Beware of Vanguard's "restrict access from unrecognized devices" setting

Sojourner

Just a heads up for fellow Vanguard users. I recently enabled the "restrict access from unrecognized devices" security feature in my accounts. Seemed like a good way to add an additional layer of security. I typically only ever use my desktop web browser or my laptop browser to log into Vanguard, so I figured those two "recognized" browsers would continue to work normally for me, which was just what I wanted.

Well... turns out this "feature" isn't quite ready for prime time. I was able to log into Vanguard from my desktop exactly once after I turned the setting on (about a week ago). This morning, however, every time I tried to log in from either of the supposedly good/recognized web browsers, my logins failed with the message "We don't recognize this computer or device." After trying all manner of workarounds to get the Vanguard site to recognize the browsers, I ended up having to dig around on the site to find a telephone support number (it's pretty well hidden), call, and finally get the setting reversed so that I could log in.

It's pretty mind-boggling that a security feature like this could be rolled out to the public in such a buggy state. My environment is very "plain vanilla", so I'd think that my exact configuration (OS, browser version, etc.) would certainly have been high on the list of important ones to thoroughly test. Guess not.

Anyway, TLDR: Save yourself the hassle and don't enable this feature until they fix it.
 
This was prominently displayed in the screen describing this feature

Keep in mind that if you select "Restrict unrecognized computers, browsers, aggregation service, or mobile devices from accessing my accounts," you won't be able to access your accounts from new locations or a new computer or device because they won't be recognized. Also, if you change browsers or delete cookies or offline content, your computer may become unrecognized. To access your accounts using an unrecognized device, you'll need to disable this feature from a recognized device.
 
I’ve had this feature on for years. If Vanguard doesn’t recognize my computer they call my landline and give me a code, 6 digits I think, to enable me to log in. An update to the browser may cause Vanguard to not recognize the device or a change in IP address. Sometimes no reason at all.
 
I’ve had this feature on for years. If Vanguard doesn’t recognize my computer they call my landline and give me a code, 6 digits I think, to enable me to log in. An update to the browser may cause Vanguard to not recognize the device or a change in IP address. Sometimes no reason at all.

That's a different feature where it uses the additional layer of authentication for the unrecognized device. I've been using that one as well, and it sends me the text to get authenticated from an unrecognized device. The feature mentioned in this thread says, "To access your accounts using an unrecognized device, you'll need to disable this feature from a recognized device."
 
This was prominently displayed in the screen describing this feature

Thanks, I'm well aware of that. The problem is that I did nothing to cause my previously recognized browsers to become "unrecognized", and therefore I was completely locked out of my Vanguard accounts for no apparent reason. And my overall point was that Vanguard did not test the feature adequately if it's this easy (and common, undoubtedly) to have browsers/devices become unrecognized.
 
The feature mentioned in this thread says, "To access your accounts using an unrecognized device, you'll need to disable this feature from a recognized device."

Exactly, and therein lies the problem. Both of the browsers I'd been using to log into Vanguard routinely, prior to activating this feature, suddenly became "unrecognized" today, about a week after I enabled it. Pretty clearly some sort of bug in their system, IMHO. I was a web developer for many years in my w*rking days, so I'm no slouch when it comes to understanding the behind-the-scenes details of how this kind of stuff works. I'm certain I didn't do anything (especially to two different browsers on two different computers) that should have caused Vanguard to suddenly not recognize them.
 
Vanguard must use fast-exploding cookies. I go through security, check the box during the 2FA saying this is a private computer and will be used again… and routinely a couple of days later it isn’t recognized and I have to get the text with a code again. It’s a hassle…but so is having an account compromised so I’ve just sucked it up.
 
Thanks, I'm well aware of that. The problem is that I did nothing to cause my previously recognized browsers to become "unrecognized", and therefore I was completely locked out of my Vanguard accounts for no apparent reason. And my overall point was that Vanguard did not test the feature adequately if it's this easy (and common, undoubtedly) to have browsers/devices become unrecognized.

The warning seems to imply that one can only use one browser, unless I am reading it incorrectly.
 
Thanks for the heads up! I've had similar problems with Vanguard before, but not to that level of severity. In my case, I think I may have either used an 'incognito' mode, run a virus scan to clean some tracking cookies, etc. A couple of times, it has seemed to work during the day, but once powered down I've had to start over. Hasn't risen to the level of me trying to take my time to contact them and/or debug their stuff. May well be a design problem and/or poor documentation regarding how strict it is.
 
Vanguard must use fast-exploding cookies. I go through security, check the box during the 2FA saying this is a private computer and will be used again… and routinely a couple of days later it isn’t recognized and I have to get the text with a code again.

That happens here too so you're not the only one.
 
This might be related:

I only log in to Vanguard using 2FA from my home computer, with Safari, & whenever I do VG asks "Remember this device?" & asks me to check either:

--Yes, I plan to log in from this device in the future
OR
--No, this is a public or shared device.

Though I always check the first option, they continue to ask that question every single time I log in & it's a little annoying. Why ask?? It doesn't seem to make any difference since they don't seem to remember my computer anyway.

EDITED TO ADD: Yup, just saw the preceding posts noting this & see I'm not the only one. "Fast-exploding cookies" is an interesting concept!
 
Vanguard must use fast-exploding cookies. I go through security, check the box during the 2FA saying this is a private computer and will be used again… and routinely a couple of days later it isn’t recognized and I have to get the text with a code again. It’s a hassle…but so is having an account compromised so I’ve just sucked it up.

Yeah, I have noticed that kind of behavior too, from time to time. Fast-exploding cookies are not bad, in and of themselves, but they're very bad when coupled with something like "block all login access from unrecognized devices". Hopefully Vanguard developers aren't that dense.

The warning seems to imply that one can only use one browser, unless I am reading it incorrectly.

I don't read it that way. I think a "recognized" device is one you've used to successfully log in and you checked the box that says "Remember this device" or something to that effect.
 
Thanks for the warning! Usually I add whatever new security feature I notice. I always 2 factor in with a security key for either of my 2 devices. I turned off text 2 factor and I think I have enough security for now.
 
Vanguard enabled the code entry on my account without me wanting to do it...


I get maybe one extra time for them remembering my computer but it always goes back to the code... I want to disable...


It is a pain when I want to get into my sister's account to do something... I have to call her and let her know when I am doing it and then wait for the code... a real pain...
 
It is a pain when I want to get into my sister's account to do something... I have to call her and let her know when I am doing it and then wait for the code... a real pain...

At Vanguard you should be able to submit a form to enable "Agent Authorization" which will allow you to act in your sister's behalf. I haven't done it but believe it should enable you to log in on separate credentials which should alleviate this issue. Again, haven't done it myself so making a large assumption here as far as the separate credentials.
 
At Vanguard you should be able to submit a form to enable "Agent Authorization" which will allow you to act in your sister's behalf. I haven't done it but believe it should enable you to log in on separate credentials which should alleviate this issue. Again, haven't done it myself so making a large assumption here as far as the separate credentials.

I have this authorization for DW's Vanguard account. I log into my account with my credentials and can also see and act on her accounts, no need for me to log in with her credentials.
 
At Vanguard you should be able to submit a form to enable "Agent Authorization" which will allow you to act in your sister's behalf. I haven't done it but believe it should enable you to log in on separate credentials which should alleviate this issue. Again, haven't done it myself so making a large assumption here as far as the separate credentials.

With Agent Authorization you will see the other person's accounts when you log in as yourself. Both sets of accounts will show up. No need to log in under the other person's credentials. However, there are a couple levels of authorizations. The Full Authorization allows the greatest capability, though there are 1 or 2 non-typical things it won't allow you to do.
 
@Sojourner Did you have VPN enabled?
 
With Agent Authorization you will see the other person's accounts when you log in as yourself. Both sets of accounts will show up. No need to log in under the other person's credentials. However, there are a couple levels of authorizations. The Full Authorization allows the greatest capability, though there are 1 or 2 non-typical things it won't allow you to do.

We have this and had to fill out the form online, print it, take it to a notary public, have 2 witnesses, and send that back in by snail mail. It was a hassle but understood. DH/me can see and act on all our accounts including buying, selling, and deposits to our checking accounts. We trust each other, I'm 99.99% sure about that :LOL:
 
@Sojourner Did you have VPN enabled?

I do use VPN from time to time (especially on my laptop while traveling), but when I enabled the "restrict access" setting I made sure I wasn't using it. Plus, the fact that both of the browsers on both of the computers I used became "unrecognized" after I enabled the setting makes me think it's just a buggy, poorly tested feature. The Vanguard developers should know that static IP addresses aren't guaranteed for the vast majority of end users, so a simple change in IP address should not be enough to completely lock someone out of their Vanguard accounts.
 
I have this authorization for DW's Vanguard account. I log into my account with my credentials and can also see and act on her accounts, no need for me to log in with her credentials.

Yes; it is likely a violation of the online terms with Vanguard if someone is using another person's credentials to access the account.

There have also been many cases where VG will not honor a traditional POA and require an agency authorization for POA holders.
 
At Vanguard you should be able to submit a form to enable "Agent Authorization" which will allow you to act in your sister's behalf. I haven't done it but believe it should enable you to log in on separate credentials which should alleviate this issue. Again, haven't done it myself so making a large assumption here as far as the separate credentials.


I could, but I do not do that much with my sister's account... not worth the trouble...
 
I could, but I do not do that much with my sister's account... not worth the trouble...

Just be aware that if something happens, they can refuse to honor their terms since the account security policy has been violated. Maybe it is a small chance but why risk it.
 
Exactly, and therein lies the problem. Both of the browsers I'd been using to log into Vanguard routinely, prior to activating this feature, suddenly became "unrecognized" today, about a week after I enabled it. Pretty clearly some sort of bug in their system, IMHO. I was a web developer for many years in my w*rking days, so I'm no slouch when it comes to understanding the behind-the-scenes details of how this kind of stuff works. I'm certain I didn't do anything (especially to two different browsers on two different computers) that should have caused Vanguard to suddenly not recognize them.

Right, I too have a bit of time doing development under my belt. What strikes me is that the page offering this setting doesn't explain how you get it if you DO pick that option. It looks like, as you've found out, it is an additional layer on top of MFA. ...But that page should explain then how you log in the first time from an UNtrusted device.
 
I do use VPN from time to time (especially on my laptop while traveling), but when I enabled the "restrict access" setting I made sure I wasn't using it. Plus, the fact that both of the browsers on both of the computers I used became "unrecognized" after I enabled the setting makes me think it's just a buggy, poorly tested feature. The Vanguard developers should know that static IP addresses aren't guaranteed for the vast majority of end users, so a simple change in IP address should not be enough to completely lock someone out of their Vanguard accounts.

I have zero IT or dev experience, other than from the consumer side, but I can tell you that if you're on the Windows platform and both your computers receive automatic security or version updates, that will often create this issue. Same for browser updates like Chrome.

Windows just released their monthly update this past week: different brokerage, but this used to happen to me after an update. Finally had to disable.
 