Vanguard offers login security code
- indexfundfan
- Posts: 3962
- Joined: Tue Feb 20, 2007 10:21 am
Vanguard offers login security code
If your account is enabled, you can find it under Account Maintenance:
My signature has been deleted.
-
- Posts: 941
- Joined: Fri Apr 01, 2011 1:49 pm
Re: Vanguard offers login security code
Thanks for posting this. I've just activated mine.
- FelixTheCat
- Posts: 2035
- Joined: Sat Sep 24, 2011 12:39 am
Re: Vanguard offers login security code
> ddunca1944 wrote: Thanks for posting this. I've just activated mine.
+1 on thanks!
Felix is a wonderful, wonderful cat.
- Phineas J. Whoopee
- Posts: 9675
- Joined: Sun Dec 18, 2011 5:18 pm
Re: Vanguard offers login security code
Enrolled. Thanks for telling us it's become available.
PJW
Re: Vanguard offers login security code
Suck eggs, you people with no text capabilities, signed Vanguard.
Re: Vanguard offers login security code
Thank you - just signed up.
I have been waiting for this for a long time.
I set mine to send a code every time.
Re: Vanguard offers login security code
Works great. Thanks for the heads up, indexfundfan!
Incidentally, Google Voice is listed in Vanguard's instructions as an approved carrier. So a cell phone isn't needed to use the service.
Re: Vanguard offers login security code
> lululu wrote: Suck eggs, you people with no text capabilities, signed Vanguard.
You can use Google Voice with it. Or alternatively, join the 21st century and get a cell phone.
Re: Vanguard offers login security code
> toto238 wrote:
> > lululu wrote: Suck eggs, you people with no text capabilities, signed Vanguard.
> You can use Google Voice with it. Or alternatively, join the 21st century and get a cell phone.
Some people have plans that cost extra for texting. I not only did not pay to add unlimited texting, I asked them to turn off the texting capability so I would not be paying for spam texts. Anyone I want to "text" with has an iPhone. Now, if Vanguard would offer the iPhone IM option ....
Re: Vanguard offers login security code
> GerryL wrote: Some people have plans that cost extra for texting. I not only did not pay to add unlimited texting, I asked them to turn off the texting capability so I would not be paying for spam texts. Anyone I want to "text" with has an iPhone. Now, if Vanguard would offer the iPhone IM option ....
Google Voice delivers incoming text to the Google Voice number as a message in the Google Voice app. No text needed on the phone.
Harry Sit has left the forums.
Re: Vanguard offers login security code
> ddunca1944 wrote: Thanks for posting this. I've just activated mine.
+1. Just did it. I feel a tiny bit safer now.
Re: Vanguard offers login security code
I wish that Vanguard would accommodate those of us who don't have cell phones or Google Voice by sending security codes to us via email. Granted, it wouldn't be as secure as two-factor authentication, but it would be more secure than having no security codes at all.
- ResearchMed
- Posts: 16795
- Joined: Fri Dec 26, 2008 10:25 pm
Re: Vanguard offers login security code
> John151 wrote: I wish that Vanguard would accommodate those of us who don't have cell phones or Google Voice by sending security codes to us via email. Granted, it wouldn't be as secure as two-factor authentication, but it would be more secure than having no security codes at all.
Potential problem there is "someone else has your computer, and is trying to log on to your Vanguard account", and they also have the device (your computer) that has your email loaded.
Some places allow a phone call to a REGULAR phone. That's great, IF one is "at home", but not so much otherwise, although I guess one could arrange to forward the calls to that number temporarily. But that wouldn't work - if it has to be forwarded to a hotel switchboard, since it would probably be a recorded voice with the code.
RM
This signature is a placebo. You are in the control group.
-
- Posts: 1290
- Joined: Mon Jan 20, 2014 11:14 am
Re: Vanguard offers login security code
hey vanguard...why am i reading about this on an internet forum and not in an email from you????
Re: Vanguard offers login security code
> John151 wrote: I wish that Vanguard would accommodate those of us who don't have cell phones or Google Voice by sending security codes to us via email. Granted, it wouldn't be as secure as two-factor authentication, but it would be more secure than having no security codes at all.
Google Voice is free, and I remember it being easy to sign up.
Re: Vanguard offers login security code
> Ken Schwartz wrote:
> > John151 wrote: I wish that Vanguard would accommodate those of us who don't have cell phones or Google Voice by sending security codes to us via email. Granted, it wouldn't be as secure as two-factor authentication, but it would be more secure than having no security codes at all.
> Google Voice is free, and I remember it being easy to sign up.
And it can deliver the text by email. https://support.google.com/voice/answer/160203?hl=en
Harry Sit has left the forums.
Re: Vanguard offers login security code
Many thanks, Ken and tfb. I'll check this out.
-
- Posts: 137
- Joined: Wed Jul 18, 2012 11:20 pm
Re: Vanguard offers login security code
Let's Recap VG security features (feel free to correct/add any features):
1. Username has been updated to 12 characters (still does not recognize upper/lower case)
2. Password has been updated to 20 characters (still does not recognize upper/lower case)
3. 2 factor/step verification is being rolled out
4. Computer/device specific restriction may be turned on (enables login from only 1 designated device/PC)
5. Voice recognition verification is offered (instead of security pass phrases)
6. paperless billing/statement option (prevents possible mail theft)
Is there anything else VG can do?
Re: Vanguard offers login security code
> indexmeasap wrote: Let's Recap VG security features (feel free to correct/add any features):
> 1. Username has been updated to 12 characters (still does not recognize upper/lower case)
> 2. Password has been updated to 20 characters (still does not recognize upper/lower case)
> 3. 2 factor/step verification is being rolled out
> 4. Computer/device specific restriction may be turned on (enables login from only 1 designated device/PC)
> 5. Voice recognition verification is offered (instead of security pass phrases)
> 6. paperless billing/statement option (prevents possible mail theft)
> Is there anything else VG can do?
Password IS case sensitive and you can use most symbols. Username is not.
Re: Vanguard offers login security code
> indexmeasap wrote: Is there anything else VG can do?
Yeah.... Better 2 factor instead of SMS - via either an app (RSA, ENIX or a million others) or via a hardware token that a lot of us already have for other things.
Rob
It's a dangerous business going out your front door. - J.R.R.Tolkien
Re: Vanguard offers login security code
> Let's Recap VG security features (feel free to correct/add any features):
> 1. Username has been updated to 12 characters (still does not recognize upper/lower case)
> 2. Password has been updated to 20 characters (still does not recognize upper/lower case)
> 3. 2 factor/step verification is being rolled out
> 4. Computer/device specific restriction may be turned on (enables login from only 1 designated device/PC)
> 5. Voice recognition verification is offered (instead of security pass phrases)
> 6. paperless billing/statement option (prevents possible mail theft)
I have to say they are actually ahead of the other financial firms that I do business with on this front.
Re: Vanguard offers login security code
> ResearchMed wrote: Some places allow a phone call to a REGULAR phone. That's great, IF one is "at home", but not so much otherwise, although I guess one could arrange to forward the calls to that number temporarily. But that wouldn't work - if it has to be forwarded to a hotel switchboard, since it would probably be a recorded voice with the code.
> RM
It's fine for people at home, though. Dinky little credit unions can do this, Vanguard should be able to.
> toto238 wrote:
> > lululu wrote: Suck eggs, you people with no text capabilities, signed Vanguard.
> You can use Google Voice with it. Or alternatively, join the 21st century and get a cell phone.
Oh, gosh, 2014 here I come, with my existing cell phone that I don't waste money paying for text on. And I don't waste time installing a package because Vanguard did a half-deleted implementation.
Re: Vanguard offers login security code
Did somebody find out what happens if your phone number changes? How do you change it so you can log onto your account?
- Phineas J. Whoopee
- Posts: 9675
- Joined: Sun Dec 18, 2011 5:18 pm
Re: Vanguard offers login security code
> toto238 wrote: Did somebody find out what happens if your phone number changes? How do you change it so you can log onto your account?
Therein lies the rub, and a reason one might consider not requiring the code when using a known-to-Vanguard computer. Either way, Vanguard has to have a procedure to use things one knows, or documentation one can obtain (which of course can be counterfeited), rather than strictly what one has or is, including voice verification, because both one's computer and one's phone might be destroyed in a fire or such. If in the same incident one's throat was injured by smoke inhalation, access to assets still should not become impossible.
It ain't pretty, but it has to be allowed for in advance, because in a sufficiently large population it will happen.
In all of computer security, including in our present certificate system, one can't escape the principle that "you have to trust somebody."
On the other hand, outside of emergency circumstances, you can make yourself a difficult target, or mark, to encourage the pickpockets to focus on somebody else. I'm against the practice of picking pockets, but so long as I'm powerless to end it I may as well render myself difficult to rob. As the old joke goes, I don't have to outrun the grizzly bear. I only have to outrun you.
PJW
Re: Vanguard offers login security code
> toto238 wrote: Did somebody find out what happens if your phone number changes? How do you change it so you can log onto your account?
You can edit your phone number under Account maintenance / Security code. Of course, you'll need to make the change before losing access to the old phone number. You can also disable the security feature on that same webpage. This could be useful as a temporary measure while you're in the process of changing phone numbers.
If your change in phone number is unplanned (maybe due to a lost or stolen phone), I suppose you'd need to call Vanguard and have a rep update your information.
Re: Vanguard offers login security code
> Ken Schwartz wrote:
> > toto238 wrote: Did somebody find out what happens if your phone number changes? How do you change it so you can log onto your account?
> You can edit your phone number under Account maintenance / Security code. Of course, you'll need to make the change before losing access to the old phone number. You can also disable the security feature on that same webpage. This could be useful as a temporary measure while you're in the process of changing phone numbers.
> If your change in phone number is unplanned (maybe due to a lost or stolen phone), I suppose you'd need to call Vanguard and have a rep update your information.
So here's the security issue. Hacker calls Vanguard with my personal info and says "my phone was stolen, change my phone number to this new number." Now the security code is going to the hacker's cell. Security defeated.
It can't be as easy as just calling in. I imagine you'd have to do voice verification or something like that for them to be able to change it over the phone. Maybe sending in a letter of instruction with a signature guarantee or notary may do the trick.
So DEFINITELY make sure you have voice verification set up before doing this. Just in case.
Re: Vanguard offers login security code
I'd hope that if you lose your phone and didn't choose the "only when we don't recognize your computer" option, then you can't get into the account until you write or call Vanguard, and wait for a reset code to arrive in the mail.
Or toto's security guarantee would be nice.
-
- Posts: 166
- Joined: Fri Mar 29, 2013 7:42 am
- Location: Potomac MD
Re: Vanguard offers login security code
Many thanks for this!
For those not aware of Two Factor Authentication (TFA), here's a Gizmodo piece on the sites that offer it from about a month ago. Link
The list includes: Apple, Google, Facebook, Microsoft, Twitter, Dropbox, Yahoo, Evernote and PayPal. (One not listed is LinkedIn.)
One of the most important logins to protect is your email account (in addition to the financial ones) - so if you use online Gmail, Hotmail or Yahoo Mail you should at least have TFA activated on these. (Yes it takes a few extra moments to receive the code via text but is completely worth it.) If you want to read of a person's experience with a hacked email account: How Apple and Amazon Security Flaws Led to My Epic Hacking
For those who want to use something else other than text messages (say you have a limited text message plan), there's a great app called Authy that's a nice alternative to Google Authenticator. (Both do app-based TFA as a program that runs on a smartphone, and you plug in a number generated by the app.) I've found that Authy has a lot more websites compatible with it (namely Microsoft, Facebook, Dropbox, Google, Evernote, Lastpass and Hootsuite). Authy is here.
Lastly if you write a WordPress blog TFA is also available for free. Duo Security is a WordPress plug-in that also has a smartphone counterpart app. (I needed to install this as even though I had other security features to the blog it was getting lots of login attempts from places in Eastern Europe, India, SE Asia etc.)
Re: Vanguard offers login security code
Here's a post on a site that lists banks, brokers, email, etc with 2FA: http://www.bogleheads.org/forum/viewtop ... 0&t=150266
-
- Posts: 94
- Joined: Wed Nov 12, 2014 8:04 am
Re: Vanguard offers login security code
No thanks. This will only make it harder to day trade with my Vanguard account while at work.
-
- Posts: 1209
- Joined: Sat Oct 09, 2010 3:52 pm
Re: Vanguard offers login security code
Signed up, but every logon won't work with Quicken only recognised device.
Re: Vanguard offers login security code
What this thread seems to be concentrating on is security against theft or misuse of your password and/or your computer. Secondarily, we need to have some plan in case Vanguard accidentally exposes their half: the hashed (and hopefully salted) passwords and hints. This secondary issue is important. The eHarmony and LinkedIn disasters were due to storing users' login credentials on their servers without salt. "Salting" passwords was old hat in the mid-1970s and makes the hacker's job almost infinitely more difficult. It only takes a few lines of code. Organizations are stupid and dishonest. Even ones like eHarmony and LinkedIn.
Here is what I did to protect myself. Note that while I happen to use a Mac, all of these are possible steps for PCs:
- Use a long password that I never write down or record anywhere, even in a key manager like Keychain or LastPass. The password uses lower-case letters and decimal digits, and is really long.
- Manage my "Hints" for account recovery. For example, my first girlfriend was someone named "G8XQ9ABZN". It wasn't "Heather", or "Judy", or any normal name. If your financial institution won't accept non-pronounceable things make up a name that appears to be pronounceable. A google search can help you with this.
- Buy an external hard drive (1TB cost me $99) and create two partitions: one encrypted and one non-encrypted. Install the latest OSX (Windows/Linux) on the encrypted partition with a really long password different from the Vanguard password. The unencrypted partition is where you move things like financial statements to. Then, after you finish your financial transactions and shut down your computer, you can re-boot from your normal drive and the items you wanted to reference on your normal account are accessible from the non-encrypted partition, provided you leave the disk plugged in. Obviously, don't move sensitive info to the unencrypted partition. Equally obviously you never move any information from the unencrypted disk to the encrypted disk.
- The first account on a new encrypted boot partition is, of necessity, an administrative account. Make a non-administrative account for actual use. Never use the administrative account for ANYTHING except to set up the non-administrative account. This means that if you get malware installed, it won't have administrative privileges on your computer. This is a very good idea even if you don't do any of the other things.
- Disable all applications that you won't be using. No mail, especially no "Apps". You need a browser. Maybe a text editor. That's about it.
- Eliminate ALL bookmarks from the browser. Add one each for Vanguard and any other secure financial institutions you use. You might consider turning on Parental Controls so that you CAN'T go anywhere else, especially if you are absent-minded or weak-willed.
- Always reboot your computer from this special encrypted disk/partition when accessing financial transactions.
- Never use this disk and login for anything other than your secure financial transactions.
- If you MUST write down your passwords, write them on an index card and put it in a book somewhere. Don't label what the passwords are for. If possible encrypt them in some way, like
  reverse pairs of symbols (mypassword -> ymapssowdr)
  or reverse the whole thing (mypassword -> drowssapym)
  or both (mypassword -> rdwosspamy)
  or get creative. You will only use this in the event of a real problem, so it's OK to be complicated.
You expected that some magic talisman would replace due diligence? Think again.
Security and Convenience are mortal enemies.
-Bob. Beeman.
Last edited by Bob.Beeman on Sat Nov 22, 2014 8:23 am, edited 5 times in total.
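What salting changes in a leaked credential store, as an added example that is not part of the original post and is not any site's actual code: with a fast unsalted hash, every user who chose the same password ends up with the same stored value, while a per-user random salt (here combined with a slow key-derivation function) makes every record distinct. The account names, passwords, and the choice of SHA-1 and PBKDF2-HMAC-SHA256 are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 100_000  # assumed work factor for this demonstration

# Constructed sample accounts; alice and bob happen to share a password.
SAMPLE_USERS = {
    "alice": "autumn2014",
    "bob": "autumn2014",
    "carol": "tr0ub4dor",
}


def unsalted_record(password: str) -> bytes:
    """The weak scheme: one fast hash, no salt. Same password -> same stored value."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def salted_record(password: str, salt: bytes = None):
    """Per-user random salt plus a deliberately slow KDF. Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def users_sharing_a_digest(store: dict) -> list:
    """Audit helper: groups of users whose stored digests are byte-identical.

    Any non-empty result means one correct guess (or one precomputed table
    entry) exposes several accounts at once.
    """
    groups = defaultdict(list)
    for user, digest in store.items():
        groups[digest].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def build_stores(users: dict):
    """Build both variants of the credential table from the same accounts."""
    unsalted = {u: unsalted_record(p) for u, p in users.items()}
    salted = {u: salted_record(p) for u, p in users.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_stores(SAMPLE_USERS)
    print("unsalted, shared digests:", users_sharing_a_digest(unsalted))
    print("salted, shared digests:  ",
          users_sharing_a_digest({u: r[1] for u, r in salted.items()}))
    print("login still works:", verify_salted("autumn2014", salted["alice"]))
```
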
Re: Vanguard offers login security code
I've started to write up a security plan, like Bob has above, but very different strategies.
Does anyone know of a good electronic security forum where I can post it for critique?
Re: Vanguard offers login security code
> toto238 wrote:
> > Ken Schwartz wrote:
> > > toto238 wrote: Did somebody find out what happens if your phone number changes? How do you change it so you can log onto your account?
> > You can edit your phone number under Account maintenance / Security code. Of course, you'll need to make the change before losing access to the old phone number. You can also disable the security feature on that same webpage. This could be useful as a temporary measure while you're in the process of changing phone numbers.
> > If your change in phone number is unplanned (maybe due to a lost or stolen phone), I suppose you'd need to call Vanguard and have a rep update your information.
> So here's the security issue. Hacker calls Vanguard with my personal info and says "my phone was stolen, change my phone number to this new number." Now the security code is going to the hacker's cell. Security defeated.
> It can't be as easy as just calling in. I imagine you'd have to do voice verification or something like that for them to be able to change it over the phone. Maybe sending in a letter of instruction with a signature guarantee or notary may do the trick.
> So DEFINITELY make sure you have voice verification set up before doing this. Just in case.
You're absolutely right about the security issue here. I didn't mean to imply the rep would change the phone number without authentication. I would hope either voice verification or answers to a bunch of tough questions would be required.
Re: Vanguard offers login security code
> Grasshopper wrote: Signed up, but every log on won't work with Quicken only recognized device.
I don't like the idea of giving software access to my financial accounts.
I always wanted to be a procrastinator.
Re: Vanguard offers login security code
Sidney, I'm not sure about Vanguard but some brokers allow you to set up a separate read only ID.
I've never tried this but might if I had a lot of tax data to input.
It would be nice if you could download the data into a format that TaxAct could read, so that you don't need to give the software any password at all.
-
- Posts: 128
- Joined: Sun Mar 10, 2013 11:51 am
Re: Vanguard offers login security code
Sweet. This is a great start. Another way to do this is automated voice calls; but that's more expensive than sending texts. In the spirit of keeping costs low, I'll gladly accept this text-only implementation from Vanguard.
@Bob.Beeman, How about using a Virtual Machine instead of what you described? All financial transactions happen in the VM. Will that be as secure?
80/20 Stock/Bond
-
- Posts: 1660
- Joined: Tue Feb 01, 2011 8:22 pm
Re: Vanguard offers login security code
> indexmeasap wrote: Let's Recap VG security features (feel free to correct/add any features):
> 1. Username has been updated to 12 characters (still does not recognize upper/lower case)
> 2. Password has been updated to 20 characters (still does not recognize upper/lower case)
> 3. 2 factor/step verification is being rolled out
> 4. Computer/device specific restriction may be turned on (enables login from only 1 designated device/PC)
> 5. Voice recognition verification is offered (instead of security pass phrases)
> 6. paperless billing/statement option (prevents possible mail theft)
> Is there anything else VG can do?
1. I'm pretty sure the username has always been 12 characters. I don't think that's been updated in a long time. I wish it were because the username I prefer is slightly longer than 12 characters long.
2. I use Lastpass for my password so I feel pretty secure on that front. I would prefer to have an even longer password though.
3. Appreciate the 2 step verification but I would like the ability to use the Google Authenticator app.
4. I really like this feature but it would be much better if I could see (and edit) a list of all the recognized devices. Lastpass does a great job with this. I can see a list of all the devices that are currently recognized and can delete any that I no longer wish to be recognized. Lastpass also allows me to restrict access from other countries (and tor).
5. I really like the voice verification. I wish they would get rid of the security questions altogether. If someone fails the voice verification are they then asked the security questions? If so, that would defeat the purpose.
6. Definitely signed up for this.
Re: Vanguard offers login security code
> whadyaknow wrote: @Bob.Beeman, How about using a Virtual Machine instead of what you described? All financial transactions happen in the VM. Will that be as secure?
Several of my friends do this. Whether it is as good depends on how much you trust the Virtual Machine software. I would tend to trust that.
The other thing is that if you do it my way and you lose the disk the whole thing is encrypted and probably only some federal agency could recover the data. When you run a virtual machine my understanding is that any files you save and browser cookies are not encrypted once you boot out of the VM.
If the VM encrypts the entire virtual disk, then yes, it is probably just as good. Just don't forget the other items, no mail client, no Apps, no bookmarks for anything other than your financial organizations, etc. Also, I have Java and Flash turned off in the browser. Any financial institution that requires those is run by people who are astoundingly (stupid/inattentive/dishonest). Flash and Java (not JavaScript) browser plugins are famous as security risks. Fonts of Dis-Knowledge.
You have to find your own comfort level. The one in my previous post represents mine. Yours may legitimately differ.
- Bob.Beeman
Re: Vanguard offers login security code
I have a question. My wife and I have a single cell phone, but we each have our own Vanguard accounts.
Can we use the same cell phone number for 2-factor authorization?
Glenn
Re: Vanguard offers login security code
> dcnut wrote: I have a question. My wife and I have a single cell phone, but we each have our own Vanguard accounts.
> Can we use the same cell phone number for 2-factor authorization? Glenn
I don't see why not. Try it.
Re: Vanguard offers login security code
> Ken Schwartz wrote:
> > dcnut wrote: I have a question. My wife and I have a single cell phone, but we each have our own Vanguard accounts.
> > Can we use the same cell phone number for 2-factor authorization? Glenn
> I don't see why not. Try it.
Well it turns out that Vanguard's terms and conditions require that the cell phone be registered in your name, and not your spouse's. Since our cell phone is registered to my wife, I cannot use that phone for my Vanguard account.
Re: Vanguard offers login security code
> dcnut wrote:
> > Ken Schwartz wrote:
> > > dcnut wrote: I have a question. My wife and I have a single cell phone, but we each have our own Vanguard accounts.
> > > Can we use the same cell phone number for 2-factor authorization? Glenn
> > I don't see why not. Try it.
> Well it turns out that Vanguard's terms and conditions require that the cell phone be registered in your name, and not your spouse's. Since our cell phone is registered to my wife, I cannot use that phone for my Vanguard account.
Good catch, but I think there's a way around that rule. The 3rd item in "Additional Terms and Conditions" states
> The mobile phone number you provide to sign up for the Service is registered in your name, and you will not initiate messages to the phone or other access device of any other person or entity.
Notice that Vanguard's putting a requirement on the phone number, not the phone itself. Your wife can sign up to receive security codes in the straightforward way. You, on the other hand, can sign up for a Google Voice phone number in your name, and forward texts received at that number to your wife's phone. You would then provide Vanguard with your phone number.
I'm not absolutely sure this approach would really work, nor am I sure it's within the rules, but it is a thought . . .
Edit: This is a bad idea. I think it runs afoul of the "you will not initiate messages to the phone or other access device of any other person or entity" rule.
Last edited by xenial on Sat Nov 22, 2014 4:45 pm, edited 1 time in total.
Re: Vanguard offers login security code
> Ken Schwartz wrote: Notice that Vanguard's putting a requirement on the phone number, not the phone itself. Your wife can sign up to receive security codes in the straightforward way. You, on the other hand, can sign up for a Google Voice phone number in your name, and forward texts received at that number to your wife's phone. You would then provide Vanguard with your phone number.
Or you could use Google Voice directly since you will be right there at a computer that you trust enough to log in to VG.
I always wanted to be a procrastinator.
Re: Vanguard offers login security code
I retract my idea from 2 messages above. (See my edit.) Sidney's approach looks good.
Re: Vanguard offers login security code
> Sidney wrote:
> > Ken Schwartz wrote: Notice that Vanguard's putting a requirement on the phone number, not the phone itself. Your wife can sign up to receive security codes in the straightforward way. You, on the other hand, can sign up for a Google Voice phone number in your name, and forward texts received at that number to your wife's phone. You would then provide Vanguard with your phone number.
> Or you could use Google Voice directly since you will be right there at a computer that you trust enough to log in to VG.
This is, in fact, what I will do. I spent this afternoon getting familiar with Google Voice, and then I signed up for a Google account with a Google Voice number. I also verified that I could send a text message to this number which can be read in the Google Voice inbox. Tomorrow, I will use this number to enable 2-factor authorization for my Vanguard account. My daughter, a Google software engineer in CA would approve.
Glenn
Re: Vanguard offers login security code
That's all fine and works well I'm sure, but you could just setup a second system ( any older system would work fine for the purpose ) and dedicate it for financial use only. I have an ancient desktop ( Dell 4700 ) that fills that role nicely.
Bob.Beeman wrote: What this thread seems to be concentrating on is security against theft or misuse of your password and/or your computer. Secondarily, we need to have some plan in case Vanguard accidentally exposes their half: the hashed (and hopefully salted) passwords and hints. This secondary issue is important. The eHarmony and LinkedIn disasters were due to storing user's login credentials on their servers without salt. "Salting" passwords was old hat in the mid-1970s and makes the hacker's job almost infinitely more difficult. It only takes a few lines of code. Organizations are stupid and dishonest. Even ones like eHarmony and LinkedIn.
Here is what I did to protect myself. Note that while I happen to use a Mac, all of these are possible steps for PCs:
Yes, this is a real pain, at least at first, but it gets pretty easy to use once you are set up.
- Use a long password that I never write down or record anywhere, even in a key manager like Keychain or LastPass. The password uses lower-case letters and decimal digits, and is really long.
- Manage my "Hints" for account recovery. For example, my first girlfriend was someone named "G8XQ9ABZN". It wasn't "Heather", or "Judy", or any normal name. If your financial institution won't accept non-pronounceable things, make up a name that appears to be pronounceable. A Google search can help you with this.
- Buy an external hard drive (1TB cost me $99) and create two partitions: one encrypted and one non-encrypted. Install the latest OSX (Windows/Linux) on the encrypted partition with a really long password different from the Vanguard password. The unencrypted partition is where you move things like financial statements to. Then, after you finish your financial transactions and shut down your computer, you can re-boot from your normal drive and the items you wanted to reference on your normal account are accessible from the non-encrypted partition, provided you leave the disk plugged in. Obviously, don't move sensitive info to the unencrypted partition. Equally obviously you never move any information from the unencrypted disk to the encrypted disk.
- The first account on a new encrypted boot partition is, of necessity, an administrative account. Make a non-administrative account for actual use. Never use the administrative account for ANYTHING except to set up the non-administrative account. This means that if you get malware installed, it won't have administrative privileges on your computer. This is a very good idea even if you don't do any of the other things.
- Disable all applications that you won't be using. No mail, especially no "Apps". You need a browser. Maybe a text editor. That's about it.
- Eliminate ALL bookmarks from the browser. Add one each for Vanguard and any other secure financial institutions you use. You might consider turning on Parental Controls so that you CAN'T go anywhere else, especially if you are absent-minded or weak-willed.
- Always reboot your computer from this special encrypted disk/partition when accessing financial transactions.
- Never use this disk and login for anything other than your secure financial transactions.
- If you MUST write down your passwords, write them on an index card and put it in a book somewhere. Don't label what the passwords are for. If possible encrypt them in some way, like
reverse pairs of symbols (mypassword -> ymapssowdr)
or reverse the whole thing (mypassword -> drowssapym)
or both (mypassword -> rdwosspamy)
or get creative. You will only use this in the event of a real problem, so it's OK to be complicated.
You expected that some magic talisman would replace due diligence? Think again.
Security and Convenience are mortal enemies.
-Bob. Beeman.
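The salting point in the quoted post above, worked through as an added example (not code from the thread or from any poster): it stores the same constructed accounts once as bare unsalted digests and once with a per-user random salt and a slow key-derivation function, then counts how many stored values are shared between accounts. The account names, passwords and the PBKDF2 iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

# Constructed sample accounts (assumption); two users share a password.
USERS = {"alice": "correct horse 42", "bob": "correct horse 42", "carol": "tr0ub4dor&3"}
ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def unsalted_hash(password: str) -> str:
    """Weak scheme: a bare fast digest, identical for identical passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt)
    return hmac.compare_digest(candidate, expected)


def shared_digests(table: dict) -> int:
    """Number of distinct stored values held by more than one account."""
    return sum(1 for n in Counter(table.values()).values() if n > 1)


def build_tables(users: dict):
    """Return (unsalted table, salted table) for the same accounts."""
    weak = {user: unsalted_hash(pw) for user, pw in users.items()}
    strong = {user: salted_hash(pw) for user, pw in users.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_tables(USERS)
    print("accounts sharing an unsalted digest:", shared_digests(weak))
    print("accounts sharing a salted record:  ", shared_digests(strong))
    salt, digest = strong["alice"]
    print("login check still works:", verify(USERS["alice"], salt, digest))
```

In the unsalted table, one leaked digest exposes every account that reuses that password and a single precomputed lookup covers the whole dump; with per-user salts each record has to be guessed separately at the full work factor.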
Re: Vanguard offers login security code
How much more expensive can it be, when no humans are involved? And yet financial institutions in my state with 1/1000 the assets of Vanguard can manage to provide this service to all their customers, not just people with text capability.
whadyaknow wrote: Sweet. This is a great start. Another way to do this is automated voice calls; but that's more expensive than sending texts. In the spirit of keeping costs low, I'll gladly accept this text-only implementation from Vanguard.
-
- Posts: 714
- Joined: Thu Mar 06, 2014 9:43 pm
Re: Vanguard offers login security code
OP: thanks for posting about the login security code. I signed up and set it to always send a text to my phone when accessing my Vanguard account.
+1 financial account protected with 2-factor authentication without adding to my physical token collection. That puts me at about 50%.
I already have a similar "text message code plus static password" feature from BankOfAmerica. I've used it for years without issue (although one advantage there is that BofA has my DW's phone as well, so one lost phone won't lock us out of our Bank).