Join Early Retirement Today
Reply
 
Thread Tools Display Modes
Vanguard 2-step verification
Old 12-06-2014, 08:54 PM   #1
Administrator
Alan's Avatar
 
Join Date: Jul 2005
Location: N. Yorkshire
Posts: 34,053
Vanguard 2-step verification

Vanguard has finally introduced an optional 2-step verification. You can now set up a text verification by cell phone. You can also choose to have a text with a verification number every time you log in, or a text number verification only when you log in from a new device.

I am all in favor of this extra security.
__________________
Retired in Jan, 2010 at 55, moved to England in May 2016
Enough private pension and SS income to cover all needs
Alan is offline   Reply With Quote
Join the #1 Early Retirement and Financial Independence Forum Today - It's Totally Free!

Are you planning to be financially independent as early as possible so you can live life on your own terms? Discuss successful investing strategies, asset allocation models, tax strategies and other related topics in our online forum community. Our members range from young folks just starting their journey to financial independence, military retirees and even multimillionaires. No matter where you fit in you'll find that Early-Retirement.org is a great community to join. Best of all it's totally FREE!

You are currently viewing our boards as a guest so you have limited access to our community. Please take the time to register and you will gain a lot of great new features including; the ability to participate in discussions, network with our members, see fewer ads, upload photographs, create a retirement blog, send private messages and so much, much more!

Old 12-06-2014, 11:15 PM   #2
Recycles dryer sheets
fidler4's Avatar
 
Join Date: Mar 2013
Posts: 252
Quote:
Originally Posted by Alan View Post
Vanguard has finally introduced an optional 2-step verification. You can now set up a text verification by cell phone. You can also choose to have a text with a verification number every time you log in, or a text number verification only when you log in from a new device.



I am all in favor of this extra security.

+1 I set this up the other day.


Sent from my iPad using Early Retirement Forum
fidler4 is offline   Reply With Quote
Old 12-07-2014, 03:01 AM   #3
Thinks s/he gets paid by the post
Major Tom's Avatar
 
Join Date: Nov 2009
Location: SF East Bay
Posts: 4,323
Goshdarnit - if only I had a cellphone. I wish Vanguard offered verification via a voice message, like Google do.
__________________
Contentedly ER, with 3 furry friends (now, sadly, 1).
Planning my escape to the wide open spaces in my campervan (with my remaining kitty, of course!)
On a mission to become the world's second most boring man.

Major Tom is offline   Reply With Quote
Old 12-07-2014, 04:38 AM   #4
gone traveling
 
Join Date: Sep 2013
Posts: 1,248
Quote:
Originally Posted by Alan View Post
Vanguard has finally introduced an optional 2-step verification. You can now set up a text verification by cell phone. You can also choose to have a text with a verification number every time you log in, or a text number verification only when you log in from a new device.

I am all in favor of this extra security.
Protect Your Investment Accounts With A Security Token: Fidelity, Schwab, E*Trade, Vanguard

It is step in right direction, but is far from hardware token hanging on your key-chain.
eta2020 is offline   Reply With Quote
Old 12-07-2014, 05:20 AM   #5
Thinks s/he gets paid by the post
grasshopper's Avatar
 
Join Date: Oct 2010
Posts: 2,464
Quote:
Originally Posted by Major Tom View Post
Goshdarnit - if only I had a cellphone. I wish Vanguard offered verification via a voice message, like Google do.
You can set up a Google Voice phone number and use that I did.

You can't use 2 step with Quicken, Mint, for downloads.
__________________
For me experiences are not good or bad, just different
grasshopper is offline   Reply With Quote
Old 12-07-2014, 05:39 AM   #6
Administrator
MichaelB's Avatar
 
Join Date: Jan 2008
Location: Chicagoland
Posts: 40,583
Quote:
Originally Posted by Alan View Post
Vanguard has finally introduced an optional 2-step verification. You can now set up a text verification by cell phone. You can also choose to have a text with a verification number every time you log in, or a text number verification only when you log in from a new device.

I am all in favor of this extra security.
Nice. Thanks for the heads up.
MichaelB is online now   Reply With Quote
Old 12-07-2014, 09:06 AM   #7
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Chuckanut's Avatar
 
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 17,169
I set it up myself, using Google Voice, so I can use the feature when I am away from my cell phone coverage.

I also selected to use the service when accessing my account from a new device so I don't need a code every time I use Vanguard with my home computer. I am curious if others have did the same, or chosen to use the code every time they access their Vanguard account.
__________________
Comparison is the thief of joy

The worst decisions are usually made in times of anger and impatience.
Chuckanut is online now   Reply With Quote
Old 12-07-2014, 10:02 AM   #8
Administrator
Alan's Avatar
 
Join Date: Jul 2005
Location: N. Yorkshire
Posts: 34,053
Quote:
Originally Posted by eta2020 View Post
Protect Your Investment Accounts With A Security Token: Fidelity, Schwab, E*Trade, Vanguard

It is step in right direction, but is far from hardware token hanging on your key-chain.
I agree, I have had a token for several years for my UK bank account. Thanks for the link, I didn't know that Fidelity offered tokens - as the article says, they don't advertise this optional security feature, but I will now inquire.

Quote:
Originally Posted by Chuckanut View Post
I set it up myself, using Google Voice, so I can use the feature when I am away from my cell phone coverage.

I also selected to use the service when accessing my account from a new device so I don't need a code every time I use Vanguard with my home computer. I am curious if others have did the same, or chosen to use the code every time they access their Vanguard account.
I also selected the service to not send a code when accessing from a registered device.

Lazy I am.
__________________
Retired in Jan, 2010 at 55, moved to England in May 2016
Enough private pension and SS income to cover all needs
Alan is offline   Reply With Quote
Old 12-07-2014, 10:18 AM   #9
Thinks s/he gets paid by the post
 
Join Date: Aug 2007
Posts: 2,857
Quote:
Originally Posted by grasshopper View Post
You can set up a Google Voice phone number and use that I did.



You can't use 2 step with Quicken, Mint, for downloads.

That's a problem. It sounds like they also need to support app passwords, much like Google does for their two factor authentication. Bummer, since this probably won't happen for a while, if ever, even though I hope I'm wrong.
__________________
Eat, Drink and Be Merry.
tulak is online now   Reply With Quote
Old 12-07-2014, 10:34 AM   #10
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: May 2005
Posts: 17,203
I would hate to think that I would need a token for each and every financial account that I have....
Texas Proud is offline   Reply With Quote
Old 12-07-2014, 11:06 AM   #11
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
audreyh1's Avatar
 
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 38,006
Quote:
Originally Posted by Alan View Post
I agree, I have had a token for several years for my UK bank account. Thanks for the link, I didn't know that Fidelity offered tokens - as the article says, they don't advertise this optional security feature, but I will now inquire.



I also selected the service to not send a code when accessing from a registered device.

Lazy I am.
OK - this is important. I've been unhappy with the one-page Fidelity login, even though they offer a security-breech guarantee.
__________________
Retired since summer 1999.
audreyh1 is online now   Reply With Quote
Old 12-07-2014, 12:27 PM   #12
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Midpack's Avatar
 
Join Date: Jan 2008
Location: NC
Posts: 21,201
I just enrolled, I think it's a good security addition. I only logon about 4/year so I wouldn't have seen it for a while. Thanks Alan.
__________________
No one agrees with other people's opinions; they merely agree with their own opinions -- expressed by somebody else. Sydney Tremayne
Retired Jun 2011 at age 57

Target AA: 50% equity funds / 45% bonds / 5% cash
Target WR: Approx 1.5% Approx 20% SI (secure income, SS only)
Midpack is online now   Reply With Quote
Old 12-07-2014, 01:08 PM   #13
Administrator
Alan's Avatar
 
Join Date: Jul 2005
Location: N. Yorkshire
Posts: 34,053
Quote:
Originally Posted by Texas Proud View Post
I would hate to think that I would need a token for each and every financial account that I have....
If they all did it then I'm sure you could combine them into 1 token, as described here,

Protect Your Investment Accounts With A Security Token: Fidelity, Schwab, E*Trade, Vanguard

Quote:
One Token Does It All

If you have accounts at more than one place, you can register the same token ID with all places. I’m not a security expert. I don’t see much risk in doing so. Symantec tells you how to do that. I take it to mean it’s OK.
__________________
Retired in Jan, 2010 at 55, moved to England in May 2016
Enough private pension and SS income to cover all needs
Alan is offline   Reply With Quote
Old 02-14-2015, 03:52 PM   #14
Thinks s/he gets paid by the post
grasshopper's Avatar
 
Join Date: Oct 2010
Posts: 2,464
You can now use Vanguard 2-step verification with Quicken and TurboTax. Thats it.
__________________
For me experiences are not good or bad, just different
grasshopper is offline   Reply With Quote
Old 02-14-2015, 04:12 PM   #15
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
MRG's Avatar
 
Join Date: Apr 2013
Posts: 11,078
Quote:
Originally Posted by audreyh1 View Post
OK - this is important. I've been unhappy with the one-page Fidelity login, even though they offer a security-breech guarantee.
I don't understand. Why does one or multiple pages make a difference? You see an issue I'm too dense to see.
Thanks.
MRG is offline   Reply With Quote
Old 02-14-2015, 04:27 PM   #16
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
audreyh1's Avatar
 
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 38,006
Quote:
Originally Posted by MRG View Post
I don't understand. Why does one or multiple pages make a difference? You see an issue I'm too dense to see.
Thanks.
You can verify that you are at the right site before you enter your password. They show you a preselected image and word that you set up on the page you enter your password.

This would be a big deal you accidentally try to log into a fraud/mimic website for your financial institution.
__________________
Retired since summer 1999.
audreyh1 is online now   Reply With Quote
Old 02-14-2015, 04:49 PM   #17
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
MRG's Avatar
 
Join Date: Apr 2013
Posts: 11,078
Oh thank you I get it. Last year our BCBS was like that for six months and then they removed it.
I do like that type of security set up so you know your session hasn't been comprised. Thanks again.
MRG is offline   Reply With Quote
Old 02-14-2015, 09:45 PM   #18
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Sep 2005
Location: Northern IL
Posts: 26,819
Quote:
Originally Posted by MRG View Post
I don't understand. Why does one or multiple pages make a difference? You see an issue I'm too dense to see.
Thanks.
Quote:
Originally Posted by audreyh1 View Post
You can verify that you are at the right site before you enter your password. They show you a preselected image and word that you set up on the page you enter your password.

This would be a big deal you accidentally try to log into a fraud/mimic website for your financial institution.

Woah! I see it very differently!

I much prefer the 'one page' verification, and it has been discussed here, and others agree.

With two page verification, a 'bad guy' can discover your logon fairly easily. They get feedback if it is wrong/right. Once they have a valid logon, they can start trying passwords. Half the battle is won.

But with one page for logon AND password, they need to get BOTH right at the same time. That makes the attack almost impossible. Using some simple math, and assuming an 8 char logon and an 8 char pw, and assuming a combo of 26 uppercase, 26 lower case, and 10 digits (not including a few special char) you go from:

1 page: 2 x (8^62)
2 page: 1 x (16^62)


Considering most passwords and logons are not totally random, the odds are less for each, making it more probable that a brute force attack with some intelligence could get through a two page authentication.

Bottom line: I much prefer one page authentication.

As far as the phishing issue - OK, but I never access my financial sites through anything but a link that I know to be valid, so I don't consider that an issue.

-ERD50
ERD50 is offline   Reply With Quote
Old 02-14-2015, 10:39 PM   #19
Thinks s/he gets paid by the post
photoguy's Avatar
 
Join Date: Jun 2010
Posts: 2,301
Quote:
Originally Posted by ERD50 View Post
With two page verification, a 'bad guy' can discover your logon fairly easily. They get feedback if it is wrong/right. Once they have a valid logon, they can start trying passwords. Half the battle is won.
That's a drawback of how vanguard has it implemented. They could have let one continue the second step without letting you know if you userid was incorrect (only provide feedback at the end, show a dummy but consistent anti-phishing image for unused userids). Probably they did this to be more user friendly.


Quote:
As far as the phishing issue - OK, but I never access my financial sites through anything but a link that I know to be valid, so I don't consider that an issue.
Even if you use a known good link or type the address directly, wouldn't you still be vulnerable to a DNS hijack? The anti-phishing image helps protect against this.

I have no idea which type of attack is more prevalent. But vanguard can monitor password attempts on a userid and stop it.
photoguy is offline   Reply With Quote
Old 02-16-2015, 09:46 AM   #20
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
MRG's Avatar
 
Join Date: Apr 2013
Posts: 11,078
Quote:
Originally Posted by photoguy View Post

...snip....

I have no idea which type of attack is more prevalent. But vanguard can monitor password attempts on a userid and stop it.
They potentially can code it either way. Standard security best pratices always disable a userid after X invalid logon attempts. I remember a financial system audit, an SAE16 auditor brought up that the error message for invalid logon specifically said invalid userid or invalid password. It was changed to display a generic message saying your userid and password didn't match. Gave out no clues as to which field is invalid. They didn't raise issues about one or multiple screens.

Personally I do like the personalized second screen as an extra check. Maybe it's just a "feel good", but systems coded that way do make me feel more secure.
MRG is offline   Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Why is Expiration Date Part of CC Verification? TromboneAl FIRE and Money 11 11-13-2011 04:17 PM
Early Retirement - verification chas57006 FIRE and Money 16 04-03-2011 05:33 AM
Online Bank Account Verification Process SkisALot FIRE and Money 2 02-13-2009 10:02 PM
Image verification perinova Forum Admin 6 11-28-2007 03:47 PM

» Quick Links

 
All times are GMT -6. The time now is 08:09 AM.
 
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2024, vBulletin Solutions, Inc.