This is a little crazy. I can stop someone from logging into my web email account because it requires a 6-digit code that changes every 30 seconds (Gmail 2-step verification), but I can’t stop someone from logging into my Vanguard account if they got my user name and password.
Some places ask those stupid security questions. What’s your favorite blah? My favorite changes. What was my favorite when I signed up ten years ago? What’s the first name of your maternal grandfather? None of your business! Where should I keep a list of all the answers I made up for each place?
Fortunately some companies have better sense. They do it the right way by offering security tokens for 2-factor authentication.
E*Trade has been offering the security token for at least 10 years. Nowadays you can also get the token on your mobile phone or computer. Just fire up the VeriSign/Symantec VIP Access app and you will have your code. You add the 6-digit code to the end of your password when you log in.
More info from E*Trade:
Schwab also offers free security tokens to its customers. It’s also from VeriSign/Symantec.
Although Schwab doesn’t show the mobile or desktop app option on its website, I bet the same free Symantec VIP Access app also works.
More info from Schwab: use a token.
Fidelity doesn’t advertise security tokens on its website, but if you call customer service, they will tell you how to do it. If the rep you speak to isn’t familiar with this, ask for “Electronic Channel Support” or call the number shown in the screenshot below.
Like Schwab and E*Trade, Fidelity also uses Symantec. You can get either a physical token or just use the free Symantec VIP Access mobile or desktop app. Customer Service will give you a special toll-free number to call. The rep there will link your security token to your account.
Unlike at E*Trade, you don’t append the code to the end of your password. You log in as usual and then you are prompted for the code on the next page.
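To make concrete what the token is actually doing, here is an added example of my own (not code from this post, from E*Trade, Fidelity or Symantec) of the standard RFC 6238 time-based one-time password: a 6-digit code derived from a shared secret and the current 30-second time step, plus the server-side check that accepts one step of clock skew and refuses to accept the same time step twice. It also shows the E*Trade-style split of a password with the code appended to it, versus checking the code on its own as Fidelity does. Assumptions: the Symantec VIP credential is modeled as a plain TOTP secret (its provisioning protocol is out of scope here); the secret is the published RFC 6238 test seed and the password `hunter2` is a made-up sample.

```python
import hmac
import hashlib
import struct

# Added example; not the original post's code nor Symantec's implementation.
# The token (hardware or app) and the validation service share a secret and
# a clock; both compute the same 6-digit code for the current 30-second step.

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to 31 bits, then reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side of the check. `window` is how many 30-second steps of clock
    drift to tolerate in each direction. A step that has already produced an
    accepted code is never accepted again, so a captured code cannot be replayed
    within the same 30 seconds."""

    def __init__(self, secret: bytes, window: int = 1) -> None:
        self.secret = secret
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            step = now_step + delta
            if step <= self.last_accepted_step:
                continue                             # replay protection
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


def split_password_and_code(submitted: str) -> tuple:
    """E*Trade-style login: the 6-digit code is typed right after the password.
    The server peels off the trailing 6 digits before checking either factor.
    Returns (password, code); raises if there is no trailing 6-digit code."""
    if len(submitted) <= DIGITS or not submitted[-DIGITS:].isdigit():
        raise ValueError("expected a %d-digit code appended to the password" % DIGITS)
    return submitted[:-DIGITS], submitted[-DIGITS:]


def login_with_appended_code(submitted: str, expected_password: str,
                             verifier: TotpVerifier, unix_time: int) -> bool:
    """Both factors must pass: the password (constant-time compare) and the code."""
    try:
        password, code = split_password_and_code(submitted)
    except ValueError:
        return False
    password_ok = hmac.compare_digest(password, expected_password)
    return password_ok and verifier.verify(code, unix_time)


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 SHA-1 test seed.
    seed = b"12345678901234567890"
    v = TotpVerifier(seed, window=1)
    code = totp(seed, 59)                            # "287082" per RFC 6238 vectors
    print("code at t=59:", code)
    print("login ok:", login_with_appended_code("hunter2" + code, "hunter2", v, 59))
    print("replay ok:", login_with_appended_code("hunter2" + code, "hunter2", v, 59))
```

Note that the code depends only on the secret and the clock, not on which site is checking it; that is why a single credential can be validated for several institutions, and also why the validation service must remember which time step it last accepted for that credential.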
One Token Does It All
If you have accounts at more than one place, you can register the same token ID with all places. I’m not a security expert. I don’t see much risk in doing so. Symantec tells you how to do that. I take it to mean it’s OK.
Vanguard doesn’t use a hardware token or a mobile app token. You can have it send you a code by text message. If you don’t have text messaging or don’t like it, you can get a Google Voice number. Text messages sent to the Google Voice number will show up in the Google Voice app.
To enroll, click on My Account -> Account Maintenance. Then scroll down and look for “Security Code” on the right hand side.
What About Others?
Why don’t more financial institutions offer 2-factor authentication with security tokens?
There’s clearly a cost involved. Symantec says this about its service:
Symantec Validation and ID Protection Service is priced as a service, with customers subscribing on either a per-user or a per-transaction basis. Customers can choose to pay based on either the number of active users each month, a specified number of users for a year, or the monthly volume of validation transactions. Customers have the option of deploying hardware tokens at an additional cost per token.
Then there’s the customer service cost of resetting lockouts or replacing lost tokens. That’s why none of these companies offer the token by default. You get it only if you care enough about security to ask for it.
If you have accounts at Fidelity, Schwab, E*Trade, or Vanguard, get the free hardware token, use the free mobile or desktop app, or enroll to receive random codes by text message.
[Photo credit: Flickr user Edwin Sarmiento]