This is a little crazy. I can stop someone from logging into my web email account because it requires a 6-digit code that changes every 30 seconds (Gmail 2-step verification), but I can’t stop someone from logging into my Vanguard account if they got my user name and password.
Some places ask those stupid security questions. What’s your favorite blah? My favorite changes. What was my favorite when I signed up ten years ago? What’s the first name of your maternal grandfather? None of your business! Where should I keep a list of all the answers I made up for each place?
Fortunately, some companies have better sense. They do it the right way by offering security tokens for 2-factor authentication.
E*Trade has been offering the security token for at least 10 years. Nowadays you can also get the token on your mobile phone or computer. Just fire up a VeriSign/Symantec app and you will have your code. You add the 6-digit code to the end of your password when you log in.
More info from E*Trade:
Schwab also offers free security tokens to its customers. It’s also from VeriSign/Symantec.
Although Schwab doesn’t show the mobile or desktop app option on its website, I bet the same free Symantec VIP Access app also works.
More info from Schwab: use a token.
Fidelity offers free soft tokens using the Symantec VIP Access app. If the rep you speak to isn’t familiar with this, ask for “Electronic Channel Support” or mention “extra login security.”
After you install the Symantec VIP Access app, Customer Service will link your security token ID to your account.
Unlike E*Trade, you don’t append the code to the end of your password. You log in as usual and then you are prompted for the code on the next page.
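To make the appended-code style of login concrete, here is an added example (not from this post, E*Trade, or Symantec) of how a server could check a single field holding the password followed by the 6-digit code. It assumes the code is a standard RFC 6238 time-based code with a 30-second step; the account record, function names, and sample password are hypothetical.

```python
import hashlib, hmac, os, struct

STEP, DIGITS = 30, 6  # 30-second, 6-digit codes (assumed RFC 6238 parameters)

def totp(secret: bytes, now: float) -> str:
    """RFC 6238 code (HMAC-SHA1) for the time step that contains `now`."""
    counter = struct.pack(">Q", int(now // STEP))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_account(password: str, secret: bytes) -> dict:
    """Hypothetical account record: salted password hash plus token secret."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "secret": secret, "last_step": -1}

def split_credential(field: str):
    """Appended style: the last six characters are the code, the rest the password."""
    code = field[-DIGITS:]
    if len(field) <= DIGITS or not (code.isascii() and code.isdigit()):
        return None
    return field[:-DIGITS], code

def verify_login(field: str, account: dict, now: float, window: int = 1) -> bool:
    """True only when both the password and a fresh, unused code are valid."""
    parts = split_credential(field)
    if parts is None:
        return False
    password, code = parts
    pw_ok = hmac.compare_digest(
        hash_password(password, account["salt"]), account["pw_hash"])
    current, matched = int(now // STEP), None
    # Accept the previous, current and next step to tolerate clock drift.
    for step in range(current - window, current + window + 1):
        if hmac.compare_digest(totp(account["secret"], step * STEP), code):
            matched = step
    # Check both factors before answering, and refuse a code already used.
    if not pw_ok or matched is None or matched <= account["last_step"]:
        return False
    account["last_step"] = matched
    return True
```

The two-page style of login runs the same two checks, only with the code arriving in its own field instead of being split off the end of the password.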
One Token Does It All
If you have accounts at more than one place, you can register the same token ID with all places. I’m not a security expert. I don’t see much risk in doing so. Symantec tells you how to do that. I take it to mean it’s OK.
Vanguard doesn’t use a hardware token or a mobile app token. You can have it send you a code by text message. If you don’t have or like text messages, you can get a Google Voice number. Text messages sent to the Google Voice number will show up in the Google Voice app.
To enroll, click on My Account -> Account Maintenance. Then scroll down and look for “Security Code” on the right hand side.
What About Others?
Why don’t more financial institutions offer 2-factor authentication with security tokens?
There’s clearly a cost involved. Symantec says this about its service:
Symantec Validation and ID Protection Service is priced as a service, with customers subscribing on either a per-user or a per-transaction basis. Customers can choose to pay based on either the number of active users each month, a specified number of users for a year, or the monthly volume of validation transactions. Customers have the option of deploying hardware tokens at an additional cost per token.
Then there’s customer service cost in resetting lockouts or lost tokens. That’s why none of the companies offer the token as default. You get it only if you care enough about security.
If you have accounts at Fidelity, Schwab, E*Trade, or Vanguard, get the free hardware token, use the free mobile or desktop app, or enroll to receive random codes by text message.
[Photo credit: Flickr user Edwin Sarmiento]