This is a little crazy. I can stop someone from logging into my web email account because it requires a 6-digit code that changes every 30 seconds (gmail 2-step verification), but I can’t stop someone from logging into my bank account if they got my user name and password.
Some places ask those stupid security questions. What’s your favorite blah? My favorite changes. What was my favorite when I signed up ten years ago? What’s the first name of your maternal grandfather? None of your business! Where should I keep a list of all the answers I made up for each place?
Fortunately some companies have better sense and do it the right way: they offer security tokens for 2-factor authentication.
E*Trade has been offering the security token for at least 10 years. Nowadays you can also get the token on your mobile phone or computer. Just fire up the Symantec VIP Access app and you will have your code, a 6-digit number that changes every 30 seconds, just like the Gmail one. You add the 6-digit code to the end of your password when you log in.
One small problem with the app on the phone is that whenever you change to a different phone, you get a new credential ID on the new phone. You will have to call customer service and have them update the credential ID linked to your account. If you’d rather have a stable credential ID, you can get a hardware token from E*Trade or just buy one on your own on Amazon for $25. Of course the hardware token is a separate piece you would have to keep. Some people actually prefer that to tying everything to a phone.
Call E*Trade customer service to register your credential ID or request the hardware token.
Schwab also uses the Symantec VIP system. Again you have a choice between the mobile app or the hardware security token. Among all the places that use Symantec VIP, you only need one app or one hardware token: the same credential ID can be registered on multiple accounts at different places.
Call Schwab customer service to register your credential ID or request the hardware token.
Fidelity also uses the Symantec VIP system but Fidelity doesn’t send out hardware tokens. If you prefer a hardware token you can still use one if you already have it (from E*Trade, Schwab, or bought on your own).
After you call customer service to register your credential ID, the next time you log in you will see a second screen asking for the 6-digit code from the Symantec app or the hardware token. This is different from E*Trade and Schwab, where you append the 6-digit code to the end of your password.
Vanguard doesn’t use the Symantec VIP system. They offer the option to use a Yubikey FIDO U2F Security Key, which you will have to buy on your own ($18 on Amazon).
This security key doesn’t display anything. When you log in you plug it into your computer and tap the center circle. It interacts with the Vanguard website through the browser, signing a challenge that is tied to the site you are actually on, which is why a look-alike phishing site can’t reuse it the way it can reuse a typed 6-digit code. At the time of writing you have to use the Chrome browser; it doesn’t work with other browsers, nor on a tablet or mobile phone (no place to plug it in). The Symantec VIP system used by the other brokers is more versatile.
If you don’t like the limitations of the USB security key, you can have the system send you a code by text message. If you don’t have or don’t like text messages, you can get a Google Voice number; text messages sent to the Google Voice number show up in Google Voice online or in the Google Voice app on your smartphone. Keep in mind that text-message codes are the weakest of these options: anyone who gets control of your phone number, or of the Google account behind the Google Voice number, receives them too, and whichever fallback you enable is the one an attacker will target.
What About Others?
Why don’t more financial institutions offer 2-factor authentication with security tokens?
There’s clearly a cost involved. Symantec says this about its service:
Symantec Validation and ID Protection Service is priced as a service, with customers subscribing on either a per-user or a per-transaction basis. Customers can choose to pay based on either the number of active users each month, a specified number of users for a year, or the monthly volume of validation transactions. Customers have the option of deploying hardware tokens at an additional cost per token.
Then there’s the customer service cost of resetting lockouts or replacing lost tokens. That’s why none of the companies offers the token by default. You get it only if you care enough about security.
If you have accounts at Fidelity, Schwab, E*Trade, or Vanguard, get the hardware token or use the free mobile or desktop app; fall back to codes by text message only if neither of those works for you.
[Photo credit: Flickr user Edwin Sarmiento]