I noticed today it asked me to give them a phone number to send me a code... it should have had that number... but to be fair my account is in some sort of "freeze" and that might not be normal behavior. (Former employer transitioned some funds.)
That’s the scary part. You think you did everything right and your account is more secure when in reality you made your account significantly weaker.
I then tried to log in to Vanguard using the iPhone app. This is where there's a major security hole. The app will tell you that you need to enable 2FA in order to log in. It then allows you to enable 2FA in the iPhone app. It gets better. It lists your currently registered phone numbers you can use, but it also allows you to enter a completely new phone number. I tried this with DS using his cell number. Sure enough, Vanguard texted him a 6-digit code, which, after I entered it, allowed me to access my Vanguard accounts and set up 2FA using his phone number. This entire process completely bypasses the YubiKey.
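The failure the post above describes is a policy problem in factor enrollment: a session that has proven only the password is allowed to add a brand-new SMS number, so whoever has the password can mint their own second factor and the security key never comes into play. The following toy model is an added example (not Vanguard's code or anything from this thread); the account data, factor labels, and both policies are constructed for illustration. It contrasts the weak rule with a hardened one that requires a step-up with the account's strongest existing factor before any new factor can be added.

```python
"""Toy model of a second-factor enrollment policy (added example, not Vanguard's code).

Weak policy: a password-only session may enroll a new factor, so an attacker who
knows the password can add their own phone and receive the SMS code.
Hardened policy: adding a factor first requires proving the strongest factor
already on file (here, a security key). Accounts, labels and policies are
constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Strength(IntEnum):
    """Ordered so that max() picks the strongest enrolled factor."""
    PASSWORD = 0
    SMS = 1
    SECURITY_KEY = 2


class EnrollmentError(Exception):
    pass


@dataclass
class Account:
    password: str
    factors: dict = field(default_factory=dict)  # factor label -> Strength


@dataclass
class Session:
    verified: set = field(default_factory=set)  # Strength levels proven in this session


def strongest_enrolled(acct: Account) -> Strength:
    # An account with no second factor has only its password to offer.
    return max(acct.factors.values(), default=Strength.PASSWORD)


def login_password(acct: Account, session: Session, password: str) -> None:
    if password != acct.password:
        raise PermissionError("bad password")
    session.verified.add(Strength.PASSWORD)


def step_up(acct: Account, session: Session, label: str) -> None:
    """Record completion of an already-enrolled factor (OTP/assertion checked upstream)."""
    session.verified.add(acct.factors[label])


def enroll_factor_weak(acct: Account, session: Session, label: str, strength: Strength) -> None:
    """Vulnerable policy: the password alone is enough to add a new factor."""
    if Strength.PASSWORD not in session.verified:
        raise EnrollmentError("log in first")
    acct.factors[label] = strength


def enroll_factor_hardened(acct: Account, session: Session, label: str, strength: Strength) -> None:
    """Adding a factor requires a step-up with the strongest factor already on file.
    A fresh account with no factors can still enroll its first one with just the password."""
    if Strength.PASSWORD not in session.verified:
        raise EnrollmentError("log in first")
    required = strongest_enrolled(acct)
    if required > Strength.PASSWORD and required not in session.verified:
        raise EnrollmentError(f"step-up with {required.name} required before enrolling")
    acct.factors[label] = strength


def attacker_adds_phone(enroll) -> bool:
    """The post's scenario: attacker knows the password, victim has only a security key.
    Returns True if the attacker's phone ends up enrolled under the given policy."""
    victim = Account(password="correct horse", factors={"yubikey": Strength.SECURITY_KEY})
    s = Session()
    login_password(victim, s, "correct horse")
    try:
        enroll(victim, s, "attacker-phone", Strength.SMS)
    except EnrollmentError:
        return False
    return "attacker-phone" in victim.factors


def owner_adds_phone_after_step_up() -> bool:
    """Legitimate owner taps the key first, then the hardened policy lets them add a phone."""
    victim = Account(password="correct horse", factors={"yubikey": Strength.SECURITY_KEY})
    s = Session()
    login_password(victim, s, "correct horse")
    step_up(victim, s, "yubikey")
    enroll_factor_hardened(victim, s, "my-phone", Strength.SMS)
    return "my-phone" in victim.factors


if __name__ == "__main__":
    print("weak policy, attacker enrolled:", attacker_adds_phone(enroll_factor_weak))          # True
    print("hardened policy, attacker enrolled:", attacker_adds_phone(enroll_factor_hardened))  # False
    print("hardened policy, owner after step-up:", owner_adds_phone_after_step_up())           # True
```

The check worth taking away is the comparison in `enroll_factor_hardened`: the factor that gates enrollment is the strongest one the account already has, not whichever one the client happens to offer. Under that rule, disabling SMS on an account that holds a security key leaves no password-only path to adding a new phone.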
So it sounds like this is still a problem even if I don't use the mobile app (and have no interest in doing so), just the website. Or am I missing something?
Correct. It doesn’t matter if you use the app.
By disabling SMS 2FA, you open a security vulnerability with the app that a hacker can exploit.
But a hacker must still know/guess my password, correct?
Well, this is all interesting, but quite honestly, I'd never heard of a YubiKey. I had to look it up. It actually looks like a good idea. No idea how it would interact with, for instance, Vanguard's own security.
I had to use one to log in to w*rk. They were glitchy and annoying in the way my former employer set them up.
I haven't noticed any glitches using my Yubikeys and I do need to use them at times. While you can still have your PC or phone "remembered" so you don't need to utilize the Security Key every time you log into a site secured with one, I purposely don't let sites remember my laptop as I take it when traveling so it is subject to loss or theft.
That means every time I use my laptop to log into a site secured by my Security Key, I have to drag it out and plug it in. It's not that big of a deal and it has worked smoothly for me every time. My only issue is the poor implementation on some web sites and the fact iPhone apps rarely implement the Security Key feature.
When I looked it up, it looked like a thumb drive or similar. Those things are glitchy sometimes too.
But if your laptop was stolen, and no Yubikey, some sites would then offer to send an SMS text to your phone (which a smart thief will steal when stealing the laptop).
Some phones will show the text even when the phone is locked.
I know for my Android I had to tell it in settings not to display texts when the phone is locked.
I'm at T-Mobile and have the same protection, but I'm not 100% confident in T-Mobile's security. This is why I use a Google Voice number for SMS 2FA.
For Google Voice, I disabled the option to forward SMS to an e-mail address. If my e-mail is hacked/intercepted/redirected, then I don't want any codes in the e-mail. And it's easy enough to use the Google Voice app to get the text.