Most financial institutions have some form of two-factor authentication (“2FA”) when you log in online. They ask for something besides your user name and password. Some places do it every time you log in; some places do it only when you log in from an unrecognized device. Some places use a hardware device or a mobile app as the second factor; some places send a code to your email or a text message to your mobile phone number. See the previous post Protect Your Investment Accounts With A Security Token: Fidelity, Schwab, E*Trade, Vanguard.
SIM Swapping Risk
I had set up 2FA with Vanguard to have them text the authentication code to my Google Voice number. I gave Vanguard my Google Voice number instead of my regular mobile phone number because a Google Voice number doesn’t have a SIM card, and therefore it’s less susceptible to SIM swapping attacks. In a SIM swapping scam, criminals convince your mobile phone carrier that you lost your phone and you need to put your phone number onto a new SIM card they control. After they take over your phone number, they can go through the “forgot password” process with your online accounts when they’re able to receive authentication codes sent to your mobile number.
Although having text messages sent to a mobile phone number is better than not having any 2FA, and the risk of SIM swapping is small, I don’t want this risk. I don’t have my Google Voice number forward any calls or text messages to a cellphone number. All calls and texts to the Google Voice number stay in the Google Voice app on my phone. If criminals SIM swapped my real mobile number, they still can’t receive the authentication codes.
I tried to log in to my Vanguard account last week to see when my tax forms would be available, but this time the authentication code never came. I clicked on the resend link, but the code still didn’t come. Meanwhile, authentication codes from other places came to my Google Voice number just fine. So I knew the problem had to do with Vanguard, not Google Voice or my phone.
Vanguard had an option to resend the authentication code by an automated voice call. When I chose that option, the voice call came, and I was able to get the authentication code from the voice call and log in that way. Phew!
I searched online and I saw others had the same problem. It wasn’t a one-time glitch. Vanguard stopped sending authentication codes to Google Voice numbers for some reason. Without the authentication code, I won’t be able to log in. One obvious option would be to switch the 2FA setup to a regular mobile number. Vanguard still sends authentication codes to regular mobile numbers, just not to Google Voice numbers. I don’t want to do that because I’d like to avoid getting SIM swapped.
Voice Call
At this moment, Vanguard is still making automated voice calls to Google Voice numbers. I can change the setup from receiving a text message to getting a voice call. However, if Vanguard stopped sending text messages to Google Voice numbers because they don’t trust Google Voice numbers, it’s possible they will stop making voice calls to those numbers as well.
For the time being, I switched to receiving voice calls to my Google Voice number. It works in the short term but there’s a risk it will stop working any day.
Security Key
In addition to sending security codes by text messages or voice calls, Vanguard also supports using a hardware security key. They don’t give or sell security keys to customers. You’d have to buy it on your own.
Vanguard specifically mentions security keys made by a company called Yubico. The least expensive key from Yubico is Yubico Security Key for $20 or Yubico Security Key NFC for $24.50.
The $20 model works only with computers with a rectangular USB port (“USB-A”). The $24.50 model also works with mobile phones that have NFC. Yubico also makes other more expensive models ($45 – $70) that plug into different ports and have more features not required by Vanguard. Vanguard says they don’t support the latest YubiKey 5Ci model ($70).
Less expensive security keys made by other companies that support the same industry standard (“FIDO U2F”) may also work, but for a security device, I would stick to the name brand. If Vanguard stops making voice calls to my Google Voice number, I will buy the Yubico Security Key NFC for $24.50. Although I don’t use the Vanguard mobile app right now, I’m OK with paying an extra $5 to leave that option open.
Security Code as Backup
After you set up the security key with Vanguard, Vanguard will still use security codes by text message or voice call as a backup in case you don’t have the security key with you when you want to log in. Some security-minded people don’t like that, because it defeats the purpose of having a security key when someone can easily bypass it with a simple click saying they don’t have the security key with them and Vanguard will fall back to sending a text message or making a voice call.
However, if you set the phone number for the security code to a Google Voice number, Vanguard won’t send a text message there. They may not make a voice call there either in the near future. This will make the security key the only 2FA mechanism and it can’t be bypassed. Just make sure not to lose your security key when there’s no fallback. Or register two security keys and keep them in separate places.
Say No To Management Fees
If you are paying an advisor a percentage of your assets, you are paying 5-10x too much. Learn how to find an independent advisor, pay for advice, and only the advice.
Carrie says
I am now thoroughly convinced I should move my remaining Vanguard accounts to Fidelity. Fidelity has more options for 2FA.
ERIC GOLD says
“Vanguard had an option to resend the authentication code by an automated voice call. When I chose that option, the voice call came, and I was able to get the authentication code from the voice call and log in that way. Phew!”
I’m unclear on this point. Did Vanguard call your SIM number or your Google Voice number ? Did you answer the call using the Google Voice app or the phone app ? I’m wondering if a SIM swap scam would have worked at this point.
Harry Sit says
Vanguard called the Google Voice number. I answered in the Google Voice app. I had in my Google Voice settings not to forward any calls or texts.
Dan says
I had exactly the same experience with Vanguard last week–I requested my authentication code be forwarded to my Google Voice number, which I had set up a couple of years ago to thwart possible SIM-swapping attacks. It had always worked previously, but this time the code never arrived, so I requested it be sent again. Never received anything so I had to call Vanguard, go through authentication, and reset the security on my profile in order to gain access to my accounts. I do have a Thetis security key that meets the U2F and FIDO requirements, but I was put off by the statement, “When you register a security key, we have to change your security code settings from “Only when Vanguard doesn’t recognize my computer or device” to “Every time I log on.” “. There should be an option to retain only when Vanguard doesn’t recognize my computer. Even though Vanguard funds are the best, their user interface seems to be getting worse every year. I guess the low fees do have a hidden cost.
ERIC GOLD says
@Dan,
My Schwab account sounds similar. I have a hardware key I have to use any time I login to my account from my computer. It is annoying enough that I use my phone instead, since I have it set up rely on fingerprint as the second factor.
I’m a fan of biometric second factor, so much so that I made it a priority in my laptop purchase. Unfortunately businesses have been slow to catch on and use the functionality outside of phones.
always_gone says
I’ve used a Yubikey for years with Vanguard. I agree, the way they have it setup, so a backup code can always be requested, is not very secure at all. I’ve asked them to remove that option for my account, but they only said they’d look into it.
By the way, they offer to store four keys, like Google does . . . So I have four Yubikeys. One in my wallet and three stored away in case one is lost or damaged.
DB says
Harry,
Like you, I too had trouble receiving security codes to my Google voice number last week and had to fall back to a voice call. However, that may have been a one time glitch. When I logged in 4 days ago, I was able to receive the text code to the same GV number.
It’s happened with at least one other financial institution for me. Sometimes texts do not work, but voice calls to. But then text functionality starts working again.
KD says
The weirdness of it all is that aggregator services (Mint, Quicken, Emoney etc) once authenticated continued without a hitch. Of course, no transactions, messaging, retrieving tax documents can be done. Because of aggregator services, I tend to not log into my account very often. I tend to do fewer than 10 transactions in my account (typical 2 in a year, if that). Financial account security is a larger concern in the past few years. I wish there was a voice recognition that can be enabled for transactions – right on the website where you read aloud a sentence (in an image so no automated stuff can work) for extra security. That way if anyone gets into the account they cannot transact.
Harry Sit says
I heard the aggregators have a special arrangement with the financial institutions. They use your password to obtain a token. After that, they use the token to retrieve your balance and transactions. Financial institutions are comfortable with it because the token only has read-only access.
Deskandchairs says
I am having a related situation with Wells Fargo, when attempting to add an additional financial institution to those authorized for online transfers from my account. They recently added a 2FA requirement for this, in addition to test deposits. They will only use text to transmit the code, not voice or email. I have called them to confirm these options are not available
Pete says
I’ve seen boglehead discussions that sharing your credentials with an aggregator violates Vanguard’s fraud policy. I quote from the Vanguard website: “Be aware of the risks of sharing your account information: If you share your vanguard.com username and password, or if you allow someone to access your account information, activities performed with your shared or accessed credentials or information may be considered authorized. ” Additionally, Vanguard states “Don’t store your password or answers to security questions on the computer or device you use to access your Vanguard accounts.” Just to be safe I store my credentials in a password manager on a removable USB and not in the password manager on my computer.
Deskandchairs says
And yet, Vanguard offers account aggregator Yodlee service on their website (which requires user name and password for each non-Vanguard account)
Novoip says
It’s VOIP numbers that Vanguard and others don’t play nice with. I don’t know the reason but that’s the issue.
Jim says
Vanguard had some technical problems with VOIP numbers, but now they came back and work just fine. Interestingly, Vanguard doesn’t accept Google Voice numbers for notifications, only for 2FA codes. Don’t know why.
Enroll your google account in Advanced Protection Program, and that way you’ll have your Vanguard account protected solely by YubiKeys.
When you call Vanguard, they identify you by voice first, if you have that set up, then by security questions, then by account number, in that order. Only one is needed to pass the verification.
Set up notifications. Very important. You can reverse fraudulent transactions if caught early.
Tried the ‘log in only from trusted devices’ option, but that didn’t really work too well. About every couple of weeks, my computer ended up being not recognized. Good thing that I had also trusted both of my iPhones, that way I was able to still log in and disable this feature.
abc says
How did you determine the risk was lower using a Google Voice number rather than your mobile number? Can you provide some references on the topic?
Dan says
Speaking only for myself, Google Voice can’t be SIM swapped, and that is the greatest risk that I am trying to defeat.
OldAndInTheWay says
(I changed https to hxxps)
“The SIM Swapping Bible: What To Do When SIM-Swapping Happens To You”
hxxps://medium.com/mycrypto/what-to-do-when-sim-swapping-happens-to-you-1367f296ef4d#47a2
“How to Protect Yourself From SIM Swapping Hacks”
hxxps://vice.com/en/article/zm8a9y/how-to-protect-yourself-from-sim-swapping-hacks
“I was scammed into giving away my verification code & someone used my cell # to setup a google voice”
hxxps://support.google.com/voice/thread/1035901/i-was-scammed-into-giving-away-my-verification-code-someone-used-my-cell-to-setup-a-google-voice?hl=en
abc says
OldAndInTheWay,
Thanks for the links. This is the kind of info I was looking for when I initially posted – “Can you provide some references on the topic?”
OldAndInTheWay says
Here is another one…
“Using Google Voice instead of your mobile number for 2FA”
hxxps://forums.grc.com/threads/using-google-voice-instead-of-your-mobile-number-for-2fa.799/
abc says
OldAndInTheWay,
Good discussion. As an alternative to a separate Google Voice used only for critical accounts, do you have an opinion on having a separate mobile phone line only for critical accounts?
OldAndInTheWay says
“As an alternative to a separate Google Voice used only for critical accounts, do you have an opinion on having a separate mobile phone line only for critical accounts?”
No, I am still trying to wrap my head around this and not making it supper difficult for my wife when I am spread on a mountain top. She is supper smart except all this tech stuff.
I will be buying a pair of Yubico keys just for our VG investment account. hxxps://slickdeals.net/coupons/yubico/ or waiting till the Black Friday deals also on Slickdeals.
The last BF on SD had 2 keys half price, 2 for $45 instead of $90.
hxxps://slickdeals.net/f/15242767-yubico-yubikey-5-nfc-2-factor-authentication-security-keys-usb-c-2-for-55-usb-a-2-for-45-free-shipping?src=SiteSearchV2Algo1
OldAndInTheWay says
“As an alternative to a separate Google Voice used only for critical accounts, do you have an opinion on having a separate mobile phone line only for critical accounts?”
No, still trying to wrap my head around that and to make sure it does not cause any problem for my next of kin. Also what happens when a phone is lost/stolen/broken/upgraded.
abc says
Dan,
The question is how Harry determined that a SIM swap was a greater risk than using a VOIP (Google Voice). At least some organizations have not allowed the use of Google Voice. Is that because there is a greater risk with Google Voice than with a mobile phone? Or, is there another reason.
At one point Fidelity would not allow the use of Google Voice, even though I was able to use it for FidSafe. At the time I complained to Fidelity and they said they would not allow for security reasons.
I am hoping Harry has some sources that compare the risks upon which he made his decision that Google Voice was better.
Harry Sit says
Some financial institutions don’t like VOIP numbers because they can’t be sure who’s behind that number. Identity thieves outside the country are able to get VOIP numbers in the U.S. more easily and in larger volumes than they can sign up for actual mobile numbers. That’s not a concern for me as an individual customer. I know that’s my own Google Voice number and no one else is able to access or hijack that number when I secured my Google account with a hardware key or an authenticator app. Meanwhile, my actual mobile number can be moved to a different SIM card by a customer service rep tricked by social engineering. That’s out of my control.
Basically I have more confidence in this specific VOIP number than financial institutions have confidence in generic VOIP numbers.
abc says
Harry,
Thank you for the clear and timely explanation. I was looking on the internet for a site that would compare risks between Google Voice and a mobile phone. I did not find an answer. I now better understand how you made the determination for your use.
Seb says
Thanks for posting this, this was starting to drive me nuts. I do not have a Google Voice number, but I’m traveling abroad and I had to use a different SIM card.
I registered my new, foreign phone number in the Security page on vanguard.com, from my laptop. This appeared to work, and when I try to buy/sell securities *from my laptop* for example, I’m receiving a security code to my new number outside the US.
This does not work at all from my phone itself. The red “security code” screen shows that it is supposedly sending the code to my new number, but I highly suspect this feature is broken and it is either not working, or sending it to my old number in the USA, that they probably still have on record.
I tried to disabled security codes altogether (*ugh*), and I did so on my laptop. Ironically, I received a TXT message almost immediately to my foreign phone number confirming that security codes had been disabled, further proof I *can* receive TXT from them at that number.
But when I tried to use the app from my phone, Vanguard *forced* me to re-enable security codes. This is really frustrating considering it just doesn’t work. I set up the security code feature once again, but this time from my phone, entering my foreign number there. And it worked… ONLY ONCE. The set up screen did trigger a security code being sent to my new number for confirmation. However, when I closed the app and tried to access the “buy, sell & exchange” section, it was once again broken — the security code screen just does not seem to be sending anything. The *setup* screen apparently did, but not the regular security code screen. Either way this did not help.
Chris Johnson says
I’ve never had a problem with my Google Voice number receiving 2FA texts from Vanguard. I’d like to register security keys, but Vanguard doesn’t recognize Safari on macOS (or iPadOS or iOS, for that matter) as supporting security keys. Safari has supported security keys for some time, but Vanguard seems to allow only the browsers that supported security keys at the time they first implemented support.
Vanguard could support security keys in their mobile apps, but I don’t see that happening any time soon.
AP says
lot of financial institutions are now stopping sending SMS codes to Gvoice numbers, citing “security risks”… ironic.
Ed W. says
This comment from Vanguard’s website indicates that you can now disable the backup security codes:
“You can permanently disable security codes for certain account types if you enroll two security keys: one as a primary and one as a backup. You’ll use your primary key at log in to access your account. Keep your backup key in a safe location that you can access if your primary key is lost, stolen, or broken.”
(From https://personal.vanguard.com/us/U2FKeyEnrollment#/welcome)
Roger H. says
It appears that “permanently” isn’t really permanent. I set up two security keys and then disabled the security code option on my Vanguard account. Then I tried to log in to my account using the mobile app on my iPad WITHOUT using a key as a test. The Vanguard app detected there was no key inserted and asked if I wanted to send a code to my registered phone number. I selected the option to do so and received the code a few moments later. So much for permanently opting out of receiving security codes. It would appear that having a security key provides a false sense of security.
Chris Johnson says
I suspect security keys will stop working altogether at Vanguard at some point. The last time I checked, they supported only the older U2F standard, not the more modern WebAuthn. Google Chrome has deprecated U2F and announced that at some point it’ll no longer work. (That may have happened already.)
In any case, as you point out, SMS will always be a fallback for when security keys aren’t supported, like on the mobile apps. If Vanguard had a modern system, they could support all major browsers and also mobile apps, but if they continue to support only U2F, they may end up supporting nothing soon.