Vanguard 2-step verification

Alan

Vanguard has finally introduced an optional 2-step verification. You can now set up a text verification by cell phone. You can also choose to have a text with a verification number every time you log in, or a text number verification only when you log in from a new device.

I am all in favor of this extra security.
 
Vanguard has finally introduced an optional 2-step verification. You can now set up a text verification by cell phone. You can also choose to have a text with a verification number every time you log in, or a text number verification only when you log in from a new device.



I am all in favor of this extra security.


+1 I set this up the other day.


 
Goshdarnit - if only I had a cellphone. I wish Vanguard offered verification via a voice message, like Google do.
 
Vanguard has finally introduced an optional 2-step verification. You can now set up a text verification by cell phone. You can also choose to have a text with a verification number every time you log in, or a text number verification only when you log in from a new device.

I am all in favor of this extra security.

Protect Your Investment Accounts With A Security Token: Fidelity, Schwab, E*Trade, Vanguard

It is a step in the right direction, but is far from a hardware token hanging on your key-chain.
 
Goshdarnit - if only I had a cellphone. I wish Vanguard offered verification via a voice message, like Google do.

You can set up a Google Voice phone number and use that. I did.

You can't use 2 step with Quicken, Mint, for downloads.
 
Vanguard has finally introduced an optional 2-step verification. You can now set up a text verification by cell phone. You can also choose to have a text with a verification number every time you log in, or a text number verification only when you log in from a new device.

I am all in favor of this extra security.

Nice. Thanks for the heads up.
 
I set it up myself, using Google Voice, so I can use the feature when I am away from my cell phone coverage.

I also selected to use the service when accessing my account from a new device so I don't need a code every time I use Vanguard with my home computer. I am curious if others have done the same, or chosen to use the code every time they access their Vanguard account.
 
Protect Your Investment Accounts With A Security Token: Fidelity, Schwab, E*Trade, Vanguard

It is a step in the right direction, but is far from a hardware token hanging on your key-chain.

I agree, I have had a token for several years for my UK bank account. Thanks for the link, I didn't know that Fidelity offered tokens - as the article says, they don't advertise this optional security feature, but I will now inquire.

I set it up myself, using Google Voice, so I can use the feature when I am away from my cell phone coverage.

I also selected to use the service when accessing my account from a new device so I don't need a code every time I use Vanguard with my home computer. I am curious if others have done the same, or chosen to use the code every time they access their Vanguard account.

I also selected the service to not send a code when accessing from a registered device.

Lazy I am. :nonono:
 
You can set up a Google Voice phone number and use that. I did.



You can't use 2 step with Quicken, Mint, for downloads.


That's a problem. It sounds like they also need to support app passwords, much like Google does for their two factor authentication. Bummer, since this probably won't happen for a while, if ever, even though I hope I'm wrong.
 
I would hate to think that I would need a token for each and every financial account that I have....
 
I agree, I have had a token for several years for my UK bank account. Thanks for the link, I didn't know that Fidelity offered tokens - as the article says, they don't advertise this optional security feature, but I will now inquire.



I also selected the service to not send a code when accessing from a registered device.

Lazy I am. :nonono:

OK - this is important. I've been unhappy with the one-page Fidelity login, even though they offer a security-breach guarantee.
 
I just enrolled, I think it's a good security addition. I only logon about 4/year so I wouldn't have seen it for a while. Thanks Alan.
 
I would hate to think that I would need a token for each and every financial account that I have....

If they all did it then I'm sure you could combine them into 1 token, as described here,

Protect Your Investment Accounts With A Security Token: Fidelity, Schwab, E*Trade, Vanguard

One Token Does It All

If you have accounts at more than one place, you can register the same token ID with all places. I’m not a security expert. I don’t see much risk in doing so. Symantec tells you how to do that. I take it to mean it’s OK.
 
You can now use Vanguard 2-step verification with Quicken and TurboTax. That's it.
 
OK - this is important. I've been unhappy with the one-page Fidelity login, even though they offer a security-breach guarantee.

I don't understand. Why does one or multiple pages make a difference? You see an issue I'm too dense to see.
Thanks.
 
I don't understand. Why does one or multiple pages make a difference? You see an issue I'm too dense to see.
Thanks.
You can verify that you are at the right site before you enter your password. They show you a preselected image and word that you set up on the page you enter your password.

This would be a big deal if you accidentally try to log into a fraud/mimic website for your financial institution.
 
Oh thank you I get it. Last year our BCBS was like that for six months and then they removed it.
I do like that type of security set up so you know your session hasn't been compromised. Thanks again.
 
I don't understand. Why does one or multiple pages make a difference? You see an issue I'm too dense to see.
Thanks.

You can verify that you are at the right site before you enter your password. They show you a preselected image and word that you set up on the page you enter your password.

This would be a big deal if you accidentally try to log into a fraud/mimic website for your financial institution.


Woah! I see it very differently!

I much prefer the 'one page' verification, and it has been discussed here, and others agree.

With two page verification, a 'bad guy' can discover your logon fairly easily. They get feedback if it is wrong/right. Once they have a valid logon, they can start trying passwords. Half the battle is won.

But with one page for logon AND password, they need to get BOTH right at the same time. That makes the attack almost impossible. Using some simple math, and assuming an 8 char logon and an 8 char pw, and assuming a combo of 26 uppercase, 26 lower case, and 10 digits (not including a few special char) you go from:

1 page: 2 x (8^62)
2 page: 1 x (16^62)


Considering most passwords and logons are not totally random, the odds are less for each, making it more probable that a brute force attack with some intelligence could get through a two page authentication.

Bottom line: I much prefer one page authentication.

As far as the phishing issue - OK, but I never access my financial sites through anything but a link that I know to be valid, so I don't consider that an issue.

-ERD50
 
With two page verification, a 'bad guy' can discover your logon fairly easily. They get feedback if it is wrong/right. Once they have a valid logon, they can start trying passwords. Half the battle is won.

That's a drawback of how Vanguard has it implemented. They could have let one continue the second step without letting you know if your userid was incorrect (only provide feedback at the end, show a dummy but consistent anti-phishing image for unused userids). Probably they did this to be more user friendly.


As far as the phishing issue - OK, but I never access my financial sites through anything but a link that I know to be valid, so I don't consider that an issue.

Even if you use a known good link or type the address directly, wouldn't you still be vulnerable to a DNS hijack? The anti-phishing image helps protect against this.

I have no idea which type of attack is more prevalent. But Vanguard can monitor password attempts on a userid and stop it.
 
...snip....

I have no idea which type of attack is more prevalent. But Vanguard can monitor password attempts on a userid and stop it.

They potentially can code it either way. Standard security best practices always disable a userid after X invalid logon attempts. I remember a financial system audit, an SAE16 auditor brought up that the error message for invalid logon specifically said invalid userid or invalid password. It was changed to display a generic message saying your userid and password didn't match. Gave out no clues as to which field is invalid. They didn't raise issues about one or multiple screens.

Personally I do like the personalized second screen as an extra check. Maybe it's just a "feel good", but systems coded that way do make me feel more secure.
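
The behaviour suggested in the posts above (a dummy but consistent image for unused userids, one generic failure message, lockout after X attempts), as an added sketch that is not part of the thread and not Vanguard's implementation. The user table, image list, secret and threshold are constructed assumptions.

```python
import hashlib
import hmac

# Everything below is constructed for illustration.
SERVER_SECRET = b"constructed-demo-secret"   # assumption: random, server-side only
IMAGES = ["anchor", "bridge", "cactus", "dolphin", "eagle", "forest"]
MAX_FAILURES = 3                             # the "X" in "X invalid logon attempts"
GENERIC_ERROR = "User ID and password did not match."
LOCKED = "Too many attempts. Contact support."
DUMMY_SALT = b"constructed-salt"

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {"alice01": {"image": "dolphin", "salt": DUMMY_SALT,
                     "pw": _pw_hash("correct horse", DUMMY_SALT)}}
failures = {}   # userid -> consecutive failed attempts (unknown userids included)

def decoy_image(userid):
    """Keyed hash: an unused userid always gets the same image, and nobody
    without the server secret can predict which one."""
    digest = hmac.new(SERVER_SECRET, userid.encode(), hashlib.sha256).digest()
    return IMAGES[int.from_bytes(digest[:4], "big") % len(IMAGES)]

def step1_image(userid):
    """Page 1: always return an image, so the reply does not confirm the userid."""
    user = USERS.get(userid)
    return user["image"] if user else decoy_image(userid)

def step2_login(userid, password):
    """Page 2: same failure text for bad userid and bad password; lockout is
    counted for unknown userids too, so it leaks nothing either."""
    if failures.get(userid, 0) >= MAX_FAILURES:
        return LOCKED
    user = USERS.get(userid)
    # Hash even when the userid is unknown so response time stays similar.
    candidate = _pw_hash(password, user["salt"] if user else DUMMY_SALT)
    if user is not None and hmac.compare_digest(candidate, user["pw"]):
        failures.pop(userid, None)
        return "OK"
    failures[userid] = failures.get(userid, 0) + 1
    return GENERIC_ERROR
```
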
 
They potentially can code it either way. Standard security best practices always disable a userid after X invalid logon attempts. I remember a financial system audit, an SAE16 auditor brought up that the error message for invalid logon specifically said invalid userid or invalid password. It was changed to display a generic message saying your userid and password didn't match. Gave out no clues as to which field is invalid. They didn't raise issues about one or multiple screens.

Personally I do like the personalized second screen as an extra check. Maybe it's just a "feel good", but systems coded that way do make me feel more secure.


Same here, or provided that my phone is on the nearby table. When I log in and then have to go hunt down my phone, not so much.


 
I set it up myself, using Google Voice, so I can use the feature when I am away from my cell phone coverage.

I also selected to use the service when accessing my account from a new device so I don't need a code every time I use Vanguard with my home computer. I am curious if others have done the same, or chosen to use the code every time they access their Vanguard account.

I turned on 2-factor and put in my GV number.

One good thing about GV number is that you can use the GV app. with push notifications.

So on my iPhone, the texts go to my GV number and the push notification pops up.

That means I do not have to be in the US, in range of my US carrier. I just need Internet access (Wifi) and I can get the code anywhere in the world, without worrying about international SMS costs.
 
I turned on 2-factor and put in my GV number.

One good thing about GV number is that you can use the GV app. with push notifications.

So on my iPhone, the texts go to my GV number and the push notification pops up.

That means I do not have to be in the US, in range of my US carrier. I just need Internet access (Wifi) and I can get the code anywhere in the world, without worrying about international SMS costs.

Except this would not work for me. I use Hughesnet. The voice capability is terrible. I can hear people fine, but what they hear is garbled. Any outgoing audio is bad. I don't think it would work for me.
 
Well I don't make calls with my GV number that much. I have it set up to forward calls to my cell but also it transcribes the audio to an email.

It also sends the text messages, which is what Vanguard would send, a code that is good for 10 minutes. Then the GV app on my devices will show the notification on the lock screen without my having to open the app.

Or I could check my email and the code sent by SMS is there as well.
 