Most financial institutions have some form of two-factor authentication (“2FA”) when you log in online. They ask for something besides your user name and password. Some places do it every time you log in; some places do it only when you log in from an unrecognized device. Some places use a hardware device or a mobile app as the second factor; some places send a code to your email or a text message to your mobile phone number. See the previous post Protect Your Investment Accounts With A Security Token: Fidelity, Schwab, E*Trade, Vanguard.
SIM Swapping Risk
I had set up 2FA with Vanguard to have them text the authentication code to my Google Voice number. I gave Vanguard my Google Voice number instead of my regular mobile phone number because a Google Voice number doesn’t have a SIM card, and therefore it’s less susceptible to SIM swapping attacks. In a SIM swapping scam, criminals convince your mobile phone carrier that you lost your phone and you need to put your phone number onto a new SIM card they control. After they take over your phone number, they can go through the “forgot password” process with your online accounts when they’re able to receive authentication codes sent to your mobile number.
Although having text messages sent to a mobile phone number is better than not having any 2FA, and the risk of SIM swapping is small, I don’t want this risk. I don’t have my Google Voice number forward any calls or text messages to a cellphone number. All calls and texts to the Google Voice number stay in the Google Voice app on my phone. If criminals SIM swapped my real mobile number, they still can’t receive the authentication codes.
I tried to log in to my Vanguard account last week to see when my tax forms would be available, but this time the authentication code never came. I clicked on the resend link, but the code still didn’t come. Meanwhile, authentication codes from other places came to my Google Voice number just fine. So I knew the problem had to do with Vanguard, not Google Voice or my phone.
Vanguard had an option to resend the authentication code by an automated voice call. When I chose that option, the voice call came, and I was able to get the authentication code from the voice call and log in that way. Phew!
I searched online and I saw others had the same problem. It wasn’t a one-time glitch. Vanguard stopped sending authentication codes to Google Voice numbers for some reason. Without the authentication code, I won’t be able to log in. One obvious option would be to switch the 2FA setup to a regular mobile number. Vanguard still sends authentication codes to regular mobile numbers, just not to Google Voice numbers. I don’t want to do that because I’d like to avoid getting SIM swapped.
Voice Call
At this moment, Vanguard is still making automated voice calls to Google Voice numbers. I can change the setup from receiving a text message to getting a voice call. However, if Vanguard stopped sending text messages to Google Voice numbers because they don’t trust Google Voice numbers, it’s possible they will stop making voice calls to those numbers as well.
For the time being, I switched to receiving voice calls to my Google Voice number. It works in the short term but there’s a risk it will stop working any day.
Security Key
In addition to sending security codes by text messages or voice calls, Vanguard also supports using a hardware security key. They don’t give or sell security keys to customers. You’d have to buy it on your own.
Vanguard specifically mentions security keys made by a company called Yubico. The least expensive key from Yubico is Yubico Security Key for $20 or Yubico Security Key NFC for $24.50.
The $20 model works only with computers with a rectangular USB port (“USB-A”). The $24.50 model also works with mobile phones that have NFC. Yubico also makes other more expensive models ($45 – $70) that plug into different ports and have more features not required by Vanguard. Vanguard says they don’t support the latest YubiKey 5Ci model ($70).
Less expensive security keys made by other companies that support the same industry standard (“FIDO U2F”) may also work, but for a security device, I would stick to the name brand. If Vanguard stops making voice calls to my Google Voice number, I will buy the Yubico Security Key NFC for $24.50. Although I don’t use the Vanguard mobile app right now, I’m OK with paying an extra $5 to leave that option open.
Security Code as Backup
After you set up the security key with Vanguard, Vanguard will still use security codes by text message or voice call as a backup in case you don’t have the security key with you when you want to log in. Some security-minded people don’t like that, because it defeats the purpose of having a security key when someone can easily bypass it with a simple click saying they don’t have the security key with them and Vanguard will fall back to sending a text message or making a voice call.
However, if you set the phone number for the security code to a Google Voice number, Vanguard won’t send a text message there. They may not make a voice call there either in the near future. This will make the security key the only 2FA mechanism and it can’t be bypassed. Just make sure not to lose your security key when there’s no fallback. Or register two security keys and keep them in separate places.
Learn the Nuts and Bolts
I put everything I use to manage my money in a book. My Financial Toolbox guides you to a clear course of action.
Carrie says
I am now thoroughly convinced I should move my remaining Vanguard accounts to Fidelity. Fidelity has more options for 2FA.
ERIC GOLD says
“Vanguard had an option to resend the authentication code by an automated voice call. When I chose that option, the voice call came, and I was able to get the authentication code from the voice call and log in that way. Phew!”
I’m unclear on this point. Did Vanguard call your SIM number or your Google Voice number ? Did you answer the call using the Google Voice app or the phone app ? I’m wondering if a SIM swap scam would have worked at this point.
Harry Sit says
Vanguard called the Google Voice number. I answered in the Google Voice app. I had in my Google Voice settings not to forward any calls or texts.
Dan says
I had exactly the same experience with Vanguard last week–I requested my authentication code be forwarded to my Google Voice number, which I had set up a couple of years ago to thwart possible SIM-swapping attacks. It had always worked previously, but this time the code never arrived, so I requested it be sent again. Never received anything so I had to call Vanguard, go through authentication, and reset the security on my profile in order to gain access to my accounts. I do have a Thetis security key that meets the U2F and FIDO requirements, but I was put off by the statement, “When you register a security key, we have to change your security code settings from “Only when Vanguard doesn’t recognize my computer or device” to “Every time I log on.” “. There should be an option to retain only when Vanguard doesn’t recognize my computer. Even though Vanguard funds are the best, their user interface seems to be getting worse every year. I guess the low fees do have a hidden cost.
ERIC GOLD says
@Dan,
My Schwab account sounds similar. I have a hardware key I have to use any time I login to my account from my computer. It is annoying enough that I use my phone instead, since I have it set up rely on fingerprint as the second factor.
I’m a fan of biometric second factor, so much so that I made it a priority in my laptop purchase. Unfortunately businesses have been slow to catch on and use the functionality outside of phones.
always_gone says
I’ve used a Yubikey for years with Vanguard. I agree, the way they have it setup, so a backup code can always be requested, is not very secure at all. I’ve asked them to remove that option for my account, but they only said they’d look into it.
By the way, they offer to store four keys, like Google does . . . So I have four Yubikeys. One in my wallet and three stored away in case one is lost or damaged.
DB says
Harry,
Like you, I too had trouble receiving security codes to my Google voice number last week and had to fall back to a voice call. However, that may have been a one time glitch. When I logged in 4 days ago, I was able to receive the text code to the same GV number.
It’s happened with at least one other financial institution for me. Sometimes texts do not work, but voice calls to. But then text functionality starts working again.
KD says
The weirdness of it all is that aggregator services (Mint, Quicken, Emoney etc) once authenticated continued without a hitch. Of course, no transactions, messaging, retrieving tax documents can be done. Because of aggregator services, I tend to not log into my account very often. I tend to do fewer than 10 transactions in my account (typical 2 in a year, if that). Financial account security is a larger concern in the past few years. I wish there was a voice recognition that can be enabled for transactions – right on the website where you read aloud a sentence (in an image so no automated stuff can work) for extra security. That way if anyone gets into the account they cannot transact.
Harry Sit says
I heard the aggregators have a special arrangement with the financial institutions. They use your password to obtain a token. After that, they use the token to retrieve your balance and transactions. Financial institutions are comfortable with it because the token only has read-only access.
Deskandchairs says
I am having a related situation with Wells Fargo, when attempting to add an additional financial institution to those authorized for online transfers from my account. They recently added a 2FA requirement for this, in addition to test deposits. They will only use text to transmit the code, not voice or email. I have called them to confirm these options are not available
Pete says
I’ve seen boglehead discussions that sharing your credentials with an aggregator violates Vanguard’s fraud policy. I quote from the Vanguard website: “Be aware of the risks of sharing your account information: If you share your vanguard.com username and password, or if you allow someone to access your account information, activities performed with your shared or accessed credentials or information may be considered authorized. ” Additionally, Vanguard states “Don’t store your password or answers to security questions on the computer or device you use to access your Vanguard accounts.” Just to be safe I store my credentials in a password manager on a removable USB and not in the password manager on my computer.
Deskandchairs says
And yet, Vanguard offers account aggregator Yodlee service on their website (which requires user name and password for each non-Vanguard account)
Novoip says
It’s VOIP numbers that Vanguard and others don’t play nice with. I don’t know the reason but that’s the issue.
Jim says
Vanguard had some technical problems with VOIP numbers, but now they came back and work just fine. Interestingly, Vanguard doesn’t accept Google Voice numbers for notifications, only for 2FA codes. Don’t know why.
Enroll your google account in Advanced Protection Program, and that way you’ll have your Vanguard account protected solely by YubiKeys.
When you call Vanguard, they identify you by voice first, if you have that set up, then by security questions, then by account number, in that order. Only one is needed to pass the verification.
Set up notifications. Very important. You can reverse fraudulent transactions if caught early.
Tried the ‘log in only from trusted devices’ option, but that didn’t really work too well. About every couple of weeks, my computer ended up being not recognized. Good thing that I had also trusted both of my iPhones, that way I was able to still log in and disable this feature.
abc says
How did you determine the risk was lower using a Google Voice number rather than your mobile number? Can you provide some references on the topic?
Dan says
Speaking only for myself, Google Voice can’t be SIM swapped, and that is the greatest risk that I am trying to defeat.
abc says
Dan,
The question is how Harry determined that a SIM swap was a greater risk than using a VOIP (Google Voice). At least some organizations have not allowed the use of Google Voice. Is that because there is a greater risk with Google Voice than with a mobile phone? Or, is there another reason.
At one point Fidelity would not allow the use of Google Voice, even though I was able to use it for FidSafe. At the time I complained to Fidelity and they said they would not allow for security reasons.
I am hoping Harry has some sources that compare the risks upon which he made his decision that Google Voice was better.
Harry Sit says
Some financial institutions don’t like VOIP numbers because they can’t be sure who’s behind that number. Identity thieves outside the country are able to get VOIP numbers in the U.S. more easily and in larger volumes than they can sign up for actual mobile numbers. That’s not a concern for me as an individual customer. I know that’s my own Google Voice number and no one else is able to access or hijack that number when I secured my Google account with a hardware key or an authenticator app. Meanwhile, my actual mobile number can be moved to a different SIM card by a customer service rep tricked by social engineering. That’s out of my control.
Basically I have more confidence in this specific VOIP number than financial institutions have confidence in generic VOIP numbers.
abc says
Harry,
Thank you for the clear and timely explanation. I was looking on the internet for a site that would compare risks between Google Voice and a mobile phone. I did not find an answer. I now better understand how you made the determination for your use.