Most financial institutions have some form of two-factor authentication (“2FA”) when you log in online. They ask for something besides your user name and password. Some places do it every time you log in; some places do it only when you log in from an unrecognized device. Some places use a hardware device or a mobile app as the second factor; some places send a code to your email or a text message to your mobile phone number. See the previous post Protect Your Investment Accounts With A Security Token: Fidelity, Schwab, E*Trade, Vanguard.
SIM Swapping Risk
I had set up 2FA with Vanguard to have them text the authentication code to my Google Voice number. I gave Vanguard my Google Voice number instead of my regular mobile phone number because a Google Voice number doesn’t have a SIM card, and therefore it’s less susceptible to SIM swapping attacks. In a SIM swapping scam, criminals convince your mobile phone carrier that you lost your phone and need your phone number moved onto a new SIM card they control. Once they have taken over your phone number, they receive any authentication codes sent to it, which lets them go through the “forgot password” process with your online accounts.
Although having text messages sent to a mobile phone number is better than not having any 2FA, and the risk of SIM swapping is small, I don’t want this risk. I don’t have my Google Voice number forward any calls or text messages to a cellphone number. All calls and texts to the Google Voice number stay in the Google Voice app on my phone. If criminals SIM swapped my real mobile number, they still can’t receive the authentication codes.
I tried to log in to my Vanguard account last week to see when my tax forms would be available, but this time the authentication code never came. I clicked on the resend link, but the code still didn’t come. Meanwhile, authentication codes from other places came to my Google Voice number just fine. So I knew the problem had to do with Vanguard, not Google Voice or my phone.
Vanguard had an option to resend the authentication code by an automated voice call. When I chose that option, the voice call came, and I was able to get the authentication code from the voice call and log in that way. Phew!
I searched online and I saw others had the same problem. It wasn’t a one-time glitch. Vanguard stopped sending authentication codes to Google Voice numbers for some reason. Without the authentication code, I won’t be able to log in. One obvious option would be to switch the 2FA setup to a regular mobile number. Vanguard still sends authentication codes to regular mobile numbers, just not to Google Voice numbers. I don’t want to do that because I’d like to avoid getting SIM swapped.
At this moment, Vanguard is still making automated voice calls to Google Voice numbers. I can change the setup from receiving a text message to getting a voice call. However, if Vanguard stopped sending text messages to Google Voice numbers because they don’t trust Google Voice numbers, it’s possible they will stop making voice calls to those numbers as well.
For the time being, I switched to receiving voice calls to my Google Voice number. It works in the short term but there’s a risk it will stop working any day.
In addition to sending security codes by text messages or voice calls, Vanguard also supports using a hardware security key. They don’t give or sell security keys to customers. You’d have to buy it on your own.
Yubico’s $20 Security Key model works only with computers with a rectangular USB port (“USB-A”). The $24.50 model also works with mobile phones that have NFC. Yubico also makes other more expensive models ($45 – $70) that plug into different ports and have more features not required by Vanguard. Vanguard says they don’t support the latest YubiKey 5Ci model ($70).
Less expensive security keys made by other companies that support the same industry standard (“FIDO U2F”) may also work, but for a security device, I would stick to the name brand. If Vanguard stops making voice calls to my Google Voice number, I will buy the Yubico Security Key NFC for $24.50. Although I don’t use the Vanguard mobile app right now, I’m OK with paying an extra $5 to leave that option open.
Security Code as Backup
After you set up the security key with Vanguard, Vanguard will still use security codes by text message or voice call as a backup in case you don’t have the security key with you when you want to log in. Some security-minded people don’t like that, because it defeats the purpose of having a security key: anyone can bypass it with a simple click saying they don’t have the security key with them, and Vanguard will fall back to sending a text message or making a voice call.
However, if you set the phone number for the security code to a Google Voice number, Vanguard won’t send a text message there. They may not make a voice call there either in the near future. This will make the security key the only 2FA mechanism and it can’t be bypassed. Just make sure not to lose your security key when there’s no fallback. Or register two security keys and keep them in separate places.
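To make the reasoning above concrete, here is a small threat-model sketch added for this post (not Vanguard’s code or configuration). It models each way of passing 2FA as the set of capabilities needed for it and shows why a security key with a code fallback to a regular mobile number adds nothing against SIM swapping, while a fallback number that the provider no longer delivers codes to leaves the key as the only path. The capability names, the `DEFAULT_DELIVERY` table and the `Setup` class are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed lookup: which capability lets codes sent to a number type be read.
# A SIM swap captures SMS and voice calls to a carrier number; a Google Voice number
# has no SIM, so only access to the Google Voice account/app reaches its codes.
INTERCEPT = {
    "mobile": {"sim_swap"},
    "google_voice": {"google_voice_access"},
}

# Constructed default mirroring the post: SMS and voice reach a regular mobile number;
# only voice calls still reach a Google Voice number. Not Vanguard's real configuration.
DEFAULT_DELIVERY = {
    "mobile": {"sms", "voice"},
    "google_voice": {"voice"},
}

@dataclass
class Setup:
    code_number: str            # "mobile" or "google_voice"
    security_key: bool = False  # a hardware security key is registered
    code_fallback: bool = True  # "I don't have my key" falls back to a code
    delivery: dict = field(default_factory=lambda: {k: set(v) for k, v in DEFAULT_DELIVERY.items()})

def login_paths(setup: Setup) -> list[set[str]]:
    """Each path is a set of capabilities that is enough to pass 2FA on its own."""
    code_reachable = bool(setup.delivery.get(setup.code_number))
    code_path = set(INTERCEPT[setup.code_number])
    if not setup.security_key:
        return [code_path] if code_reachable else []
    paths = [{"possess_key"}]
    if setup.code_fallback and code_reachable:
        paths.append(code_path)  # the key can be bypassed through the code fallback
    return paths

def can_log_in(setup: Setup, capabilities: set[str]) -> bool:
    """True if some login path needs nothing beyond the given capabilities."""
    return any(path <= capabilities for path in login_paths(setup))

if __name__ == "__main__":
    print(can_log_in(Setup("mobile"), {"sim_swap"}))                     # True
    print(can_log_in(Setup("google_voice"), {"sim_swap"}))               # False
    print(can_log_in(Setup("mobile", security_key=True), {"sim_swap"}))  # True
    # Provider no longer delivers any code to the Google Voice number: key is the only path
    key_only = Setup("google_voice", security_key=True, delivery={"google_voice": set()})
    print(login_paths(key_only))                                          # [{'possess_key'}]
    print(can_log_in(key_only, {"google_voice_access"}))                 # False: lost key, locked out
```

The last case is the double-edged outcome the post warns about: the same configuration that removes the bypass also locks out an owner who loses the key, which is why registering a second key matters.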