Most financial institutions have some type of two-factor authentication (2FA) now when you log into your account. You need something besides your username and password to access your account.
Using 2FA is better than not using it, but different forms of 2FA aren’t created equal. When you have a choice, use a stronger form of 2FA.
The Weakest Link: Password Reset
Before banks and brokers implemented 2FA, the emphasis had been on the strength of your password — make it long and include mixed case letters, numbers, and symbols. With 2FA, the weakest link shifted to the password reset path. Criminals don’t bother cracking your password when they can just reset it.
As a drill, go through the “forgot password” process for your accounts and see which items are needed to reset your password. Those are the things you need to secure.
Google Voice for SMS
Some financial institutions send security codes by SMS text message to a mobile phone number on file. This is weak because a mobile phone number can be hijacked through SIM swapping. A criminal can reset your password and gain access to your accounts after they hijack your mobile phone number.
You should get a Google Voice number and use it only for your financial accounts. A Google Voice number is less prone to hijacking because it isn't tied to a carrier account or a SIM card, so a SIM swap or a fraudulent port-out at your mobile carrier doesn't affect it. Install the Google Voice app on your phone and read the security codes in the Google Voice app. Don't forward text messages sent to your Google Voice number to your carrier number; forwarding puts the codes right back on the number that can be hijacked.
Your Google Voice number is only as secure as the Google account that owns it, so secure the Google account first. Google supports using a hardware key (see the Yubikey section later in this post) or a mobile authenticator app.
Some places refuse to send security codes to Google Voice numbers. I would avoid using them if they send security codes by SMS text message but they don’t support Google Voice numbers. That’s one reason I closed my account with Ally Bank.
Secure Your Email
Some financial institutions send security codes and password resets by email. That means you must secure your email. If a criminal hacks into your email, they can get the security code and reset the password to your bank or brokerage accounts.
If you use Gmail, Google supports securing the account with a hardware key (see the Yubikey section later in this post) or a mobile authenticator app. Microsoft (Hotmail, Outlook.com) and Yahoo! also support securing email accounts with a hardware key or a mobile authenticator app.
Fidelity, Charles Schwab, and E*Trade support the free Symantec VIP mobile app on your phone. The app generates a six-digit security code that you use with your username and password.
A mobile app is more secure than text messages because it’s tied to a physical device, not to a phone number that can be hijacked remotely. However, you won’t be able to log in to your accounts if you lose your phone. Malware on your phone can also potentially read your security codes.
If you upgrade to a different phone, you can reinstall the app but the Symantec VIP credential ID can’t be transferred to your new phone. You’ll have to link a new credential ID to your login.
Buy Hardware Token
Many people don’t know you can actually buy a hardware token for Symantec VIP. The hardware token isn’t connected to the Internet. Malware on your phone can’t read it. You won’t lose it if you lose your phone. You won’t have to change your credential when you upgrade your phone.
Go to the official Symantec VIP website. Click on “Buy Hardware Token” on the top right. The first link “Buy Security Token” sends you to the token sold on Amazon.
A Symantec VIP hardware token costs only $12.50 as I’m writing this. If this model is out of stock at Amazon, a different model is available on eBay for $10.
You can register the same token at Fidelity, Schwab, E*Trade, and anywhere else that also uses Symantec VIP.
Register Token with Fidelity
You must call Fidelity customer service to link the serial number of the security token to your login.
Fidelity requires separate tokens for separate logins. Get two tokens if you’re married and both of you have Fidelity accounts.
Vanguard supports Yubikey, which is a hardware key that you plug into a USB port on your computer.
The least expensive Yubikey costs $25 or $29 on the manufacturer’s website, depending on the type of USB port on your computer. You should buy two Yubikeys. The second key serves as a backup in case you lose one.
Add Yubikey to Email Accounts
If you’d like to use two Yubikeys to secure your Google account (Gmail and Google Voice), follow the steps in Use a security key for 2-Step Verification from Google. Google sells Titan Security Keys but Yubikeys will work for both Google and Vanguard.
Microsoft and Yahoo also support using two Yubikeys. See Sign in to your Microsoft account with Windows Hello or a security key from Microsoft and 2-Step Verification with a Security Key from Yahoo.
Register Yubikey with Vanguard
To register your two Yubikeys with Vanguard, click on “Profile & account settings” on the top right after you log in.
Click on the Security tab and then “Security key.”
Repeat the process to add your second key. A married couple can register the same two Yubikeys with Vanguard for their separate logins. This way the two keys can work interchangeably for both logins.
Symantec VIP On Yubikey
For those who are more technically inclined, you can actually put a Symantec VIP credential on a Yubikey. It requires a more expensive version of Yubikey that has two “slots.”
This blog post by engineer Paul Sambolin gives details on putting Symantec VIP on a Yubikey for E*Trade:
After the Symantec VIP credential is put on a Yubikey, it works similarly for Fidelity and Charles Schwab.
This is more work than it's worth, in my opinion, because a Symantec VIP token is both inexpensive and straightforward. Go at it if you enjoy playing with technology.
Morgan Stanley, T. Rowe Price, Betterment, Wealthfront, M1 Finance, and Robinhood all support authenticator apps for 2FA.
You link your login to an authenticator app on a mobile device, such as Google Authenticator, Microsoft Authenticator, or Authy. The authenticator app generates a six-digit code every 30 seconds.
The problem with an authenticator app is that it resides on your phone, and you take your phone everywhere you go. It's more prone to loss, theft, damage, software crashes, or malware, whereas your hardware Yubikey or Symantec VIP token sits safely in your desk drawer. One caveat applies to every six-digit code, whether it comes from an authenticator app, a Symantec VIP app or token, or a text message: you type the code into whatever site asks for it, so a phishing page that relays your username, password, and code to the real site within the 30-second window still gets in. A Yubikey used as a security key is the exception, because the browser only signs the login challenge for the site that originally registered the key. You can transfer the authenticator app from one phone to another when you upgrade your phone, but you'll have to learn how to do that.
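To make the "six-digit code every 30 seconds" concrete, here is an added example (not code from the original post or from any of the apps or brokers named in it) of the TOTP scheme from RFC 6238 that authenticator apps use: the app and the site share a secret, and both derive the code from that secret and the current 30-second time step. The secret below is the RFC 6238 reference secret, not a real credential, and the `TotpVerifier` class is an assumed illustration of the server-side check, including the clock-skew allowance and the replay rejection a site should apply.

```python
import base64
import hashlib
import hmac
import struct

# Constructed example: the RFC 6238 reference secret "12345678901234567890",
# base32-encoded the way an otpauth:// QR code carries it. NOT a real credential.
EXAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

STEP_SECONDS = 30   # one code per 30-second time step
DIGITS = 6          # six-digit codes, as the apps in this post produce


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-long decimal string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    Both the phone and the site compute this; only the secret is shared."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, at // step)


class TotpVerifier:
    """Assumed illustration of the site-side check. Accepts one time step of
    clock skew either way, compares in constant time, and remembers the last
    step that was accepted so a code captured once cannot be replayed."""

    def __init__(self, secret_b32: str, skew_steps: int = 1):
        self.secret = base64.b32decode(secret_b32.upper())
        self.skew = skew_steps
        self.last_used_step = -1

    def verify(self, code: str, at: int) -> bool:
        current = at // STEP_SECONDS
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_used_step:
                continue  # this step (or an earlier one) was already consumed
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_used_step = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test vector: at unix time 59 the 8-digit code is 94287082,
    # so the 6-digit code is its last six digits.
    print(totp(EXAMPLE_SECRET_B32, 59))
```

The replay check is the part to notice: a phishing page that captured a code still has up to 30 seconds to use it, so the verifier burns the time step on first use; that limits a captured code to a single login but does not stop a relay that beats you to it, which is why the post ranks a security key above any six-digit code.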
The website 2FA Directory shows which 2FA methods are supported at each place. I go down a list of priorities: hardware > mobile authenticator app > SMS to Google Voice.
If a place supports hardware, I use hardware (Yubikey or Symantec VIP hardware token). If a place doesn’t support hardware but supports a mobile authenticator app, I use a mobile authenticator app (Google Authenticator, Microsoft Authenticator, or Authy). If a place supports neither hardware nor a mobile authenticator app, I give them my Google Voice number. If a place doesn’t send codes to Google Voice, I avoid them and go somewhere else when I have a choice.
Buying security hardware costs more than using text messages or a mobile app, but the extra security and peace of mind are worth it. After I already spent the money on Yubikeys and a Symantec VIP token, I use them wherever I can.
Brokerage firms in general have better support for security hardware because they tend to deal with larger amounts of money. Most banks are still stuck at sending SMS text messages. It’s one reason that I closed my online savings account and favor using a money market fund now.