Most financial institutions have some type of two-factor authentication (2FA) now when you log into your account. You need something besides your username and password to access your account. The most common form of 2FA is a security code sent by text message to your phone.
Using 2FA is better than not using it, but different forms of 2FA aren’t created equal. Getting a security code by text message is the weakest form. When you have a choice, use a stronger form of 2FA.
The Weakest Link: Password Reset
Before banks and brokers implemented 2FA, the emphasis had been on the strength of your password — make it long and include mixed case letters, numbers, and symbols. With 2FA, the weakest link shifted to the password reset path. Criminals don’t bother cracking your password when they can just reset it.
As a drill, go through the “forgot password” process for your accounts and see which items are needed to reset your password. Those are the things you need to secure.
Google Voice for SMS
Some financial institutions send security codes by SMS text message to a mobile phone number on file. This is weak because a mobile phone number can be hijacked through SIM swapping. A criminal can reset your password and gain access to your accounts after they hijack your mobile phone number.
You should get a Google Voice number and only use that number for your financial accounts. A Google Voice number is less prone to getting hijacked. Install the Google Voice app on your phone and read the security codes in the Google Voice app. Don’t forward text messages sent to your Google Voice number.
Your Google Voice number is secure after you secure your Google account. Google supports using a hardware key (see the Yubikey section later in this post) or a mobile authenticator app.
Some places refuse to send security codes to Google Voice numbers. I would avoid using them if they send security codes by SMS text message but they don’t support Google Voice numbers. That’s one reason I closed my account with Ally Bank.
Secure Your Email
Some financial institutions send security codes and password resets by email. That means you must secure your email. If a criminal hacks into your email, they can get the security code and reset the password to your bank or brokerage accounts. See how an elderly couple lost $250,000 this way.
If you use Gmail, Google supports securing the account with a hardware key (see the Yubikey section later in this post) or a mobile authenticator app. Microsoft (Hotmail, Outlook.com), Apple iCloud, AOL, and Yahoo! also support securing email accounts with a hardware key or a mobile authenticator app.
Symantec VIP
Fidelity, Charles Schwab, and E*Trade support the free Symantec VIP mobile app on your phone. The app generates a six-digit security code that you use with your username and password.
A mobile app is more secure than text messages because it’s tied to a physical device, not to a phone number that can be hijacked remotely. However, you won’t be able to log in to your accounts if you lose your phone. Malware on your phone can also potentially read your security codes.
If you upgrade to a different phone, you can reinstall the app but the Symantec VIP credential ID can’t be transferred to your new phone. You’ll have to link a new credential ID to your login.
Hardware Token
Many people don’t know you can actually use a hardware token for Symantec VIP. The hardware token isn’t connected to the Internet. Malware on your phone can’t read it. You’re not taking the hardware token with you everywhere you go. You won’t lose it if you lose your phone. You won’t have to change your credential when you upgrade your phone.
Some brokers provide a Symantec VIP hardware token for free if you ask them (Fidelity doesn’t). If your broker doesn’t provide it, you can buy one on your own at a minimal cost.
Go to the official Symantec VIP website. Click on “Buy Hardware Token” on the top right. The first link “Buy Security Token” sends you to the token sold on Amazon.
A Symantec VIP hardware token costs only $12.50 as I’m writing this. If this model is out of stock at Amazon, a different model is available on eBay for $10.
You can register the same token at Fidelity, Schwab, E*Trade, and anywhere else that also uses Symantec VIP.
Register Token with Fidelity
You must call Fidelity customer service to link the serial number of the security token to your login.
Fidelity requires separate tokens for separate logins. Get two tokens if you’re married and both of you have Fidelity accounts.
Yubikey
Vanguard supports Yubikey, which is a hardware key that you plug into a USB port on your computer or tap on your phone to read through NFC.
The least expensive Yubikey costs $25 or $29 on the manufacturer’s website depending on the type of USB port on your computer. The manufacturer also sells other models with more features at a higher price but the Security Key NFC series is sufficient for our purpose here.
You should register at least two Yubikeys with each account. The second key serves as a backup in case you lose one. If you’re married, get four Yubikeys — one primary key and one backup key for each spouse.
Keep your Yubikeys safely at home. Don’t put them on your keyring. Store your backup key(s) separately from your primary key(s).
Add Yubikey to Email Accounts
If you’d like to use two Yubikeys to secure your Google account (Gmail and Google Voice), follow the steps in Use a security key for 2-Step Verification from Google. Google sells Titan Security Keys but Yubikeys will work for both Google and Vanguard.
Microsoft, Apple iCloud, Yahoo, and AOL also support using Yubikeys.
Register Yubikey with Vanguard
To register your two Yubikeys with Vanguard, click on “Profile & account settings” on the top right after you log in.
Click on the Security tab and then “Security key.”
Repeat the process to add your second key (and optionally the third and the fourth key). A married couple can register the same two Yubikeys with Vanguard for their separate logins. This way the two keys can work interchangeably for both logins.
Symantec VIP On Yubikey
For those who are more technically inclined, you can actually put a Symantec VIP credential on a Yubikey. It requires a more expensive version of Yubikey that has two “slots.”
This blog post by engineer Paul Sambolin gives details on putting Symantec VIP on a Yubikey for E*Trade:
After the Symantec VIP credential is put on a Yubikey, it works similarly for Fidelity and Charles Schwab.
This is more work than it’s worth in my opinion because a Symantec VIP token is both inexpensive and straightforward. Go at it if you enjoy playing with technology.
Authenticator App
Fidelity, Morgan Stanley, T. Rowe Price, Betterment, Wealthfront, M1 Finance, and Robinhood all support authenticator apps for 2FA.
You link your login to an authenticator app on a mobile device, such as Google Authenticator, Microsoft Authenticator, or Authy. The authenticator app generates a six-digit code every 30 seconds.
The problem with an authenticator app is that it resides on your phone and you take your phone everywhere you go. It’s more prone to loss, theft, damage, software crash, or malware, whereas your hardware Yubikey or Symantec VIP token sits safely in your desk drawer. You can transfer the authenticator app from one phone to another when you upgrade your phone but you’ll have to learn how to do that.
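The six-digit codes from a Symantec VIP credential and from Google Authenticator, Microsoft Authenticator, or Authy all come from the same family of time-based one-time-password algorithms (HOTP, RFC 4226, driven by a 30-second clock counter as in TOTP, RFC 6238). The code below is an added example, not code from the post or from any of the vendors named in it; it implements that algorithm from the standard library so you can see why a code is tied to a secret stored on the device rather than to a phone number, why it changes every 30 seconds, and what a server must check on its side (a small clock-drift window plus refusing to accept a counter that was already used). The secret is the published RFC test-vector key, so the values it produces can be checked against the RFCs; the account and issuer names are made up.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed example secret: the RFC 4226 / RFC 6238 test-vector key
# ("12345678901234567890" as ASCII bytes). A real app or token stores a
# random secret that never leaves the device; the server keeps a copy.
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # period used by the authenticator apps named in the post
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation of the MAC, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole time steps
    since the Unix epoch, so the code rolls over every `step` seconds."""
    return hotp(secret, unix_time // step, digits)


def current_code(secret: bytes) -> str:
    """What the app on your phone (or the hardware token) displays right now."""
    return totp(secret, int(time.time()))


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                window: int = 1, last_used_counter=None):
    """Server-side check. Returns the matching counter, or None.

    - Accepts codes from `window` steps either side of now, so a device whose
      clock is slightly off still works.
    - Refuses any counter at or before `last_used_counter`, so a code that was
      already accepted (for example one phished a minute ago) cannot be replayed.
    - Uses a constant-time comparison so timing does not leak which digits match.
    """
    current = unix_time // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), candidate):
            return counter
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI that the enrollment QR code encodes. This is the one
    moment the secret is exposed, which is why you enroll once and then the
    secret lives only on the device and the server."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    # RFC 6238 test vector: at Unix time 59 the 8-digit SHA-1 code is 94287082,
    # whose last six digits are 287082.
    print("code at t=59:", totp(TEST_SECRET, 59))
    print("code now:    ", current_code(TEST_SECRET))
    print(provisioning_uri(TEST_SECRET, "alice@example.com", "ExampleBroker"))
```

Two things the example makes visible that the paragraph does not: the code is a pure function of the secret and the clock, so the server never sends anything to the device (which is why SIM swapping does not help against it), and a server that forgets the `last_used_counter` check will happily accept the same six digits twice within the window.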
2FA Directory
The website 2FA Directory shows which 2FA methods are supported at each place. I go down a list of priorities: hardware > mobile authenticator app > SMS to Google Voice.
If a place supports hardware, I use hardware (Yubikey or Symantec VIP hardware token). If a place doesn’t support hardware but supports a mobile authenticator app, I use a mobile authenticator app (Google Authenticator, Microsoft Authenticator, or Authy). If a place supports neither hardware nor a mobile authenticator app, I give them my Google Voice number. If a place doesn’t send codes to Google Voice, I avoid them and go somewhere else when I have a choice.
Effect on Aggregator
Some people use an account aggregation service such as Mint, Quicken, or Empower (formerly Personal Capital) to pull information from multiple financial institutions into one place. Adding a hardware security token or authenticator app to your accounts doesn’t necessarily block the aggregators.
Aggregators usually get approval from financial institutions as a trusted third party for read-only access through a special channel. They don’t necessarily access your account through the same website you use to log in. I use Fidelity’s Full View powered by eMoney (see Fidelity Full View + GPS: Track Your Portfolio Across All Accounts). It pulls information from Vanguard just fine after I added Yubikeys to my Vanguard accounts.
***
Buying security hardware costs more than using text messages or a mobile app, but the extra security and peace of mind are worth it. After I already spent the money on Yubikeys and a Symantec VIP token, I use them wherever I can.
Brokerage firms in general have better support for security hardware because they tend to deal with larger amounts of money. Most banks are still stuck at sending SMS text messages. It’s one reason that I closed my online savings account and favor using a money market fund now.
always_gone says
Bravo! Great information here. I have used a Google voice number and Yubikey with Vanguard for years. It’s a great setup, works well, is easy to use, and provides infinitely more protection than a lame password and text message of a security code.
Chuck says
Great if you already know how to do that. If you need guidance from Vanguard… in my experience, it ain’t gonna happen.
Peter Sramka says
The Vanguard mobile app never checks for a Yubikey. Thus, the Yubikey is essentially useless with Vanguard. You might feel more secure, but you aren’t.
Steve says
Thank you for the information. Two questions:
1. Does either hardware token you mention work with both Fidelity and Vanguard accounts?
2. If you lose the token, or it is not available when you need to access the account, what recourse do you have/ what do you need to do to access the Fidelity or Vanguard account?
Harry Sit says
What works at a financial institution is mandated by that institution. Fidelity only supports Symantec VIP. Vanguard only supports Yubikey. If you want to use only one token for both, you’ll have to be technical enough to put a Symantec VIP credential on a [more expensive] Yubikey. See the linked blog post from an engineer in the last section. I just use separate tokens.
If you lose the Symantec VIP token, you’ll have to call Fidelity and link a replacement token to your login. If you lose a Yubikey, log in with your backup Yubikey and delete the lost Yubikey. That’s why you should register two Yubikeys with Vanguard.
You use a hardware token instead of your phone because you can keep it safely at home. You’re not taking your token everywhere you go.
Sam R says
Harry, what to do IF you lose both of the 2 Yubikeys (e.g. in a burglary or house fire)?
Do you have a 3rd yubikey & keep the 3rd one in the safe deposit box in the bank?
Thanks.
always_gone says
Sam, I’m not Harry, but I have four registered keys at Vanguard. But depending on the service (Google/Vanguard/Dropbox/etc) you can also enable other backup options, like backup codes, Authenticator app, call to customer service, etc. The fewer options you have to get in, the fewer attack vectors others have to get in as well. I keep one Yubikey on me, a couple in the house, and one at a family member’s house in case of flood/theft/fire. Just make a plan that’s reasonable. A Safe Deposit box is probably too costly and troublesome for just a backup Yubikey. Heck, you could bury one in the yard.
JohnBinSV says
Do you know if these 2FA setups interfere with Quicken software being able to download transactions? It has been the case the SMS verification interrupts the download, but it seems Quicken is shifting to an interface that doesn’t require entering the SMS code.
I’ve always been intrigued by YubiKey, but it’s relatively pricey. I wonder why it costs more than twice a Symantec VIP device.
Harry Sit says
I don’t use Quicken but if it can download without the SMS code it means it’s been approved by that financial institution as a trusted application. It goes through a separate read-only back channel.
always_gone says
Just keep in mind that compared to a hacked financial account a Yubikey is very affordable. I have four – one in my wallet, one near my home computer, and two more stored safely off site.
Marty says
Would you know if the secured accounts at Fidelity and Schwab can still be accessed by account aggregators? In fact both Fidelity & Schwab have their own aggregators but aren’t as good as ones like Personal Capital.
Harry Sit says
It depends on the aggregator. If they go through a special back channel provided by Fidelity or Schwab, they don’t need the 2FA codes.
Paranoid says
While researching using a YubiKey on Vanguard, I noticed the following on Vanguard’s web site:
“It is required to register for security codes even when enrolled in security key as a backup if you lose, misplace or forget your key. ”
Where “security codes” is Vanguard’s terminology for a “unique, 6-digit number via text”.
I found this information via the following steps:
1. Go to https://investor.vanguard.com/trust-security/security-center#modal-keys
2. Click on “Protect your accounts”
3. Click on “More about security keys”
So how does a YubiKey provide any security benefit? Why can’t an attacker (that has SIM swapped your phone number) just use the required security codes backup to bypass the YubiKey hardware security?
Harry Sit says
Vanguard requires security codes as a backup if you register only one security key. You can unenroll from security codes after you register two Yubikeys. The second key serves as your backup. If you use a Google Voice number for SMS and you secure your Google account with Yubikeys, you can also stay enrolled in security codes from Vanguard with your Google Voice number, which I do.
Kevin A says
Paranoid hits on a key problem here. I spent about 5 hours today experimenting with a set of mint Yubikey 5 NFC keys. Vanguard does not let you eliminate the text SMS “feature”. Despite Vanguard’s assertion that two or more registered Yubikeys (I registered 3 – all in the same session today) lets you disable the SMS TOTP time code feature (they even provide a link to change it and send you a text to “confirm that you have opted out of the security code service”) that it is disabled, but this is NOT true in reality.
To test after I “disabled” the SMS TOTP feature, I logged out of Vanguard, rebooted my Windows 10 PC, then logged into Vanguard with my registered Yubikey in the USB slot. Then logged in: username, password, the Yubikey interface calls for the PIN, PIN entered, touch Yubikey, the Vanguard screen launches, a popup screen appears requiring me to give it a mobile phone number to set up the SMS TOTP feature before I can go look at my accounts. And doing that reverses the security code opt out – the link is reset to its original state. And at the next login attempt, the SMS security code feature takes over, never even get to insert the Yubikey.
For security, I want to be able to have my Yubikey token be required in order to log in at Vanguard without any SMS security code dance next time I log in. I think Harry’s giving a Google Voice number for the SMS number fixes this by providing basically a dummy secure phone destination, since Vanguard’s disabling switch to stop SMS doesn’t work and stick.
Ideally I would use GV and lockdown all my Google Apps with Yubikey and fix both the Vanguard and Google SMS insecurity all at once. However I have a couple of important apps (like a password manager) that need Google App passwords to function in the Google 2FA environment, and using Google’s Advanced Protection (required for Yubikey to lockdown Google) will break all Google App passwords (according to Google).
Any ideas how to workaround this Vanguard SMS security code opt-out that is not sticky? I am using latest Firefox browser, but am willing to entertain others. Thanks !
Harry Sit says
I’m not sure what happened in your account there but after I unenrolled from SMS, Vanguard didn’t prompt me to add SMS back when I logged in. It only asked for the Yubikey. Try unenrolling from SMS again, and maybe wait a day or two to log in again.
Kevin A says
Followup of my post. I followed Harry’s Vanguard advice to unenroll from SMS codes and wait a day or two before trying to login again. I waited 2 full days before testing my Yubikey login. That did the trick. Now log ins with Yubikey at Vanguard do not create a prompt/requirement to give an SMS. Logins now require Yubikey only, exactly as I wanted. Vanguard sent me a letter by snail mail to remind me that I registered for Yubikey logins and a separate letter that I had unenrolled from SMS codes. Good to know.
Harry Sit says
Thank you for the update. Happy to hear it’s working as expected now.
RickD says
Any idea why Vanguard recommends also registering for a security code? Seems to defeat the purpose of the hardware key (and ability to avoid SIM swapping)?
From their website (click more info on security keys): “Even if you use a security key, you’ll still want to register for security codes in case you ever need to log on when you don’t have the key in your possession, or log on from an unrecognized device.”
Harry Sit says
See the reply to comment #5 above. They want you to have a backup. You can unenroll from security codes after you register two security keys.
Fred says
Thank you for the article Harry. How do you look at Short Term TIPs such as VTIP (https://investor.vanguard.com/etf/profile/VTIP ) compared to T-bills in a taxable account that you plan on starting to deplete in about 12 months and it will be fully depleted over the course of the next 4 years? I have VTIP and, trying to keep things super simple, trying to see it it would make sense to sell VTIP and buy T-bills instead?
Harry Sit says
Your question is unrelated to the topic of this post. If you’re going to deplete in four years, a ladder (TIPS or nominal) works better than an ETF. See Two Types of Bond Ladders: When to Replace a Bond Fund or ETF.
Bob Wilson says
Harry, can you use the same Symantec VIP hardware device for two brokers like Fidelity and Schwab?
Harry Sit says
You can. When you have the Symantec VIP app on your phone, you have just one credential ID from the app. They don’t expect you to have two instances of the same app on your phone or use two phones. You register the same credential ID from the app with both Fidelity and Schwab. The hardware device works the same way. The credential ID (serial number) for the hardware device is on the back of the device. You register the same serial number with both Fidelity and Schwab.
Korosh says
Hi Harry and thank you for the post.
The codes/text messages that are sent to Google voice are also emailed to the Gmail and this concerns me.
I have secured the Gmail with Authenticator app but the Gmail is among my email accounts on the iPhone and also thunderbird and is always open , is there any way to prevent text messages to be sent to the Gmail?
Thank you.
Harry Sit says
You can turn off forwarding text messages to email in Google Voice settings. It’s under Settings -> Messages -> Forward messages to email.
ObiQuiet says
Does anyone know what Vanguard does to verify you when you call them, if you’ve lost keys and all codes?
Similar question for Fidelity, since you can only have one instance of VIP… how do they verify you if you call to change to a different device?
Both questions are related to the security of the recovery process… and how protected that is from bad guys.
ObiQuiet says
Found out that the Vanguard mobile app lets you switch SMS back on using username+password+security question, no Yubikey code required. How could they??
MK says
Btw, I am using my Google Voice numbers for 2FA at Ally, despite the wording saying they don’t allow VoIP it works fine if you pick the phone call option (although mobile doesn’t show that option so can’t log in on my phone).
Freddie says
Thank you Harry for another great article. Several questions.
“You should get a Google Voice number and only use that number for your financial accounts.”
So I don’t give financial accounts/institutions my real phone # but instead give them your GV # . So I need to change my profile on all accounts & delete my real phone # they have on file & change it to my GV#?
When I give someone, anyone, my phone #, I give them my real# or my GV#? Why give anyone my real ph #? But the whole world has my phone # now so I need to go & change my real/current phone # & THEN give everyone my “new” GV #?
“Don’t forward text messages sent to your Google Voice number.”
How will I know a text I’m receiving is going to my real phone # or to my GV #?
“Fidelity, Charles Schwab, and E*Trade support the free Symantec VIP mobile app on your phone. The app generates a six-digit security code that you use with your username and password.”
I assume this is no different than nor better than the Google Authenticator app? I see later in the article that I can also secure my Google account (which includes my Google Authenticator app) with a Yubikey; so there are 2 options:
Symantec VIP mobile app + Symantec token
or
Google Authenticator app + Yubikey?
They are equally good? I do see that a Symantec VIP hardware token costs $12.50 vs. the least expensive Yubikey costs $25 or $29. I do see that you use both since that is required per the institutions that you use accept either one or the other & that’s easier for you than doing the technical workaround.
The Symantec VIP token option doesn’t require a USB port, or does it?
A USB port required also means you need hardware to connect a USB to a mobile phone if you wish to transaction on your mobile phone?
“Add Yubikey to Google Account
If you’d like to use Yubikeys to secure your Google account, enroll in Google’s Advanced Protection Program. Google sells Titan Security Keys but Yubikeys will work for both Google and Vanguard.”
I’m guessing that “securing your Google account” with a Yubikey secures everything related to it such as Google Authenticator app, Google Drive, Google Photos etc?
“Register Token with Fidelity: You must call Fidelity customer service to link the serial number of the security token to your login.”
Question: if one chooses the Google Authenticator + Yubikey route (instead of Symantec VIP + hardware token for Symantec VIP) there will need to be some calling & registration, or no because my logging in via Google Authenticator app involves reading/seeing my hardware?
I simply happen to already be using Google Authenticator app & am thinking maybe I can just stack hardware/a Yubikey on top of that, one less app to deal with is all.
Thank you
Freddie says
Looks like Amazon is out of Symantec VIP tokens.
Bob Wilson says
Harry, The Fidelity FAQ on Symantec vip access says:
” Can I use both the desktop and mobile versions of VIP?
For security reasons, VIP Access can only be installed on one device at any given time. For example, if it’s currently installed on your smartphone, you won’t be able to install it on your desktop without first removing the smartphone installation.”
From this, I am for that I cannot register two Symantec hardware devices with Fido. So there’s no way to have a back up.
Do you agree?
Harry Sit says
That’s true. Fidelity only allows one token at a time whether it’s from the app or from a hardware token.
Pete says
Thanks for another great article.
Marc says
if you use a hardware key like Symantec or yubikey on Gmail or fidelity, when is it needed ?
can I still send and read email? can I use billpay ?
or is the hardware key needed every time you access the email or investment accounts ?
Harry Sit says
Email with Yubikey: Need it again after you log out and you didn’t choose “remember this browser.” Don’t need it if you’re still logged in when you send or read email.
Investment accounts with Symantec: Fidelity asks for it every time you log in. Your login times out after some time. I’m not sure about Schwab or E*Trade because I don’t have an account there.
Pete says
My Yubikey order caused them to send me an email with this link:
https://www.yubico.com/setup/security-key-series/
Scroll down to the section “Compatible accounts and services”
Note the green checkmark & whether a box is shaded or not (so no checkmark & shaded means unsupported I assume).
Do we want better security beyond just “Financial Institutions”? For example Harry’s article mentions “you can secure your Google account”; and I see that Internet Explorer is on that list. Am I correct that anyone using Windows, even if your default browser is Chrome or Firefox etc, that our PC using Windows does indeed have IExplorer in the background somewhere somehow? When I go to “clean my PC”, it always has some IExplorer things or cookies or something to clean in spite of my never opening IExplorer. I don’t ever recall logging in or signing up to use IExplorer (like I did for Google & their Chrome, Gmail, etc)
Do we want better security beyond just “Financial Institutions”? For example at a password manager app we use (assuming they support VIP token or Yubikey)?
I see some an Amazon products on that list, also ebay, but not Wal-Mart
Or do you guys think using hardware security beyond “Financial Institutions” is overkill & could be too inconvenient? I suppose a case could be made for a password manager for some folks .
Thank you.
Harry Sit says
The browser prompts for the security key and gets the output from the key to the site. Although Vanguard supports using Yubikey, it won’t work if you go to vanguard.com using Internet Explorer because IE doesn’t know how to work with a Yubikey, but going to vanguard.com using Chrome works. That’s what it means when it says IE isn’t supported.
It’s important to secure your email account with the strongest 2FA. Google, Microsoft (hotmail, outlook), and Yahoo all support Yubikey. I would also secure an online password manager with Yubikeys.
Pete says
Yes I also found that to be the case also about having more than one VIP installation.
Am I correct that it is better to have two different devices involved in your online banking when it comes to the logging in aspect? For example say one person always does his banking on his desktop, he could install the VIP app on his desktop but it is probably better to install it on his phone because it is a separate device and that makes it harder to hack ?
Harry Sit says
If you’re going to use an app as opposed to a hardware token, I think it’s better to put it on a separate device.
Seb Slaf says
Thanks for the article!
Bob Wilson says
I ordered the symantec token from Amazon on 1 January and I received it on January 8. Yesterday, I set up to use it at Schwab and Fidelity.
Schwab allows you to set it up online from your account. On their account security page, I removed text message authentication and set up token only. I then entered the ID number on my device. They allow more than one device so I added the Symantec app on my cell phone. They validated each of them by getting me to enter a code from the device. I then logged out of the account and logged in using each of the devices. No problem. So far.
Fidelity makes you call them to set up the device. The validated my call using my voice. I gave the Rep the code from the hardware device. He sent me a text message as a final check but he could not use a code from the device. I had him stay on the line while I logged out of my account and then logged in using the code from the device. That worked OK so we signed off.
I have a computer that I dedicate to finance transactions and I only access my accounts from it. I do not access using my cell phone for example. I haven’t tried again today but hopefully it’ll continue to work.
Pete says
You guys probably know this but for my android phone I need a USB cable to get setup with the Yubikey. I have no NFC on my phone (it’s not that old) & the Bluetooth method doesn’t seem to work
I got my Yubikeys , more than one. I assume it makes sense to go ahead & register all of them now? You don’t wait until you have a problem (lost your main key etc) and then register it, right? You want to be “ready to go” when you have that lost-key-problem so all you have to do is tap the spare/backup key, right? Thank you.
Harry Sit says
You should register at least two keys upfront. If you lose one key, you log in with the second key and register a third key as the new backup. Or you can register all three (or more) keys together.
Sam says
Harry, how about Merrill Edge? Can we use these hardware tokens with Merrill Edge? Thanks.
Harry Sit says
Merrill Edge doesn’t support them. It only sends codes but you can use a Google Voice number. The website 2fa.directory/us shows which 2-factor authentication methods are supported at an institution.
Sam says
Thx for the great list. Alliant & Andrews CU = No hardware. Shall I move my $ from Alliant Savings to Money Mkt Fund in Fido? Thx, Harry.
Sam says
The Symantec token has been out of stock on Amazon since early Jan at least. Any ideas on where else to buy it? We really want to buy it. Thanks.
Harry Sit says
Someone sells a different model on eBay for $10. It looks different but it works the same way.
https://www.ebay.com/itm/115266774587
Doug says
I just bought the Symantec VIP mini-token from eBay. A mistake. The date code on these hardware tokens is 8 years ago, and the batteries are said (by Symantec) to last 5-8 years. Batteries are NOT replaceable. I should have studied the photos more closely.
In general, it appears from my experience in dealing with these little hardware tokens that Symantec is not really interested in maintaining the hardware side of their VIP business. What little information you can find is years old – some even are just 404’s (e.g the actual ‘Help’ links in the desktop app).
Not impressed with Symantec here.
Jon Hale says
On the link to the manufacturers website, the $25 and $29 yubikeys are marked as “coming soon”. The next cheapest ones are about twice as much. Am I missing something?
Harry Sit says
If you click on one of them you’ll see a note saying “Security Key Series has been updated to black in 2023 with the same features as the Security Key Series in blue. Blue keys only available through partner sites.” You can sign up for an email notification of when the updated model becomes available. If you must buy one now, a third-party seller is selling the current blue key on Amazon at a markup.
Harry Sit says
The new model of Security Key NFC by Yubico is now available on Yubico’s website. The Symantec VIP hardware token is also back in stock at Amazon.
The White Coat Investor says
You can always be more secure. The hard part is deciding when enough is enough and convenience outweighs security.
Sam says
Can we use the same yubikey for both my husband’s account & my account? Or shall I buy 2 more yubikeys for my own separate use when logging into my own accounts?
Harry Sit says
The two of you can share the same two keys. Just like house keys, each person has one key. If you lose one key, the other person’s key serves as the backup before you replace your key.
Pat says
Good info.
I wonder why financial institutions don’t offer compatibility with Authenticator apps?
Harry Sit says
Morgan Stanley, T. Rowe Price, Betterment, Wealthfront, M1 Finance, and Robinhood all support authenticator apps.
SSA says
Note that Authy can run on multiple devices (mobile/desktop) and generate the same code. So, even if you lose your phone as long as you have it setup on pc or other devices, you could get your codes from there.
The external link for setting up the symantec token on yubikey also has steps to setup a soft token which can be used in Authy. You wouldn’t need a yubikey or the symantec device.
Sam says
My Credit Unions (Alliant & Andrews) use 2-step verif text/ SMS to my Google Voice #.
But once they “remember my device”, they no longer send verif code at login.
Ha! Is it still safe? What to do?
Harry Sit says
That’s fine. Someone logging in from a different device will look different and the credit union will ask for a security code.
Sam says
Talking about security, is it safe to leave my credit card / payment info on shopping sites like Amazon?
Shall I just delete my credit card info there, & instead, type my credit card number every single time I buy sth?
And then erase the credit card info afterwards? Thanks.
Harry Sit says
It’s OK to have a card on file with large shopping sites like Amazon. You have legal protection against unauthorized charges if Amazon is hacked.
Sam says
What are your thoughts on yubikey for iphone? We’re no celebrity, but shall we use it, too? Thanks
https://www.washingtonpost.com/technology/2023/01/30/iphone-security-keys/
Harry Sit says
I’m not sure what exactly it does for the iPhone. Does it replace the Face ID or fingerprint to unlock the phone? I prefer to keep the security keys safely at home and not take it everywhere I go. As long as you don’t have to also carry the security key when you go out, feel free to experiment.
Jon Hale says
Harry,
When you say that you prefer to leave your yubikey at home, does that mean that you only access sites like vanguard from your home? Or is there something that I am missing here?
Thanks
Harry Sit says
I went hiking yesterday. I didn’t take my Yubikey but I took my phone. I want something that sees the outside world much less often than my phone. It’s less likely to be lost, stolen, or damaged that way. I’ll take my Yubikey if I’m going on a road trip for a month and I think I might need to access Vanguard during that time, but otherwise the Yubikey just sits in my desk drawer most of the time. Home or office doesn’t matter. I just want it to sit still somewhere.
S M says
I am confused about purchasing a Symantec VIP hardware token for my Schwab account.
This URL says Schwab provides them for free:
https://intelligent.schwab.com/page/agreements/mobile-schwabsafe
Can Schwab use any Symantec VIP token, or does it have to be one Schwab mails to you?
Harry Sit says
If Schwab still provides one for free, obviously get it from Schwab. Schwab can also use a generic Symantec VIP token. See comment #19.
Allan says
You may want to update your article to read that Yubico also has a model with USB-C connector for $4 more which you will need on new MacBook Air’s that only have USB-C ports.
Harry Sit says
Thank you for the suggestion. I updated the embedded images to show both models. The link to the manufacturer’s store also shows both models.
Allan says
I am waiting on a callback from Vanguard’s technical people on whether you can share 2 Yubikeys between my account and my wife’s account. I’ll get back with you and let you know what they say.
Allan says
Sorry, I didn’t read question #25 which you answered that 2 people can share 2 keys. I hope Vanguard tech staff say the same thing.
Harry Sit says
It works. My wife and I share the same two keys under our two Vanguard logins. My key works as the backup for her login and her key works as the backup for my login.
Jim says
Thank you for this post. It was hugely helpful. My Yubikeys arrived this morning (thank you for suggesting the cheapest). I assigned passwords to the FIDO2 function on both keys and registered them with Vanguard with no issues. It actually took me longer to change my phone number to my Google number than to register the Yubikeys. Up next – registering my Yubikeys with Google, Lastpass and Protonmail.
Mark says
Ugh, LastPass. They had a poorly-handled data breach, and I abandoned them after like 10 years as a faithful customer. Now I use 1Password. You know what? 1Password is awesome, and kicks LastPass’s butt. Great thing? They credited me with the remaining time on my LP subscription, so the first year was only about 1/4 the usual price. And I repeat: 1P is f’ing awesome!
Daniel Holschneider says
I spoke with Fidelity, then their back office. They allow the Symantec VIP access with the installed phone app. In this case, the login recognizes both the Symantec generated code and the unique hardware (phone). Thus, one couldn’t try to login from a different phone.
Fidelity did not seem to know anything about the Symantec hardware token.
Allan says
Harry,
Heads up on using new Yubico Security Key C NFC with new Apple 15″ MacBook Air with macOS Ventura 13.5 operating system.
I was unsuccessful at adding any security keys to my account with Vanguard. They say it is because of Safari. I spent one hour with their technical people with no luck. They recognize the issue with Safari but don’t have a work around yet.
Vanguard recommended I load Chrome on my computer, which I will not do.
I’d be interested if anyone else has had an issue with Mac IOS 13.5 and security keys.
Harry Sit says
Vanguard requires a PIN on the Yubikey. If it’s related to not being able to set a PIN through Safari before the first use, you can try setting a PIN with the Yubikey Manager app:
https://www.yubico.com/support/download/yubikey-manager/
After the Yubikey already has a PIN, try Safari again.
always_gone says
Like Harry said, add a pin to your Yubikeys.
Also, dump both Chrome *and* Safari and use Firefox.
Allan says
That doesn’t appear to be the problem. I get to the screen where you plug in the Yubikey and nothing happens. The key blinks once, then nothing. It just sits at that screen. It doesn’t say accepted or any next step. I let the computer sit with the key in the USB-C port at that step for about one minute, then it kicks me off that page and takes me back to “name your key” page.
I get nothing about name a PIN or input a PIN.
Harry Sit says
It does appear to be the problem then. The normal sequence should be the browser asking for the PIN when the Yubikey has it or prompting you to set a PIN when it doesn’t have one set. Safari isn’t doing that second part. Try setting a PIN to the Yubikey outside Safari. Then see if Safari will ask for the PIN.
always_gone says
re: Authenticator apps on a phone which is lost or its software crashes: Always backup the seed code for each TOTP somewhere secure, like a password manager/Secure Notes. With the code backed up, loss of the phone won’t prevent regenerating the code in a new authenticator app or an online TOTP generator.
Harry is spot on – our phones are always with us, which is both a blessing and a curse when it comes to second factors.
SSA says
If you use the authy app, you can set it up on multiple devices and get the same code from multiple devices. So, as long as you have access to one of the devices with authy, you would still get the second factor.
Authy has been like this forever.
Google authenticator only recently added a similar feature – https://www.theverge.com/2023/4/24/23696058/google-authenticator-app-account-syncing-multiple-devices.
Allan says
I downloaded Yubikey Manager and set my PINs on both my keys (successfully). Went back and tried to set the keys in my Vanguard account and had no luck. Their site didn’t act any differently than when the keys didn’t have a PIN assigned.
I guess I’ll just have to wait until Vanguard fixes their site to work properly with Safari, which in my experience with Vanguard, will be never.
always_gone says
I’ve had loads of trouble with Safari and Yubikeys. It’s the main reason I left it for Firefox, as my security trumps browser devotion.
jon says
I have had a few issues with cookies on the Vanguard site. Before giving up on them completely, you might try clearing your cache, just to see if that helps you out.
Paul says
What are security recommendations for the TreasuryDirect site? Thanks.
Harry Sit says
TreasuryDirect only offers one-time passcodes through email. Secure your email with Yubikeys. See links in the “Add Yubikey to Email Accounts” section.
Paul says
I set up my security token with Fidelity, which works great. Now just set up my desktop Yubikey with Vanguard and use only desktop for financial access. Novice question: If I also set up for my Google, including email, how can I access Google using my iPad? It seems cumbersome to use a large key for iPad – why don’t they also offer a small nano plug in for tablets?
Harry Sit says
If you use the gmail app on your iPad, you only need to log in once. I don’t remember what exactly I had to do to make it work but it wasn’t difficult when I had a phone that was already authenticated. Just follow the instructions when you launch the gmail app on the iPad.
Paul says
Thanks for your help, Harry. I’m going in circles with Vanguard trying to deactivate the passcode now that I have the passkey set up. They made me deactivate the passkey first so they could deactivate the passcode. Then they required the passcode be set up to install the passkey!
The bottom line is that, after working up through a supervisor, they insisted that the passcode has to be the backup (not a second passkey). Doesn’t this defeat the purpose of installing the passkey? Also, their sign in requests passkey but gives passcode as another option!
Harry Sit says
I deactivated the security code online after I registered two Yubikeys. I didn’t need to call. The Vanguard website doesn’t give security code as an option for my login (because it isn’t activated).
Paul says
Thanks, but that didn’t work. Even after I set up two keys, a week later it still showed “enrolled” passcode with a lock image next to it. I was forced to call in and they were very adamant that they must leave the passcode active.
Harry Sit says
Someone said you can’t disable the security code if you have a workplace retirement account such as a 401k with Vanguard. You can only disable it if you have just personal accounts.
Paul says
These are not workplace retirement accounts. I guess I’ll just have to keep calling and messaging until I find someone that knows how to do this. I also sent a message to Yubikey, since they advertise on their site that it works with Vanguard. I’ve been with Vanguard for a long time, so disappointed in this service. Thanks Harry.
Autumn says
Hi,
I have just discovered this helpful article and even more helpful comments. I would like to ask a few questions:
– Harry says to protect financial accounts, but what kind of accounts fall under this definition? TreasuryDirect was mentioned in the comments, but I think that SSA.gov accounts and HR Block, TT online or any other tax return preparation accounts should be locked as well. These would be in addition to brokerage accounts and banks where people have their checking/saving accounts.
– Should people also secure credit cards? Harry responded to someone’s question about keeping a CC on Amazon’s account because of legal/financial protections. Since CC companies will always reverse fraudulent charges, it makes me think that perhaps I’m OK not updating my profile with them and giving my new Google Voice number and Gmail. What are your thoughts?
– I didn’t see any mention of the limit of the accounts that can be registered on the same set of Yubikeys (3-4 keys=1 set). Is there a limit?
– I would like to update security on all my accounts too but without going crazy. For example, some people use Yubikeys to secure Vanguard accounts and they also secure Google Voice and Gmail accounts. Then they use Symantec keys for other institutions or some authentication apps, etc… Would it suffice to protect my Gmail and GV accounts with Yubikeys and then enable 2FA at all ‘financial’ places to send a passcode to the GV# (with no forwarding to Gmail) for logins and paperless documents be sent to the Gmail account? This way I wouldn’t need to buy a variety of hardware tokens and confuse myself. When people get older, they wish to simplify, not complicate, things, IMO.
– Somebody mentioned that Symantec VIP keys have a battery life of 5-8 years. Do Yubikeys also contain batteries? If so, can they be changed and what’s their lifespan?
TIA!
Jamie Cox says
I was unable to register Symantec VIP hardware token(s) with Fidelity. On the phone, the rep denied any support for such a thing. The best I could do was the Symantec VIP iPhone app for 2FA.
Maybe something has changed, but that just flat did not work.
Harry Sit says
You don’t have to say whether it’s a hardware token or a phone app. Just say you’re registering Symantec VIP and give the serial number. Treat the hardware token as a phone app. It makes no difference to Fidelity.
Jamie Cox says
Harry, thanks for the reply.
Fidelity wouldn’t/couldn’t accept the serial number from the hardware token. It is in a different format from the phone app ID, and they tried putting it in their computer but failed. My phone ID begins with SYMC. The hardware token begins with FT. Not the same. I have the blue Symantec tokens, just like the photos in this blog post.
I also could not find one word on Fidelity’s site about using a hardware token.
Harry Sit says
My hardware token still works even though Fidelity doesn’t say a word about it on its website. There’s a yellow test button on Symantec’s website:
https://vip.symantec.com/
You can test your hardware token there. If it fails, the problem isn’t specific to Fidelity. If it passes, maybe give it a second chance just in case the rep typed the serial number wrong. If it still doesn’t work, the Fidelity setup must have changed.
Peter Sramka says
Vanguard’s security key support is broken. When logging in, you are asked for your security key. However, there is also an option to bypass the security key and get a code via SMS on your phone. Basically, anyone trying to access your account can easily (and in a user-friendly way), completely bypass security key validation.
I talked to Vanguard about this. They said they had an option to disable SMS security codes if you have two security keys. I bought two security keys and went with this option. The only problem is that it doesn’t work properly. For a few days, I had to use a security key to login. Then, for whatever reason, it went back to allowing a bypass of the security keys with a code via SMS.
always_gone says
Switch your SMS code number to a Google Voice VOIP number protected by, you guessed it, a security key.
Peter Sramka says
I already did, but thanks for providing this information for anyone else who reads these comments.
Peter Sramka says
The Vanguard mobile app never checks for a Yubikey. Thus, the Yubikey is essentially useless with Vanguard. You might feel more secure with a Yubikey on Vanguard, but you aren’t.
Peter Sramka says
In case you are wondering if the Vanguard mobile app can do everything the website can, the answer is yes, because you can access the full website from the Vanguard mobile app without actually logging into the website.