Protect Your Investment Accounts With A Security Token: Fidelity, Schwab, E*Trade, Vanguard

This is a little crazy. I can stop someone from logging into my web email account because it requires a 6-digit code that changes every 30 seconds (Gmail 2-step verification), but I can’t stop someone from logging into my Vanguard account if they get my user name and password.

Some places ask those stupid security questions. What’s your favorite blah? My favorite changes. What was my favorite when I signed up ten years ago? What’s the first name of your maternal grandfather? None of your business! Where should I keep a list of all the answers I made up for each place?

Fortunately, some companies have better sense. They do it the right way by offering security tokens for 2-factor authentication.

E*Trade

E*Trade has been offering the security token for at least 10 years. Nowadays you can also get the token on your mobile phone or computer. Just fire up a VeriSign/Symantec app and you will have your code. You add the 6-digit code to the end of your password when you log in.

More info from E*Trade:

Schwab

Schwab also offers free security tokens to its customers. It’s also from VeriSign/Symantec.

Although Schwab doesn’t show the mobile or desktop app option on its website, I bet the same free Symantec VIP Access app also works.

More info from Schwab: use a token.

Fidelity

Fidelity doesn’t advertise security tokens on its website, but if you call customer service, they will tell you how to do it. If the rep you speak to isn’t familiar with this, ask for “Electronic Channel Support” or call the number shown in the screenshot below.

Like Schwab and E*Trade, Fidelity also uses Symantec. You can get either a physical token or just use the free Symantec VIP Access mobile or desktop app. Customer Service will give you a special toll-free number to call. The rep there will link your security token to your account.

Unlike E*Trade, you don’t append the code to the end of your password. You log in as usual and then you are prompted for the code on the next page.
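The 6-digit, 30-second codes described above (the Gmail codes are TOTP, RFC 6238, and the hardware tokens and VIP Access app display codes of the same form) are derived from a secret shared between the token and the institution plus the current time step. The following is an added example, not code from the original post or from any of the institutions named; it implements code generation and the server-side check in Python and covers both submission styles described above: the E*Trade way (code appended to the password in one field) and the Fidelity way (password first, code on the next page). It uses the published RFC 4226/6238 test secret, a constructed password and salt, and a replay set; all of those are demo assumptions.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# Reference secret from the RFC 4226 / RFC 6238 Appendix B test vectors
# (ASCII "12345678901234567890"). Used for the demo only, not a real credential.
DEMO_SECRET = b"12345678901234567890"

# Constructed password record for the demo login check (hypothetical values).
DEMO_SALT = b"constructed-demo-salt"
DEMO_PASSWORD = "correct horse battery"
DEMO_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", DEMO_PASSWORD.encode(), DEMO_SALT, 100_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current 30-second
    time step, which is why the code on a token or app changes every 30 seconds."""
    return hotp(secret, unix_time // step, digits)


def match_totp(secret: bytes, candidate: str, unix_time: int,
               window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Server-side check. Returns the time-step counter the code matches, or
    None. Accepts the current step and `window` steps either side to tolerate
    token/app clock drift. Every step is compared with hmac.compare_digest and
    the loop never exits early, so timing does not reveal which step matched."""
    if len(candidate) != digits or not candidate.isdigit():
        return None
    counter = unix_time // step
    matched = None
    for delta in range(-window, window + 1):
        step_counter = counter + delta
        if step_counter < 0:  # guard against negative counters near the epoch
            continue
        if hmac.compare_digest(hotp(secret, step_counter, digits), candidate):
            matched = step_counter
    return matched


def check_password(password: str, salt: bytes, expected_hash: bytes) -> bool:
    """Constant-time comparison of the PBKDF2 hash of the submitted password."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(derived, expected_hash)


def login_two_step(password: str, code: str, unix_time: int, used_counters: set) -> bool:
    """Fidelity/Gmail style: password on one page, code prompted on the next.
    Both checks always run, and a time step is recorded as used only when the
    whole login succeeds, so a wrong password cannot burn a valid code. A code
    that was already accepted (a replay) is refused."""
    pw_ok = check_password(password, DEMO_SALT, DEMO_PASSWORD_HASH)
    counter = match_totp(DEMO_SECRET, code, unix_time)
    if not pw_ok or counter is None or counter in used_counters:
        return False
    used_counters.add(counter)
    return True


def split_appended_code(submitted: str, digits: int = 6) -> Optional[Tuple[str, str]]:
    """E*Trade style: the 6-digit code is typed directly after the password in
    the password field. Split it off; input too short to hold both is rejected."""
    if len(submitted) <= digits or not submitted[-digits:].isdigit():
        return None
    return submitted[:-digits], submitted[-digits:]


def login_appended(submitted: str, unix_time: int, used_counters: set) -> bool:
    """E*Trade-style login: one field carrying password followed by the code."""
    parts = split_appended_code(submitted)
    if parts is None:
        return False
    password, code = parts
    return login_two_step(password, code, unix_time, used_counters)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    used = set()
    print("current code:", code)
    print("appended-style login:", login_appended(DEMO_PASSWORD + code, now, used))
    print("same code replayed:", login_two_step(DEMO_PASSWORD, code, now, used))
```

The drift window of one step means a code stays valid for up to about 90 seconds, which is the usual trade-off between usability and the time an intercepted code remains useful; the replay set closes the gap for a code that has already been spent.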

One Token Does It All

If you have accounts at more than one place, you can register the same token ID with all places. I’m not a security expert. I don’t see much risk in doing so. Symantec tells you how to do that. I take it to mean it’s OK.

Vanguard

Vanguard doesn’t use a hardware token or a mobile app token. You can have it send you a code by text message. If you don’t have or like text messages, you can get a Google Voice number. Text messages sent to the Google Voice number will show up in the Google Voice app.

To enroll, click on My Account -> Account Maintenance. Then scroll down and look for “Security Code” on the right hand side.

What About Others?

Why don’t more financial institutions offer 2-factor authentication with security tokens?

There’s clearly a cost involved. Symantec says this about its service:

Symantec Validation and ID Protection Service is priced as a service, with customers subscribing on either a per-user or a per-transaction basis. Customers can choose to pay based on either the number of active users each month, a specified number of users for a year, or the monthly volume of validation transactions. Customers have the option of deploying hardware tokens at an additional cost per token.

Then there’s the customer service cost of resetting lockouts or replacing lost tokens. That’s why none of the companies offer the token by default. You get it only if you care enough about security.

If you have accounts at Fidelity, Schwab, E*Trade, or Vanguard, get the free hardware token, use the free mobile or desktop app, or enroll to receive random codes by text message.

[Photo credit: Flickr user Edwin Sarmiento]


Comments

  1. Sanjay says

    The workaround in case of Vanguard is to limit login from one trusted device only. A bit restrictive but a reasonable compromise in absence of 2-factor.

    “Restrict account access from unrecognized computers” option is available from your Vanguard Account Profile page, then click on “Computer access restrictions”

  2. Alskar says

    @Sanjay:

    Vanguard recognizes your computer via its MAC address. It is trivially easy to spoof a MAC address, if you know what it should be. Since your computer broadcasts its MAC address, it’s not that hard to discover it. Vanguard is offering what security experts call “Security Theater”; which is the appearance of security without much actual security. Those “Safe Keys” images are Security Theater of the first order. Stupid. Vanguard needs to check the calendar, realize it’s the 21st century and do something about security.

    FWIW, I closed my Vanguard account because of their lax stance on security. At the time they had a maximum password length of 10 characters and upper and lower case characters were treated as equivalent. I have been told that they now allow passwords up to 20 characters in length. I have no idea if they are still treating upper and lower case characters as equivalent.

    @Harry:

    I’m glad you were finally able to get your Fidelity account setup with the VIP token. Here’s a tip: The VIP Access app you download to your cellphone is prone to crashing; particularly on Android. When it crashes there is no way to get your original token ID back. This means you have to reload the app and call customer service to have your account unlocked and your new token ID setup on your accounts. This has happened to my brother on his Android phone twice. Painful. I’m using a VIP token from Yubikey (http://www.yubico.com/products/yubikey-hardware/yubikey-vip/). It was $25. It fits on my keychain, has no battery and has survived daily usage in my pocket for a year now. I’m a big fan of my Yubikey VIP. It is very robust and doesn’t require that my phone be charged.

    @All:

    The biggest security risk is the ease of which a thief can reset one’s password by calling or emailing to have your password reset. Until we demand that this security hole be fixed, all the authentication in the world isn’t going to help.

    FWIW, Ebay, PayPal and First Technology Credit Union all have Symantec VIP Access enabled on their systems. I’m surprised that more online banks and financial institutions don’t offer this option.

  3. Erik says

    Vanguard could easily start with a simple SMS two-factor. I would enjoy it if they implemented Time-based One-time Passwords (TOTP) and I could utilize the Google Authenticator app.

  4. Dave R says

    Alas, many of these institutions will not work with Mint or the various other transaction aggregating sites… well, they can work if you choose to modify Mint’s settings and re-enter your passwords every time. That’s too much of a hassle for me.

    An additional option is to use LastPass, Keepass, Dashlane, or another of the many password management tools. As a security professional myself, I highly recommend using one of them for generating and storing passwords. You can easily manage unique long random passwords for all websites that require password authentication. Further, some of these password management tools can be configured to utilize two-factor authentication, so you have some equivalence to using two-factor for each individual financial institution.

    • Steve says

      Some financial institutions have a separate password for aggregators (and presumably some other uses).

      I wish all did, because I’m quite leery of entering a password to my financial accounts into a third-party web site. I know all such websites say they have a “read only” connection to the financial institutions. But that doesn’t remove the fact that the password itself could be extracted and used to perform whatever malicious activity is desired.

      I don’t quite see how a password management tool is a replacement for two-factor authentication. Sure, it’s better to have a secure password for a given institution’s website. But it’s better still to have a secure password AND a second factor.

    • Alskar says

      I’m not comfortable with data aggregation services like Mint or Fidelity’s “Full View” either. Some of the more impressive hacks targeted the supposedly “closed” server-to-server connections.

      A password management tool is not a replacement for two-factor authentication, but it does allow the user to create and maintain very long and very complex passwords that are very difficult to crack by brute force. So in that sense, a password management tool can enhance security.

      I agree that it’s best to have a secure password AND a second factor.

  5. Alskar says

    @Dave R

    I agree. I’m a fan of LastPass. My Yubikey VIP token has a second “slot” for OATH authentication against the LastPass server. So I get both LastPass OATH authentication and Symantec VIP authentication in one tiny and nearly indestructible token.

    • Steve says

      Does the Yubikey have storage for a password vault? Or do you still have to store your vault (either on the computer or in the cloud) and then only use the Yubikey to open it?

    • Alskar says

      The Yubikey has no storage. Your passwords are stored in a vault in the cloud. The Yubikey is used to “unlock” the vault. The LastPass website has some great videos that describe their security system.

      LastPass has apps for most of the current operating systems including WebOS.

  6. Mike says

    Thanks for posting this info. My funds are at Fidelity, so I called them; after getting bounced around to a few different people, they finally connected me with someone who knew about this. The department they referred me to is called Electronic Channel Support, and the direct number there is 800-544-7595. I was told that everyone in that department is trained in setting up “soft-token” functionality with the Verisign VIP Access product. Still not sure I’m going to do this, as my wife and I are in each other’s accounts pretty regularly (we co-handle finances), and the way it sounds like this works is that my phone’s app would only work on my account, and her phone’s app would only work on her account. Is that your understanding as well?

    • Alskar says

      The correct phone number for VeriSign VIP support is: 800-673-2938. That will go straight through to the correct people. This is the phone number shown on Fidelity’s VIP login screen that Harry posted above.

      Yes, your Verisign credential (token or app) would only work with your account and her credential would only work with your account. FWIW, most financial institutions specifically prohibit the sharing of passwords like you’re doing. A friend of mine was told by Vanguard to stop sharing his password with his wife or they’d drop him as a customer. Vanguard’s solution was to set up a “household” account to allow one login to access more than one account.

  7. Chang says

    I enabled this with E*Trade. The CSR is incredibly less trained than desired, and she emphasized all aggregates (including MINT) will still work “because those sites have special relation with E*Trade”. Turned out my mint account is no longer able to connect :(

    Does any reader know whether MINT is able to work with Fidelity, if I also enable this with Fidelity?

    (ING Direct creates a special password for aggregates, as far as I know.)

    • Carls says

      Yes, MINT has worked well with my Fidelity Brokerage account. No idea if it works with their new AMEX card, however.
      One question for you: INGdirect disappeared last year to be replaced by a bank that bought their accounts to meet Federal requirements. Not sure of the name (Capitol1?). So how do you happen to have INGdirect. I miss it!

  8. Alskar says

    E-Trade is unusual in that they append the Symantec VIP code to the end of the password instead of having a separate screen to enter the VIP code. I don’t use data aggregators, because I’m not comfortable with the security holes they present, but I imagine that you would not have the problem with Fidelity that you had with E-Trade.

  9. csc says

    Thanks to all, this is all great info.

    I’m thinking I want to go the VIP Security Token route.

    It seems superior to the App(s) that I’d have to download and get running, the token just seems easier if I access from multiple hosts.

    Do I get the Security Token from Verisign? or does the account management firm provide it?

    Thanks,
    CSC

    • Alskar says

      The token provided by Fidelity, Schwab and E*Trade is pretty huge and cumbersome. It has an LCD that shows the current 6 digit code. I prefer my YubiKey VIP. It’s $25 from Yubico: http://www.yubico.com/products/yubikey-hardware/yubikey-vip/

      The only downside I’ve found of the YubiKey VIP is that it is impossible to use it with mobile devices that do not have a USB Host port to plug the YubiKey token into.

      I carried a traditional HW token with a display for years. It was just way too bulky and easy to break.

    • Alskar says

      No, I don’t work for Yubico. I have no financial arrangement with Yubico. I receive no compensation from Yubico. I’m just an engineer that appreciates great technology and a fan of Yubico products.

      I’ve used a number of hardware tokens in my line of work, starting with the RSA token that was hacked. The only one I’ve found to be reliable and easy to use is my YubiKey VIP. It serves up OATH passwords to access my LastPass vault and VIP security codes to access Fidelity, Etrade, PayPal, and Ebay. It’s small enough that I feel comfortable carrying it on my keychain and it’s survived the abuse of my pocket for over a year now.

  10. Steve says

    I contacted Schwab, and they don’t appear to support the Symantec/Verisign app. Has anybody tried it with them?

    Thank you for your reply.

    I spoke with our Technical Support Team and provided them with the url below. At this time however, we do not offer an app that you could use rather than the physical device. We are looking at different options however that may allow for this or something like it in the future. Currently though, there is no date as to when something could be available.

    • Harry says

      @Steve – Assuming you still want to use a token even if it’s just a physical one, you can still request to have it enabled for your account. After you receive the token, if you are asked to call them back and give them the token’s serial number, give them the serial number from your app (download the app for free from Symantec). Chances are it will work just fine. If it doesn’t, you still have the physical token.

    • thaiguy says

      I spoke with Schwab tech support on the phone today, and specifically asked them about the Verisign mobile phone app.

      The Schwab person said their system does not support and won’t work with the Verisign mobile phone app, even though the physical tokens that Schwab issues actually have the “Symantec.VIP” logo printed on them — and oddly, no mention of Schwab anywhere.

      I may well download the Verisign app and see if it does anything with Schwab, because I have a different account with a different provider that does use the Verisign app — just to doublecheck on what Schwab is saying.

  11. Carls says

    Noobie question. Please be gentle…
    I don’t understand why access to bank and brokerage accounts is of such concern. If someone transfers money or stocks, you have a record of the transfer, know where the funds or transfers went, and have all kinds of civil and criminal procedures, as well as insurance protection, to work for you.
    Carrying a fob – more accurately finding the bloody thing – and then having to transcribe small numbers into a website… What is it that deserves this work? Plus, am I the only one that travels a lot? Do these things like Xrays? Can you imagine trying to replace a fob from overseas?
    Any help, please.

    • Alskar says

      @Carls:

      Many if not most brokerage accounts have provisions to wire transfer money out of the account. Wire transfers out of the country may be traceable but not necessarily reversible. I can’t find the link I was looking for at the moment, but here’s an article that applies: http://online.wsj.com/news/articles/SB10001424052702304500404579125681915713744

      If the brokerage firm feels like you were negligent by “permitting” access to your online account, then they may decide you were at fault for not protecting your account better. On top of that, I don’t need additional hassles in my life.

      I carried an RSA token with me for years and I hated it. It was way too big and cumbersome and it was a hassle when trying to get through TSA security in the US. As a result, many of my coworkers kept the fob in their computer case, which in my view largely negates the usefulness of the fob as it is supposed to be the second factor (“something you have”). If you leave it out of your control (like in your computer case or desk drawer) for long periods of time it doesn’t serve its purpose. Read “Ghost in the Wires” by Kevin Mitnick if you don’t think this is important.

      So if you don’t want a large fob you can either use the Symantec VIP app on your smart phone, or (as I prefer) carry the YubiKey VIP token on your key ring. Given reports of the Symantec VIP app crashing (and taking the serial number of the token with it) and my discomfort with having a security device on a piece of hardware with at least three and possibly four wireless interfaces (3G/4G; Bluetooth; WiFI; and possibly NFC), I choose to use my YubiKey. As I’ve said before, I have no invested interest in Yubico, but after years of carrying a fob and a brief, unhappy stint with the Symantec VIP app on my iPhone, I find my YubiKey VIP to be a far better choice. It is always on my person; it doesn’t crash; and it doesn’t have batteries.

  12. Joe says

    The place I work is not a huge company, and we have 2 factor phone authentication so it can’t be that expensive or hard to do. If you got malware on your computer they could grab your name/password but not any kind of key from your phone. What if they redirect or make a remote connection from your computer to Vanguard with your id/pass? Then restricting by IP doesn’t help.
    2 factor authentication in some form should be required anywhere dealing with money. I mean WOW the game has better security than most financial companies. Those questions as the second factor can be found on most people’s Facebook page or found online. You can’t find a phone key.

  13. BR says

    I just spent an hour on the phone with Fidelity, three different reps. Their two-factor authentication support covers ONLY wire and ACH transfers, and then is only used when a “conduit” (receiving account) is set up. Logging in online and transactions on the phone are NOT included in their two-factor support. Even with two-factor turned on & required on the account, you can still access the account by phone or computer, trade/liquidate/buy/sell/exchange/disburse or do anything with NO additional factor past the login/password. NOT useful, and it’s annoying to see Fidelity included in lists of banks that support multi-factor.

    • BR says

      I kept trying, and got it turned on. The rep on my 5th! call figured out what to do, transferred me to the right department, and got the ID from the verisign app on the cell phone linked to my account. I’m good to go.

    • Alskar says

      Nonsense. I use my Symantec Verisign VIP token to log into my Fidelity account several times a day. The agents you spoke to are wrong. Call this number to reach the department that handles the security tokens directly without going through uninformed CS agents: 800-673-2938

    • Harry Sit says

      I added to the article the key phrase to say to a rep if he or she isn’t familiar with the program.

  14. Sanjay Joshi says

    Looks like Vanguard is rolling out text message based OTPs. For the accounts that have this feature available, it appears as “Security Code” under “Account Maintenance” page.

  15. Lynn says

    My Fidelity account representative didn’t seem very knowledgeable of online security when I raised concerns about single factor authentication. I’m glad I found this article using Google. After reading, I searched on the Fidelity site and found information about the token, but it’s pretty well hidden, and didn’t pop up when simply searching “security”. I had to search “token”. It would seem the cost of better online security would more than off-set the costs (financial, legal, reputation, potential for attrition of customer base, etc.) of maintaining the online security status quo (overly simplistic website, single factor authentication). Fidelity and others, take note!

  16. BC says

    So I’d love to enable 2FA on all my brokerage accounts. My concern is that I download transactions from my accounts into Quicken Mac and TurboTax. Google 2FA provides an option for application-specific long passwords for mobile apps etc. which won’t work with 2FA.

    Can anyone clarify how Fidelity, Schwab or Vanguard 2FA handle transaction downloads?
