Anyone Use a U2F Security Key?

TromboneAl

I ordered one of these for two reasons:

1. Someone in a book I'm writing uses one, and I want to have a feeling for how it works.

2. I'm paranoid about someone accessing my Vanguard account. Once someone tried to log in to it. The reps and I concluded that it was a result of someone having a login name that was similar to mine, but still, that woke me up.

When I get the key, I'm going to attach it to my Vanguard account.

 
A randomized login for account name is much better than what you are using. That is what I choose to use for accounts that allow this.
 
I personally have never tried such a thing, and I think the decent answer these days is two-tier authentication. I am kinda curious as to why security certificates aren't really a thing. When I was still in the AF, we used our ID card (called a common access card and had a chip in it) to access all government related accounts/applications. It was simple...you put your card into the reader and then you put in a 6-8 digit PIN and PRESTO you gained access to ALL THE SITES. I am not sure why this can't be used with private applications/websites... I would love to be able to do that.
 
I have 2 that I use for Vanguard, Google, Facebook. I have my Chromebook set up to log on with, along with username and password.
 
For reference:
https://en.wikipedia.org/wiki/Common_Access_Card

CAC card is so great, it is being replaced:
https://defensesystems.com/articles/2018/05/16/cac-disa-replacement.aspx

The support cost for a gov't solution must be up there. Replace it with something cheaper, and watch the cost skyrocket.

Symantec VIP works well. It's MFA. Schwab provided a token to me. Software app is available too.
https://vip.symantec.com/
 
Everyone would need that 6-digit number tattooed onto themselves (or the gaps we need to account for, think POA).

On top of that, everyone would need some way to tie this to their identity. Passwords are going away and 2-factor is just the beginning.

The CIA has been working on some things that will be in the public domain in the next couple of years. :cool:
 
Note that even if you set up a U2F security key on your Vanguard account, it can be bypassed.

https://www.bogleheads.org/forum/viewtopic.php?t=234202

Yes, interesting thread. The gist of it is that Vanguard's policy is that if you don't have or lose your key, then they will send you the code via SMS.

Because of that, it's no more secure than using the standard SMS 2-factor security.

It is slightly more convenient, and if VG would have more consequences of not having your key, it would be more secure.

My key came today, but I can't implement it with VG until my new Tracfone phone that actually has coverage at my house arrives (tomorrow).

In the book, the key is just an excuse for a heist. The good guys can't get to the bad guys' data without a key, so they have to break in and find it.
 
I have never heard of a U2F key.

I do collect OTP QR scans for my authenticator app. My count now is up to 11 with one for Kickstarter as my most recent add.
 
I use Yubikey. I wish all the sites had the option, at least as I understand the extra security it is supposed to provide. Although not as OP describes Vanguard's implementation.
 
I use Yubi Key but it's not supported on all the sites I would like it to support. I'm a Tracfone guy too. What type of phone did you order? I'm due a new phone as well.
 
Never heard of the U2F, but I use the Symantec VIP app on my phone for a couple of sites (Fidelity and USAA). That has worked well for me.
We used them at Megacorp. Of course there's always a back door.
 