Most financial institutions have some form of two-factor authentication (“2FA”) when you log in online. They ask for something besides your username and password. Some places do it every time you log in; some places do it only when you log in from an unrecognized device. Some places use a mobile app as the second factor; some places send a code to your email or a text message to your mobile phone number.
SIM Swapping Risk
I had set up 2FA with Vanguard to have them text the authentication code to my Google Voice number. I gave Vanguard my Google Voice number instead of my regular mobile phone number because a Google Voice number doesn’t have a SIM card, and therefore it’s less susceptible to SIM swapping attacks.
In a SIM swapping scam, criminals convince your mobile phone carrier that you lost your phone and that your phone number needs to be moved onto a new SIM card, one they control. After they take over your phone number, they can go through the “forgot password” process with your online accounts, because they’re now able to receive the authentication codes sent to your mobile number.
Although having text messages sent to a mobile phone number is better than not having any 2FA, and the risk of SIM swapping is small, I don’t want this risk. I don’t have my Google Voice number forward any calls or text messages to a cellphone number. All calls and texts to the Google Voice number stay in the Google Voice app on my phone. If criminals SIM swapped my real mobile number, they still couldn’t receive the authentication codes.
I tried to log in to my Vanguard account last week to see when my tax forms would be available, but this time the authentication code never came. I clicked on the resend link, but the code still didn’t come. Meanwhile, authentication codes from other places came to my Google Voice number just fine. So I knew the problem had to do with Vanguard, not Google Voice or my phone.
Vanguard had the option to resend the authentication code by an automated voice call. When I chose that option, the voice call came, and I was able to get the authentication code from the voice call and log in that way. Phew!
I searched online and I saw others had the same problem. Vanguard had problems sending authentication codes to Google Voice numbers for some reason. Without the authentication code, I won’t be able to log in. One obvious option would be to switch the 2FA setup to a regular mobile number. Vanguard doesn’t have any problem sending authentication codes to regular mobile numbers. I don’t want to do that because I’d like to avoid getting SIM swapped.
At this moment, Vanguard has no problem making automated voice calls to Google Voice numbers. For the time being, I switched to receiving voice calls to my Google Voice number.
In addition to sending security codes by text messages or voice calls, Vanguard also supports using a hardware security key. They don’t give or sell security keys to customers. You’d have to buy it on your own.
Vanguard specifically mentions security keys made by a company called Yubico. The least expensive key from Yubico’s website costs $25 or $29.
The $25 model works with computers with a rectangular USB port (“USB-A”). The $29 model works with computers with a smaller USB-C port. Both models work with mobile phones that have NFC (iPads don’t have NFC). Yubico also makes other more expensive models ($45 – $70) that have more features not required by Vanguard.
Less expensive security keys made by other companies that support the same industry standard (“FIDO U2F”) may also work, but I would stick to the name brand for a security device. If Vanguard stops making voice calls to my Google Voice number, I will buy two YubiKeys.