. I registered two Yubikeys with Vanguard and disabled Security Code, which is what Vanguard calls 2FA using a cellphone number.

Using the website, this works perfectly. There is no way to log in to Vanguard without using one of the Yubikeys. If you try to log in and don't have the Yubikey, then you're redirected to call Vanguard.

I then tried to log in to Vanguard using the iPhone app. This is where there's a major security hole. The app will tell you that you need to enable 2FA in order to log in. It then allows you to enable 2FA in the iPhone app. It gets better. It lists your currently registered phone numbers you can use, but it also allows you to enter a completely new phone number. I tried this with DS using his cell number. Sure enough, Vanguard texted him a 6-digit code, which after I entered, allowed me to access my Vanguard accounts and set up 2FA using his phone number. This entire process completely bypasses Yubikey.

This is a major security issue with Vanguard's implementation of using Yubikey with 2FA disabled.

To solve this problem, I re-enabled cellphone 2FA and use a Google Voice number. This avoids the problem where you're prompted to set up 2FA in the iPhone app. It's also safer than using a regular cellphone number.

This means it's pointless to use Yubikeys with Vanguard, since now you can bypass the Yubikey with a code sent to a cellphone number. It's a shame, since it seemed like a good solution. I can't believe that Vanguard botched it this badly.

Hopefully Vanguard will eventually fix this issue, but I'm skeptical. The thread on Bogleheads pointed out this issue in 2021.
 
Yubikeys have Bluetooth capabilities (iPhone / Android will “sense” it). Did you check with Vanguard to see if this functionality is available?

Net-net I agree, Yubikeys are a step back, but some additional food for thought.
 
Yubikeys have Bluetooth capabilities (iPhone / Android will “sense” it). Did you check with Vanguard to see if this functionality is available?

Net-net I agree, Yubikeys are a step back, but some additional food for thought.


This misses the point. I have a Yubikey NFC and if I use Safari on the iPhone, the Yubikey works fine.

The problem is that you bypass the Yubikey if you use the Vanguard iOS app, which only supports Security Codes (2FA using a cellphone number). In the worst case, if you disabled Security Codes because you’re using Security Keys (aka, a Yubikey), then you’ve opened up a major security hole because of Vanguard’s iOS app implementation. And there’s a good chance you don’t even know you’ve opened up this vulnerability, since everything works fine with the website.
 
Thank you for this! I enabled FIDO2 security key authorization with a "Yubikey-like" device earlier this year after the LastPass breach.

I have removed SMS 2FA as is the standard practice once a pair of security keys are registered.

I have verified that this appears to be a problem with the Android app as well. For months I have known that the Vanguard app will prompt me to reenable SMS security codes which I have avoided doing and just avoided Vanguard use on my phone.

My question today is this: Do you know if I re-enable security codes with MY phone number, will the app no longer offer to add an arbitrary SMS number?
--
edit:
I just reread your post above and it appears that this is indeed the case.
--
Although far from secure, having at least SMS 2FA required on my GV phone number is a big step up from having effectively no 2FA (i.e. where the bad guy can enter any number for SMS 2FA as described in your post).

Thanks
-gauss

p.s. Fidelity is now saying on their web site that additional security options are coming soon. If they have a good FIDO2 implementation along with their continued policies of no fees and the ability to household statements down to one, it may be time for me to leave Vanguard. The Vanguard FIDO2 implementation, up to now, was a competitive advantage for me.
 
This back-door weakness has been a known issue for a while, as you point out. This is why I never moved from SMS. SMS with a locked phone (SIM lock) may not be bulletproof, but short of moving from VG it is probably the best we can do - for now.
 
I would not call it useless, but Vanguard's insistence on using SMS codes also does water down the level of security.



Security has many levels. Each additional thing you do, even if not perfect, increases the level of tech smarts a bad guy needs to crack into your accounts. The trick is to make it so hard that they will go to another account that uses passwords like monkey123 and no 2FA at all.
 
^

Vanguard allows you to turn off SMS codes (which I did and is standard security practice) once I registered a couple of hardware security keys.

The grave flaw was that they would allow anyone to log in (who albeit had the password) without the hardware security key. There was no need to receive an SMS security code on a phone that had been previously set up.

Essentially, those of us who thought we were setting up the strongest 2FA security actually had NO 2FA security.

-gauss
 
^

Vanguard allows you to turn off SMS codes (which I did and is standard security practice) once I registered a couple of hardware security keys.

The grave flaw was that they would allow anyone to log in (who albeit had the password) without the hardware security key. There was no need to receive an SMS security code on a phone that had been previously set up.

Essentially, those of us who thought we were setting up the strongest 2FA security actually had NO 2FA security.

-gauss

I don't follow this. Anyone can log in without the SMS code even though 2FA is set up with SMS?
 
This back-door weakness has been a known issue for a while, as you point out. This is why I never moved from SMS. SMS with a locked phone (SIM lock) may not be bulletproof, but short of moving from VG it is probably the best we can do - for now.

How does a person know if their SIM is locked?
 
There is always a path of least resistance and unfortunately it is usually Customer Service. I have MFA (time-based code in app) set up at a broker and when I lost my phone and wanted to reinstall on a new phone, I got an agent who just needed my mother's maiden name to assist. So no matter how hard we may try, it just takes one lazy agent to bypass everything.
 
Well, this is all interesting, but quite honestly, I'd never heard of a YubiKey. I had to look it up. It actually looks like a good idea. No idea how it would interact with, for instance, Vanguard's own security.
 
I also use Yubikeys for a security feature for many sites including Vanguard. While I was aware that the Yubikey did not work for the iOS app, I was not aware of the SMS hole mentioned by the OP. In hindsight, I suppose I should have investigated it further at the time. I was just so disappointed in the failure of the iOS app to utilize the Yubikey that I didn't go any further with it after that discovery.

I have found very few iOS apps will utilize Security Key features at this time. I even found a couple of sites that will only allow one Security Key to be set up on them. How risky is that with no backup device? Security Keys have been in use for many years but apparently haven't been taken seriously by many sites. Banks appear to be the least interested in taking advantage of these hardware keys.

Edited to say I misspoke above when I said banks appear to be least interested. Modify that to read Financial Institutions in general.
 
I don't follow this. Anyone can log in without the SMS code even though 2FA is set up with SMS?


When a hardware security device (or two) is registered, the standard practice is to disable any SMS 2FA in that the hardware security device is designed to be much more secure than SMS 2FA.

Leaving SMS 2FA enabled would negate the security advantages of purchasing and setting up a hardware security device because the weaker SMS 2FA is still available.

Now the problem with Vanguard is that if you run with the normal configuration of a hardware security device and no SMS 2FA, then a person can log in (when using the various phone apps) WITHOUT the security hardware device!!! And an offer to enable SMS 2FA is made with a new phone number (if SMS 2FA is turned off).

Fortunately, turning SMS 2FA back on, which lowers the overall security when using a hardware security device, will prevent the bad guy from registering a new SMS phone number.

The grave flaw, IMHO, is that allegedly Vanguard should have been aware of the behavior of running with SMS disabled, but did not warn its customers.

-gauss
 
Well, this is all interesting, but quite honestly, I'd never heard of a YubiKey. I had to look it up. It actually looks like a good idea. No idea how it would interact with, for instance, Vanguard's own security.

And I also was not up on this a year ago -- but then the LastPass password manager lost all of their customers' records to a bad guy.

For several months LastPass couldn't say which fields were encrypted and which ones weren't in the stolen database. Previously I thought everything was encrypted. As such I did a deep dive into password/login security in the aftermath of this and discovered that Vanguard was now supporting Yubikeys (aka FIDO2 SMS).

-gauss
 
When a hardware security device (or two) is registered, the standard practice is to disable any SMS 2FA in that the hardware security device is designed to be much more secure than SMS 2FA.

Leaving SMS 2FA enabled would negate the security advantages of purchasing and setting up a hardware security device because the weaker SMS 2FA is still available.

Now the problem with Vanguard is that if you run with the normal configuration of a hardware security device and no SMS 2FA, then a person can log in (when using the various phone apps) WITHOUT the security hardware device!!! And an offer to enable SMS 2FA is made with a new phone number (if SMS 2FA is turned off).

Fortunately, turning SMS 2FA back on, which lowers the overall security when using a hardware security device, will prevent the bad guy from registering a new SMS phone number.

The grave flaw, IMHO, is that allegedly Vanguard should have been aware of the behavior of running with SMS disabled, but did not warn its customers.

-gauss

This sounds worse than doing SMS alone, to me.
 
^ I agree.
Most organizations will not let you log in without a security key if you've registered one and there is no other 2FA established. It appears that Vanguard has botched this.
 
T-Mobile is set up so that if a change is made to a SIM card, for example it gets installed in a new phone, I get a text message and an email. I have a family member on the plan with me and the member got a new phone earlier this year; my email and text lit up with messages about a new phone at this number. At first, I thought I was hit with a SIM SWAP but then remembered something the child said about wanting a new phone. So, no harm, no foul.
 
Thank you for this! I enabled FIDO2 security key authorization with a "Yubikey-like" device earlier this year after the LastPass breach.

I have removed SMS 2FA as is the standard practice once a pair of security keys are registered.

I have verified that this appears to be a problem with the Android app as well. For months I have known that the Vanguard app will prompt me to reenable SMS security codes which I have avoided doing and just avoided Vanguard use on my phone.

My question today is this: Do you know if I re-enable security codes with MY phone number, will the app no longer offer to add an arbitrary SMS number?
--
edit:
I just reread your post above and it appears that this is indeed the case.
--
Although far from secure, having at least SMS 2FA required on my GV phone number is a big step up from having effectively no 2FA (i.e. where the bad guy can enter any number for SMS 2FA as described in your post).

Thanks
-gauss

p.s. Fidelity is now saying on their web site that additional security options are coming soon. If they have a good FIDO2 implementation along with their continued policies of no fees and the ability to household statements down to one, it may be time for me to leave Vanguard. The Vanguard FIDO2 implementation, up to now, was a competitive advantage for me.

Happy to help.

And yes, once you have SMS 2FA set up, the app won't prompt you to add a new number. Having SMS 2FA appears to close the security hole.

My solution for Vanguard is to use a Google Voice number for SMS 2FA authentication and then use the Yubikey with Google. This way I get indirect protection using the Yubikey. I don't use the Yubikey at Vanguard, since it doesn't offer any extra protection.

I read a rumor that Fidelity will support Yubikey in 2024. They already support Symantec VIP and from what I read, they implemented it the right way. I happily use both Vanguard and Fidelity, but I think about consolidating. Maybe this will be enough of a reason?

I would not call it useless, but Vanguard's insistence on using SMS codes also does water down the level of security.

Security has many levels. Each additional thing you do, even if not perfect, increases the level of tech smarts a bad guy needs to crack into your accounts. The trick is to make it so hard that they will go to another account that uses passwords like monkey123 and no 2FA at all.

My take is that you're as secure as your weakest link. What's the point of setting up a Yubikey if you can always fall back to SMS 2FA?

That's why I think setting up a Yubikey with Vanguard is pointless.

I would be curious to know if my thinking here is wrong. I've spent a lot of time thinking about how to secure my accounts over the last couple of days and I can easily be missing something.
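The app login path gauss describes earlier in the thread and tulak's weakest-link argument, as an added toy model written for this page (not Vanguard's code; the account fields, request keys and strength labels are assumptions):

```python
# Added toy model of the two login paths this thread describes. Not Vanguard's
# code: account fields, request keys and labels are assumptions for illustration.
import copy
from dataclasses import dataclass

@dataclass
class Account:
    security_keys: list   # registered FIDO2 credential ids
    sms_numbers: list     # numbers enrolled for "Security Code" SMS
    sms_enabled: bool     # the Security Code toggle on the website

def flawed_app_path(acct, req):
    """Mobile-app behaviour reported in the thread: the app only knows SMS.
    With SMS disabled it enrols whatever number the caller types and sends
    the code there, so a registered hardware key is never demanded."""
    if not req["password_ok"]:
        return "deny"
    if not acct.sms_enabled:                  # the hole: enrol, then verify
        acct.sms_numbers.append(req["sms_number"])
        acct.sms_enabled = True
    if req["sms_number"] in acct.sms_numbers and req["sms_code_ok"]:
        return "allow"
    return "deny"

def hardened_path(acct, req):
    """Corrected policy: demand the strongest registered factor on every
    client, and never enrol a new factor before that factor is presented."""
    if not req["password_ok"]:
        return "deny"
    if acct.security_keys:
        ok = req.get("key_id") in acct.security_keys and req.get("assertion_ok")
        return "allow" if ok else "deny"
    if acct.sms_enabled:
        ok = req.get("sms_number") in acct.sms_numbers and req.get("sms_code_ok")
        return "allow" if ok else "deny"
    return "allow"                            # nothing registered: password only

def effective_factor(acct, path):
    """Weakest-link measure: the least a caller needs beyond the password to
    get 'allow' on this path. First a caller with only the password and a
    phone of their own, then one who can also read the victim's SMS."""
    own_phone = {"password_ok": True, "sms_number": "+1-555-0100",  # constructed
                 "sms_code_ok": True, "key_id": None, "assertion_ok": False}
    if path(copy.deepcopy(acct), own_phone) == "allow":
        return "password only"
    first = acct.sms_numbers[0] if acct.sms_numbers else None
    if path(copy.deepcopy(acct), dict(own_phone, sms_number=first)) == "allow":
        return "sms"
    return "security key"
```

With keys registered and SMS disabled, `effective_factor` reports "password only" on the flawed app path and "security key" on the hardened one; re-enabling SMS raises the flawed path only to "sms", which is the thread's point.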
 
https://www.reddit.com/r/personalfi...ads_up_vanguard_now_supports_securitykeyonly/


I just noticed this but apparently it's been this way since at least May. Before, you could register a physical security key (like Yubikey), but it would still let you get SMS codes to bypass the key, with no way to disable it. Which basically defeated the entire purpose.
However, now I noticed some additional security settings on the site. You can now disable "security codes" (sms codes) and only use a security key.
 
T-Mobile is set up so that if a change is made to a SIM card, for example it gets installed in a new phone, I get a text message and an email. I have a family member on the plan with me and the member got a new phone earlier this year; my email and text lit up with messages about a new phone at this number. At first, I thought I was hit with a SIM SWAP but then remembered something the child said about wanting a new phone. So, no harm, no foul.

I'm at T-Mobile and have the same protection, but I'm not 100% confident in T-Mobile's security. This is why I use a Google Voice number for SMS 2FA.

For Google Voice, I disabled the option to forward SMS to an e-mail address. If my e-mail is hacked/intercepted/redirected, then I don't want any codes in the e-mail. And it's easy enough to use the Google Voice app to get the text.
 
I’m confused on SIM lock. It seems like there are two types: on phone, and via the carrier. Which SIM lock are you referencing?
 
.....Hopefully Vanguard will eventually fix this issue, but I'm skeptical. The thread on Bogleheads pointed out this issue in 2021.

Poor policies on Vanguard's part. I turned off the SMS 2-factor online but didn't realize that the phone app would offer to turn it on, and even to an unknown phone number.
 
Poor policies on Vanguard's part. I turned off the SMS 2-factor online but didn't realize that the phone app would offer to turn it on, and even to an unknown phone number.


That’s the scary part. You think you did everything right and your account is more secure when in reality you made your account significantly weaker.
 