vanguard lowered security of a usb key by allowing alternate logon

Discussion in 'privacy technology' started by paranoidbrowsing, Oct 19, 2019.

  1. paranoidbrowsing

    paranoidbrowsing Registered Member

    Joined:
    May 10, 2011
    Posts:
    8
    I was just reading Vanguard's (investment broker) 2FA options and was happy to see it supports Yubico keys, until I saw the following page that says if you don't have your security key, you can still log on using the security-code method (Vanguard texts a code to your phone, which you then enter into their site).

    I thought one major advantage of using a hardware key is to prevent SIM hijack. By allowing users to log on using a security code, doesn't it just totally destroy this advantage? Or maybe I'm not understanding how this works.

    https://investor.vanguard.com/security/security-keys
     
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,802
    Location:
    UK
    Yes, you're right to be concerned; attackers have succeeded in account take-over by forcing various account recovery mechanisms or alternative login mechanisms which are pitifully insecure, like SMS or email.

    A lot of financial providers in the UK have been introducing text code verifications to mobile phones, which is fairly rubbish, and not even attempting proper 2FA (going upwards from TOTP to U2F and FIDO2).

    My opinion is that the only decent mechanism is the use of FIDO and a one-time pad you keep paper records of, for recovery purposes. For local client accounts I use a Yubikey and a shorter password, but also have an admin account with a long, strong password (not 2FA), which allows recovery in case of key loss.
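    The weakest-link point made in the two posts above, as an added example that is not part of the thread: an attacker picks whichever login or recovery path is easiest, so an account only resists a given attack if every path the site accepts resists it. The threat labels and the per-method resistance table are simplified assumptions for illustration, not a description of Vanguard's actual implementation.

```python
from typing import Dict, FrozenSet, Iterable, List

# Assumed, simplified attacker capabilities used for this illustration.
SIM_SWAP = "sim_swap"
PHISHING = "phishing"
PASSWORD_REUSE = "password_reuse"
MAILBOX_TAKEOVER = "mailbox_takeover"
ALL_THREATS = frozenset({SIM_SWAP, PHISHING, PASSWORD_REUSE, MAILBOX_TAKEOVER})

# Which capabilities each accepted login/recovery path still defends against
# (assumptions; e.g. SMS codes fall to SIM swap and to real-time phishing,
# TOTP resists SIM swap but is still phishable, FIDO2 binds the challenge
# to the origin so a phishing proxy cannot replay it).
RESISTS: Dict[str, FrozenSet[str]] = {
    "password_only": frozenset(),
    "sms_code": frozenset({PASSWORD_REUSE}),
    "email_code": frozenset({PASSWORD_REUSE, SIM_SWAP}),
    "totp": frozenset({PASSWORD_REUSE, SIM_SWAP, MAILBOX_TAKEOVER}),
    "paper_recovery_codes": frozenset({PASSWORD_REUSE, SIM_SWAP, MAILBOX_TAKEOVER}),
    "fido2_key": ALL_THREATS,
}


def effective_resistance(enabled_paths: Iterable[str]) -> FrozenSet[str]:
    """Capabilities the account resists given EVERY path the site will accept.

    The intersection models the attacker choosing the weakest accepted path:
    adding a fallback can only shrink this set, never grow it.
    """
    result = ALL_THREATS
    for path in enabled_paths:
        result &= RESISTS[path]
    return result


def exposed_paths(enabled_paths: Iterable[str], threat: str) -> List[str]:
    """Accepted paths that an attacker with this capability could use."""
    return sorted(p for p in enabled_paths if threat not in RESISTS[p])


if __name__ == "__main__":
    key_only = ["fido2_key"]
    key_plus_sms = ["fido2_key", "sms_code"]          # the fallback in question
    key_plus_paper = ["fido2_key", "paper_recovery_codes"]
    print("key only        :", sorted(effective_resistance(key_only)))
    print("key + SMS       :", sorted(effective_resistance(key_plus_sms)))
    print("key + paper codes:", sorted(effective_resistance(key_plus_paper)))
    print("SIM-swap exposure:", exposed_paths(key_plus_sms, SIM_SWAP))
```

Running it shows that enabling the SMS fallback removes SIM-swap (and phishing) resistance from an otherwise key-protected account, while a paper recovery code keeps SIM-swap resistance as the second poster suggests.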
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,126
    Location:
    The Netherlands
    Very cool that they are offering this! But the way I understood it is that you simply must never log in from a non-registered device, so this also means you don't need to have a security code. So hackers will not be able to log in to your account without the Yubico key.
     