Vanguard with Yubikey is pointless

I noticed today it asked me to give them a phone number to send me a code. . . it should have had that number. . . but to be fair my account is in some sort of "freeze" and that might not be normal behavior. (Former employer transitioned some funds).
 
That’s the scary part. You think you did everything right and your account is more secure when in reality you made your account significantly weaker.

Yes. Convenience and Security are at opposite ends of the see-saw.
 
I then tried to login to Vanguard using the iPhone app. This is where there's a major security hole. The app will tell you that you need to enable 2FA in order to login. It then allows you to enable 2FA in the iPhone app. It gets better. It lists your currently registered phone numbers you can use, but it also allows you to enter a completely new phone number. I tried this with DS using his cell number. Sure enough, Vanguard texted him a 6 digit code, which after I entered, allowed me to access my Vanguard accounts and setup 2FA using his phone number. This entire process completely bypasses Yubikey.
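A toy model of the flow described in the post above, added here as an illustration; it is not Vanguard's code, and the account layout, the policy functions and the phone numbers are all assumed. The weak policy lets the client mint an SMS code for any number it supplies, so an enrolled security key is never consulted. The hardened policy accepts only factors already enrolled, refuses SMS altogether once a security key is on file, and treats adding a number as a change that itself has to pass the key. The same rule has to hold on every channel (web and mobile), which is the point the thread is making.

```python
# Added illustration of the login-policy weakness discussed above.
# Not Vanguard's code: the Account class, the policy functions and the
# phone numbers are constructed for this example.
import hmac
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    password: str  # plaintext only for the demo; real systems store a hash
    security_keys: set = field(default_factory=set)  # enrolled FIDO/U2F key ids
    sms_numbers: set = field(default_factory=set)    # enrolled SMS numbers


def weak_factor_allowed(acct: Account, factor_type: str, value: str) -> bool:
    """Flawed policy: after the password, an OTP may be sent to *any* phone
    number the client supplies, so the enrolled security key is never required."""
    if factor_type == "security_key":
        return value in acct.security_keys
    if factor_type == "sms":
        return True  # accepts a number that is not on the account
    return False


def strict_factor_allowed(acct: Account, factor_type: str, value: str) -> bool:
    """Hardened policy: only factors already enrolled on the account count, and
    SMS is not an accepted fallback once a security key is enrolled."""
    if factor_type == "security_key":
        return value in acct.security_keys
    if factor_type == "sms":
        return not acct.security_keys and value in acct.sms_numbers
    return False


def login(acct: Account, password: str, factor_type: str, value: str, policy) -> str:
    """Password check followed by the second-factor policy; returns a status string."""
    if not hmac.compare_digest(password.encode(), acct.password.encode()):
        return "denied: bad password"
    if not policy(acct, factor_type, value):
        return "denied: second factor not accepted"
    return "ok"


def add_sms_number(acct: Account, strong_factor_passed: bool, number: str) -> bool:
    """Enrolling a new SMS number is a privileged change: when a security key is
    enrolled, the session must already have passed that key."""
    if acct.security_keys and not strong_factor_passed:
        return False
    acct.sms_numbers.add(number)
    return True


if __name__ == "__main__":
    # Constructed account: security key enrolled, no SMS numbers at all.
    alice = Account("alice", "correct horse battery", security_keys={"yubikey-01"})
    unknown_phone = "+1-555-0100"  # a number never registered on the account
    pw = "correct horse battery"
    print("weak  :", login(alice, pw, "sms", unknown_phone, weak_factor_allowed))
    print("strict:", login(alice, pw, "sms", unknown_phone, strict_factor_allowed))
    print("strict:", login(alice, pw, "security_key", "yubikey-01", strict_factor_allowed))
```

The design choice worth noticing is in `strict_factor_allowed`: the check is not "is this factor valid" but "is this factor one the account already has, and is it the strongest class the account has enrolled". Without that second clause, the enrolment screen becomes a downgrade path.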


So it sounds like this is still a problem even if I don't use the mobile app (and have no interest in doing so), just the website. Or am I missing something?
 

Correct. It doesn’t matter if you use the app.

By disabling SMS 2FA, you open a security vulnerability with the app that a hacker can exploit.
 

But a hacker must still know/guess my password, correct?
 
Or potentially Phish it from you, which is one of the prime drivers for 2FA in the first place.

-gauss
 
It seems like security theater. People who are concerned about sim hijacking are offered something that seems more secure but actually is less secure.
 
Well, this is all interesting, but quite honestly, I'd never heard of a YubiKey. I had to look it up. It actually looks like a good idea. No idea how it would interact with, for instance, Vanguard's own security.

I had to use one to log in to w*rk. They were glitchy and annoying in the manner as to which my former employer set them up.
 
When I looked it up, it looked like a thumb drive or similar. Those things are glitchy sometimes too.
 
I haven't noticed any glitches using my Yubikeys and I do need to use them at times. While you can still have your PC or phone "remembered" so you don't need to utilize the Security Key every time you log into a site secured with one, I purposely don't let sites remember my laptop as I take it when traveling so it is subject to loss or theft.

That means every time I use my laptop to log into a site secured by my Security Key, I have to drag it out and plug it in. It's not that big of a deal and it has worked smoothly for me every time. My only issue is the poor implementation on some web sites and the fact iPhone apps rarely implement the Security Key feature.
 
But if your laptop was stolen, and no Yubikey, some sites would then offer to send an SMS text to your phone (which a smart thief will steal when stealing the laptop).

Some phones will show the text even when the phone is locked. :facepalm:
I know for my Android I had to tell it in settings to not display texts when the phone is locked.
 
They were thinner and didn't seem to fit in the slot properly. Have heard w*rk has quit using them in favor of phone something or other - IDK if it is an app or what.
 
Authenticator apps are great although I have never had any glitches with U2F keys. I guess you have to insert them the right way.
 
Yes, some sites will unfortunately offer the opportunity to use alternative 2 Factor identification methods which is why one of my major concerns is the poor implementation on some sites. Very similar to using the lost password procedure.

As to the phone stolen at the same time to allow stealing the SMS message, I use 1Password so have some pretty long and difficult passwords as I have no need to remember them myself. So, if someone stole my laptop and iPhone they would still need to know my User Name and password. If they can do all of that, they are pretty determined thieves. My accounts aren't worth all that effort other than my Vanguard accounts which is why I started using a Security Key in the first place.

I don't keep a Yubikey installed in my laptop although there are some Security Keys made that are low profile so they can be left inserted at all times. Some sites require my Yubikey PIN as well as a touch in order to access them. Implementation appears to be all over the map.
 
I also use the Authenticator app in 1Password whenever possible to reduce reliance on SMS messages for 2FA but again, some sites don't work well or at all with them. I use the app in 1Password so I'm not locked out of my accounts if I lose a phone as I can use any laptop, PC or phone (doesn't even have to be mine) to gain access to my accounts. I "just" need my passphrase and my 25 digit Emergency Kit code or I can simply use my Apple watch.
 
I have been using the online code generators. Sync your app on a device to generate the 30 to 60 second code. Cut/paste to login, in addition to the usual stuff.

Only issue is that code generation app is unique to one device. You have to have that device to login.

I have been debating merits of using a hardware key, not sure I can sync it with my automated login/pw generation application.
 
I'm at T-Mobile and have the same protection, but I'm not 100% confident in T-Mobile's security. This is why I use a Google Voice number for SMS 2FA.

For Google Voice, I disabled the option to forward SMS to an e-mail address. If my e-mail is hacked/intercepted/redirected, then I don't want any codes in the e-mail. And it's easy enough to use the Google Voice app to get the text.

Harry Sit recommends exactly what you are doing with Google Voice. No forwarding to email etc.

I wouldn't bank on T-Mobile PIN codes since when I called last week they were happy to substitute the last 4 of my SSN.

There is some discussion on Harry's blog about this and back end issues at companies https://thefinancebuff.com/secure-email-password-reset-wire-fraud.html
 