Implementing Two-Factor Authentication for Fidelity Accounts


Postby Alskar » Fri Jan 04, 2013 10:19 pm

I don't wish to turn this into a debate about hard vs soft keys or the various shortcomings of various security systems, password lengths, the proper use of special characters or the susceptibility to key-logging malware or how RSA and other soft-keys have been hacked. I am posting the information below as a service to other Bogleheads that have a Fidelity account and a smart phone who wish to implement two-factor authentication on their Fidelity account(s).

Recently, Fidelity began beta-testing a new two-factor authentication system for some accounts. I implemented Fidelity's new two-factor authentication system on my account today. Fidelity is using the VeriSign (now owned by Symantec) VIP Access "soft-key" to implement two-factor authentication. Instead of being carried as a hardware dongle (like the RSA tokens some may be familiar with), the VeriSign soft-key or "security code" is carried as an application on one's smart phone. RSA has had a soft-key app for limited devices (mostly Blackberries) for many years. VeriSign VIP Access seems to have support for more smartphones than RSA.

Here are the steps:

1. You must have an Android, iPhone, Blackberry, or Windows Mobile smart phone. Here's a list of compatible devices: http://vipmobile.verisign.com/home.v. The so-called "security code" is created on your smart phone and presumably synchronized with a central server. Without the key you will be unable to access your Fidelity account even from your home computer. This is to say: If your phone isn't working, you're not getting online access to your account. I haven't tested it yet, but I'm guessing the VIP Access app won't work properly if the phone doesn't have access to the internet via Wi-Fi or the data network.

2. Call Fidelity to see if you're eligible to have this feature on your account. I was led to believe that not every Fidelity customer is eligible for this feature, but I was not told the specific eligibility requirements. I am a so-called "Premium Services" customer at Fidelity. I'm not sure if that made any difference. The "Premium Services Account Executive" checked my account somehow and very quickly determined I was eligible...which was nice!

3. Download the VIP Access application to your phone. This is done differently for different smart phones. I downloaded the free "VIP Access" application from the Apple App Store for my iPhone 3GS running iOS-6 with no issues. I assume that other iOS phones will work as well, but I don't know that for certain. I can't help you with the process for downloading the app for other phones, but it appears that if you click on the link above and then click on the type of phone you have, you can get a link to the app sent to your phone via TM. Alternately you can try entering "m.verisign.com" into your browser.

4. Once the application is installed on your phone and running, call (800) 673-2938 to have Fidelity configure your account to use the "VeriSign Security Code". This is a special number specifically for configuring two-factor authentication. The agent will need the "Credential ID" displayed on your smart phone app to configure your account. In my case, the agent didn't ask for the "Credential ID" by name which caused some confusion. When they ask for a number, give them the "Credential ID".

5. The agent will configure your account to require the "VeriSign Security Code" to access your online Fidelity account.

6. Once enabled, you sign in as you normally do, but after you enter your user name and password a new screen appears requesting your "VeriSign Security Code". Enter the "Security Code" from the VIP Access app on your smart phone and you will be logged in. Note that the "security code" changes every 30 seconds so it's possible to run out of time to enter the code. Just retry with the new code.

I've only had it for a few hours, but it seems to work great!
Lagom är bäst
Alskar
 
Posts: 526
Joined: Wed Jan 06, 2010 11:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby susze » Wed Jan 09, 2013 9:15 pm

Any idea if it works with the mobile app?
susze
 
Posts: 93
Joined: Sun Jul 27, 2008 3:26 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Alskar » Wed Jan 09, 2013 10:43 pm

susze wrote:Any idea if it works with the mobile app?

Unfortunately, not yet. The Fidelity CS rep I spoke with says that Fidelity will be enabling VIP Access for the Fidelity App(s) and for mobile browsers "...soon..." At the current time VIP Access is being beta-tested at Fidelity. Note that Fidelity isn't listed on the VeriSign VIP Access website (except for Fidelity Wealth Management which is a different deal). I assume that Fidelity will be listed as a user once beta-testing is complete.
Lagom är bäst
Alskar
 
Posts: 526
Joined: Wed Jan 06, 2010 11:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby tfb » Wed Jan 09, 2013 11:41 pm

Called twice. The reps refused to enroll me in the beta both times -- "not expanding beyond those who have been invited." I thought about calling that other 800 number directly but I'm not that desperate. I will wait.
Harry Sit, taking a break from the forums.
tfb
 
Posts: 6675
Joined: Mon Feb 19, 2007 6:46 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Saleen » Thu Jan 10, 2013 6:45 pm

I do love that Blizzard uses this type of authentication to protect people's virtual property (game characters) which is worth nothing in the real world, but websites where people can access millions of dollars allow people to use password123 as their password.
Saleen
 
Posts: 53
Joined: Wed Jun 13, 2007 1:08 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Epsilon Delta » Thu Jan 10, 2013 8:34 pm

adamcate wrote:I do love that Blizzard uses this type of authentication to protect people's virtual property (game characters) which is worth nothing in the real world, but websites where people can access millions of dollars allow people to use password123 as their password.

Usually authentication is the only thing protecting virtual property, while real world property is protected by other things, including the legal system and associated men with guns.
Epsilon Delta
 
Posts: 3346
Joined: Thu Apr 28, 2011 8:00 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby blackstone » Thu Jan 10, 2013 8:46 pm

susze wrote:Any idea if it works with the mobile app?

It is usually not a good idea to use a mobile app to login to a site when another app on the same device is the "soft" dongle for multi factor authentication. If you save your password for the app for example, if someone steals your phone, they get access to both the password and the authentication key.
blackstone
 
Posts: 32
Joined: Sun Jan 30, 2011 9:15 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby rohitj » Thu Jan 10, 2013 10:34 pm

I have yet to see a banking app that lets you save your password.

If they enable two-factor, I hope they also give a way of allowing mint.com/other trusted apps to still work. Otherwise it's really discouraging to those that use any sort of software to monitor their accounts.

Ingdirect allows you to create a specific password for aggregators.
rohitj
 
Posts: 32
Joined: Wed Jun 08, 2011 12:07 am

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby ftobin » Thu Jan 10, 2013 10:46 pm

rohitj wrote:If they enable two-factor, I hope they also give a way of allowing mint.com/other trusted apps to still work.

Google allows you to create application-specific passwords. For instance, there is a unique password my Android phone uses for my account, a different one for my mail client, another for my IM client, etc.

These passwords are designed to only be known/viewed once, and the application should save it going forward. If one of the applications is compromised, I can easily revoke the password granted to that device/application.
ftobin
 
Posts: 865
Joined: Fri Mar 20, 2009 4:28 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Alskar » Thu Jan 10, 2013 10:47 pm

adamcate wrote:I do love that Blizzard uses this type of authentication to protect people's virtual property (game characters) which is worth nothing in the real world, but websites where people can access millions of dollars allow people to use password123 as their password.

I got a chuckle out of that myself! World of Warcraft (WoW) uses very lengthy complex passwords, but Vanguard uses 10 character passwords. I suppose it has to do with timing. WoW is new, so they built their system with security in mind. Vanguard's system was built long before the web became commonplace. Vanguard probably wanted to make it easy for clients to enter their passwords on the telephone keypad. Online games need no such convenience.

Nonetheless, I think it is pretty ironic!
Lagom är bäst
Alskar
 
Posts: 526
Joined: Wed Jan 06, 2010 11:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Alskar » Sun Jan 27, 2013 3:26 am

UPDATE: I just switched from using the VIP Access app on my iPhone as the token device to a YubiKey VIP (http://www.yubico.com/products/yubikey-hardware/yubikey-vip/) hardware token. The hardware token is potentially more secure, doesn't require a battery, and is much smaller than my cellphone.

The YubiKey VIP comes preconfigured with the VIP Access credential. With some serious effort I was able to get the same YubiKey to work as the VIP Access token and as the OTP (One Time Password) two-factor authentication device for my LastPass password vault. Yubico's documentation on how this is done is exceedingly poor, but I muddled through. If anybody would like me to post better instructions on how this is done, I will do that upon request. I can save you a couple of hours of frustration.

The YubiKey VIP token was $25 plus $5 shipping. Not cheap, but not crazy expensive either. Since it doesn't have a battery or an LCD display like most HW tokens it is less susceptible to physical damage. It fits on my key ring.

I can now use the same HW token to get into my LastPass password vault and to access VIP Access enabled sites like Ebay, PayPal and Fidelity. As an added bonus, just having this device has renewed my geek license for at least another year, maybe two! :D
Lagom är bäst
Alskar
 
Posts: 526
Joined: Wed Jan 06, 2010 11:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby radioactive » Fri Feb 22, 2013 12:33 pm

I found this thread while looking to enable two-factor for the rest of my accounts. I tried to call Fidelity today, I have a standard account with SEP, Roth, Sole Proprietorship, etc. I called the customer service number on my account page, and spoke to a CSR.

The CSR initially said "Oh, you're calling about the additional security features where we use a code from your smartphone to validate your account." I was initially excited that they'd be able to help, but after a brief hold, the rep came back and said "We'll be introducing wire transfers on 10 March, so just wait 18 more days."

I explained that I wanted two-factor and gave him the "Something you know, plus something you have" pitch, not bank wires. After a short hold, he came back, said "If you log into your Fidelity account from an unknown computer, we'll ask you security questions." I tried one more time, explaining the thread, and the Verisign app, but he didn't budge, and went back to babbling about wire transfers.

Unfortunately, it looks like I'll try again in a couple months :(

<edit>post below has the number to call to set it up, everything works great now</edit>
Last edited by radioactive on Wed Feb 27, 2013 10:44 am, edited 1 time in total.
radioactive
 
Posts: 2
Joined: Fri Feb 22, 2013 12:18 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Postmon » Sat Feb 23, 2013 12:52 pm

I've been using the dongle for years and have been happy with it. The only thing is the security code is not integrated with their mobile site or when you call in.
When you're on the page where you enter your security code, here's what you get if you click on the link for more info:

FAQ for VeriSign VIP Program

What is the new program?
Why are you changing the program?
I already have a VeriSign credential that I use for some of my other online accounts. Can I use the same token on Fidelity.com?
What is a "soft token"?
Are you offering the use of "soft tokens" at this time?
What if I no longer want to use my device?
What if I forget my token and need to log in?

What is the new program?

The new program is a partnership between Fidelity and VeriSign and features several different options for using additional authentication methods. For instance, to generate a unique authentication code every time you log in, you will be able to choose either a physical device that you carry with you or software you download to your computer. If you already have a Fidelity Account Key, we will automatically swap out your current device for one that is very similar.

Why are you changing the program?

The devices used in the current program have batteries that are about to expire. Our new partnership with VeriSign offers more than one option for additional security on your account, providing greater convenience for our customers.

I already have a VeriSign credential that I use for some of my other online accounts. Can I use the same token on Fidelity.com?

A. Yes, you can use your existing credential on Fidelity.com. Just call a Fidelity representative at 800-673-2938 to get set up.

What is a "soft token"?

A soft token is software that generates a code every sixty seconds that can be downloaded to either your mobile phone or to your browser toolbar. It does not require you to carry an additional device with you every time you want to log into your account.

Are you offering the use of "soft tokens" at this time?

Yes, you can use a soft token to generate a code from your mobile device, then log into Fidelity.com. Soft tokens can be downloaded for free at https://idprotect.verisign.com/mainmenu.v. Select either VIP access for Mobile or VIP Access Toolbar. Follow the instructions provided by VeriSign. Currently, we are not supporting the other VeriSign options. You will then need to call a Fidelity representative at 800-673-2938 to activate your credential for your Fidelity accounts.

What if I no longer want to use my device?

You may "opt out" of our program by calling a Fidelity Representative at 800-673-2938.

What if I forget my token and need to log in?

You may still log in by calling a Fidelity Representative at 800-673-2938 and receive a temporary code that will remain valid for 7 days.
Postmon
 
Posts: 104
Joined: Mon Jan 02, 2012 3:46 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby radioactive » Wed Feb 27, 2013 10:42 am

OK,
That was incredibly easy. I called the number from the previous post (+1-800-673-2938) and a representative answered without any wait.

He needed:
-An account number
-Account owner's name
-Full name and date of birth of one of the beneficiaries
-Two securities held in the account
-Credential ID of my soft token (visit m.verisign.com from your mobile browser, and it'll direct you to Google Play or Apple App store to download)

A few seconds later, he had it set up, I logged out and back into Fidelity's website and it prompted me for the six digit code.

I asked why I had so much difficulty the first time I called. The agent said that normally the VIP access is set up for private clients, however if someone already has either a token or soft token with a serial number, they can set it up irrespective of assets in the account.

In total, I was done in 6 minutes. If I hadn't chatted with him at the end, it could have been done in 3.

Thanks!
radioactive
 
Posts: 2
Joined: Fri Feb 22, 2013 12:18 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Postmon » Wed Feb 27, 2013 12:47 pm

I just called and transferred from the dongle to the soft token. Took about a minute! :sharebeer
Postmon
 
Posts: 104
Joined: Mon Jan 02, 2012 3:46 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby KyleAAA » Wed Feb 27, 2013 3:41 pm

I hope Vanguard and my bank get this soon!
KyleAAA
 
Posts: 5356
Joined: Wed Jul 01, 2009 6:35 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Alskar » Thu Feb 28, 2013 9:58 pm

KyleAAA wrote:I hope Vanguard and my bank get this soon!

I just spent a few weeks tilting at the Vanguard windmill. Vanguard feels rather strongly that their current 10 character password (that treats upper-case and lower-case characters as the same) is sufficient. Vanguard needs an intervention IMHO, but I don't have the time or patience to give it to them so I gave up and closed my Vanguard accounts in frustration. All of my assets are now at Fidelity.

Note that the phone number to call was in my original post!

For whatever it's worth, I am no longer using the Verisign VIP Access app on my phone. I switched to using a VIP YubiKey (http://www.yubico.com/products/yubikey- ... bikey-vip/) a month or so ago and I love it.

My brother reported that the Verisign VIP Access app for Android crashes on his phone. When he restarted it, it had a new ID number. He said it was difficult to get into his accounts without the security code. He has since registered with the new ID code and all has been well for a week or so.

I have had zero issues with my VIP YubiKey.
Lagom är bäst
Alskar
 
Posts: 526
Joined: Wed Jan 06, 2010 11:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Alskar » Fri Mar 01, 2013 6:43 pm

I may have spoken too soon. I just got this information from one of Vanguard's Executive Correspondents:

In addition, you mentioned that you were pleased that Fidelity implemented
two-factor authentication on their accounts. Vanguard recently began this
same service to improve the client experience.


Does anybody know anything more about this? Have any of the folks with Flagship status been offered two-factor authentication on their Vanguard accounts?
Lagom är bäst
Alskar
 
Posts: 526
Joined: Wed Jan 06, 2010 11:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby vital15 » Wed Apr 16, 2014 4:51 pm

Thank you all for posting this! It had bothered me for years that Fidelity did not offer this and I just found this thread!

To add to the thread: I did confirm that this now works on the mobile app as well (I tested it myself on the iPad app)
vital15
 
Posts: 31
Joined: Thu Oct 11, 2012 8:15 am

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby brianH » Fri Apr 18, 2014 4:21 pm

Thanks for the tips on this; I didn't know they offered it. I wish they used the more standard TOTP protocol (http://en.wikipedia.org/wiki/Time-based ... _Algorithm) used by Google, Lastpass, etc, but I guess I can understand why a large bank would go with a 'big-name security company' to provide their 2-FA. It would also be nice if you could backup the private key so that changing devices didn't require calling them (tip: put the Symantec software on whatever device you're not likely to change frequently.)

Gentleman I spoke to confirmed that his department (tech) now handles these setups. Same # mentioned earlier: 1-800-673-2938.
brianH
 
Posts: 146
Joined: Wed Aug 12, 2009 1:21 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Alskar » Fri Apr 18, 2014 6:07 pm

I'm very curious to see if the new FIDO U2F standard being driven by Google is going to gain adoption. Here's a link: http://fidoalliance.org/

YubiKey is already demonstrating a FIDO U2F enabled token: http://www.yubico.com/products/yubikey-hardware/yubikey-neo/yubikey-neo-u2f/

FIDO U2F seems like a really slick, open solution that is likely less expensive to host than the Symantec VIP Access or the RSA solutions.
Lagom är bäst
Alskar
 
Posts: 526
Joined: Wed Jan 06, 2010 11:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby papa1 » Tue Apr 22, 2014 3:24 pm

Alskar, in one of your previous posts on this thread, you mentioned the below. I wanted to take you up on your offer since I am finding myself needing to do exactly this.. Thanks in advance for helping explain how this is done, and for all the other useful information you posted on this thread.

"The YubiKey VIP comes preconfigured with the VIP Access credential. With some serious effort I was able to get the same YubiKey to work as the VIP Access token and as the OTP (One Time Password) two-factor authentication device for my LastPass password vault. Yubico's documentation on how this is done is exceedingly poor, but I muddled through. If anybody would like me to post better instructions on how this is done, I will do that upon request. I can save you a couple of hours of frustration."
papa1
 
Posts: 2
Joined: Tue Apr 22, 2014 12:22 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby vital15 » Wed Apr 23, 2014 4:28 pm

papa1 wrote:Alskar, in one of your previous posts on this thread, you mentioned the below. I wanted to take you up on your offer since I am finding myself needing to do exactly this.. Thanks in advance for helping explain how this is done, and for all the other useful information you posted on this thread.

"The YubiKey VIP comes preconfigured with the VIP Access credential. With some serious effort I was able to get the same YubiKey to work as the VIP Access token and as the OTP (One Time Password) two-factor authentication device for my LastPass password vault. Yubico's documentation on how this is done is exceedingly poor, but I muddled through. If anybody would like me to post better instructions on how this is done, I will do that upon request. I can save you a couple of hours of frustration."


I'll echo that request. I am looking into a yubikey too. One of my concerns is that I will lose it. Not a huge issue for fidelity as I would just call but is it possible to get a second one as a backup for the OTP part?
vital15
 
Posts: 31
Joined: Thu Oct 11, 2012 8:15 am

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby serbeer » Thu May 01, 2014 11:35 am

I got the hardware token from Fidelity (which was not easy, they seem to prefer people to use software on the phone instead and I was told there are minimum account balance requirements though I was not told what they are--but I met them).

The funny thing is, access to the site using Net Benefits portal (http://www.401K.com) does not require the code from token (and one can log into it with regular Fidelity login and password--I am not even sure if having retirement accounts with Fidelity is a pre-requisite, but even if it is, many people who use Fidelity have them). All retirement accounts within Net Benefits can be accessed without a token. But if I try to access Individual brokerage accounts or FullView through this portal, it does ask for a token code at that point. I asked the rep about it, and was told Net Benefits "are planning to implement optional two-factor authentication" at some undisclosed point "in the future."

I am still happy I got the token since it was FullView that I was mostly concerned about. I figure it would be much harder for someone to raid retirement accounts than regular brokerage and bank accounts. That said, your retirement accounts at Fidelity are NOT secured with VeriSign, keep that in mind. But don't tell hackers about it :)
serbeer
 
Posts: 868
Joined: Fri Dec 28, 2007 3:09 pm
Location: Chicago

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Alskar » Sat May 03, 2014 1:31 am

I am SO sorry. I've been negligent in checking my posts.

Here are the instructions for configuring one's Yubikey VIP for use with both LastPass and VIP enabled websites like Fidelity, PayPal, Ebay, etc:

1. Download and install the Yubikey Personalization Tool from the Yubico website at: http://www.yubico.com/products/services-software/personalization-tools/use/
2. Insert your Yubikey VIP token into a USB slot
3. Run the Yubikey Personalization Tool (this is platform dependent, on a PC go to START >> All Programs >> Yubico >> Yubikey Personalization Tool)
4. When the Personalization Tools opens it should say "YubiKey is inserted" in the upper right-hand corner
5. Click on Update Settings (5th green arrow down on version 3.1.14)
6. This is the step I found confusing: Click on the button that says "Update Settings". This does NOT update your settings. It takes you to a screen where you can update your settings. Yes, I know...dumb.
7. My key is already programmed, so this step may be a bit off (I'm going from memory). There is a check box marked "Configuration Slot 2". Check this box.
8. Uncheck the box that says "Dormant"
9. If you're using both LastPass and VIP (as I am) click on the "Update" button. This will make the OATH configuration in Slot 2 active (not dormant)
10. Click on the "Swap" button if you want OATH in Slot 1 (Easier for LastPass)
11. Click the "Update" button
12. Close the Yubikey Personalization Tool

This will put OATH (LastPass) support in Slot 1 and Symantec VIP access in Slot 2. Slot 1 is accessed by a brief touch of the gold button on the Yubikey. Slot 2 is accessed by pressing and holding the button for 2-3 seconds. You can swap Slot 1 and Slot 2 functionality at any time using the Personalization Tool.

If you're only using the Yubikey for Symantec VIP access, you will likely find it easier to keep the VIP configuration in Slot 1. Since I use my Yubikey for LastPass (OATH) authentication, and I do that more often than VIP authentication, I keep VIP in Slot 2 (press and hold for 2-3 seconds).

Let me know if you have any questions. I promise to check in more often.
Last edited by Alskar on Fri May 16, 2014 12:11 pm, edited 1 time in total.
Lagom är bäst
Alskar
 
Posts: 526
Joined: Wed Jan 06, 2010 11:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Alskar » Sat May 03, 2014 1:36 am

vital15 wrote:
papa1 wrote:Alskar, in one of your previous posts on this thread, you mentioned the below. I wanted to take you up on your offer since I am finding myself needing to do exactly this.. Thanks in advance for helping explain how this is done, and for all the other useful information you posted on this thread.

"The YubiKey VIP comes preconfigured with the VIP Access credential. With some serious effort I was able to get the same YubiKey to work as the VIP Access token and as the OTP (One Time Password) two-factor authentication device for my LastPass password vault. Yubico's documentation on how this is done is exceedingly poor, but I muddled through. If anybody would like me to post better instructions on how this is done, I will do that upon request. I can save you a couple of hours of frustration."


I'll echo that request. I am looking into a yubikey too. One of my concerns is that I will lose it. Not a huge issue for fidelity as I would just call but is it possible to get a second one as a backup for the OTP part?

I keep a backup Yubikey in a safe place in case I lose my primary Yubikey. I do this because there is no way to reset my LastPass account (which is way more secure) so if I lost my Yubikey there would be no way to retrieve my passwords from LastPass. It is possible to access Fidelity without one's VIP token by calling Fidelity.

Does that help?
Lagom är bäst
Alskar
 
Posts: 526
Joined: Wed Jan 06, 2010 11:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby vital15 » Mon May 05, 2014 10:45 am

Thanks! Are both of your yubikeys the "Yubikey VIP?"
vital15
 
Posts: 31
Joined: Thu Oct 11, 2012 8:15 am

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Alskar » Tue May 06, 2014 1:36 pm

vital15 wrote:Thanks! Are both of your yubikeys the "Yubikey VIP?"

No, one is just a standard OTP (OATH) enabled YubiKey for accessing LastPass in case I lose my primary Yubikey VIP. I can always call customer service at Fidelity and get my account registered to a different Yubikey VIP, but without a Yubikey of some type I cannot access LastPass.
Lagom är bäst
Alskar
 
Posts: 526
Joined: Wed Jan 06, 2010 11:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby papa1 » Fri May 16, 2014 4:56 am

Thanks Alskar! I haven't received my Yubikey VIP yet, but I'll be going through your instructions when I get it. I'm sure you saved me a bunch of time..
papa1
 
Posts: 2
Joined: Tue Apr 22, 2014 12:22 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby letsgobobby » Mon Jul 14, 2014 3:21 am

So... do Fido and Vanguard both offer two factor to everyone? Is there a secret club one needs to join?
letsgobobby
 
Posts: 6904
Joined: Fri Sep 18, 2009 2:10 am

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Alskar » Tue Jul 15, 2014 2:37 pm

letsgobobby wrote:So... do Fido and Vanguard both offer two factor to everyone? Is there a secret club one needs to join?

I can't speak for Vanguard, but Fidelity seems to be picking and choosing who they let into the club. I just gave Fidelity a call and they walked me through the steps I listed at the top of this thread. Once I had the token (VIP YubiKey in my case) I just called (800) 673-2938 (special number for setting up two-factor authentication) and they set me up. I don't know what criteria Fidelity is using to decide who gets to use two-factor authentication. I'm a "Premium Services" customer and I log on nearly every day. Maybe that's why I got into the club. The Finance Buff said he was turned down. I personally think they're just trying to roll out the service slowly enough that they don't get overwhelmed.
Lagom är bäst
Alskar
 
Posts: 526
Joined: Wed Jan 06, 2010 11:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby letsgobobby » Sat Jul 19, 2014 9:23 am

The rep didn't say yes or no, he just sounded completely clueless. "Two what...?" Is there a department I should be talking to?
letsgobobby
 
Posts: 6904
Joined: Fri Sep 18, 2009 2:10 am

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby ASUGrad » Sun Jul 20, 2014 7:20 pm

I tried on the Vanguard website. Couldn't find anything for setting it up. Might try calling on Monday. If it's a new thing probably worth asking for the department that offers website help instead of the guys that just do trades.

I did however find a thing that lets you limit 'which' computers can access the VG website. So you could set it to only a few computers I guess. That is pretty safe. If you aren't home you would just have to call or use the mobile app.

Then of course there is also the trick where you set all your security questions up as secondary passwords. What's your first pet's name? 1Pu23pp45y6

Vanguard always asks for a security question unless you're on a computer that you've labeled as your computer.
ASUGrad
 
Posts: 229
Joined: Sun Oct 20, 2013 9:09 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby 1530jesup » Sun Jul 20, 2014 7:34 pm

letsgobobby wrote:So... do Fido and Vanguard both offer two factor to everyone? Is there a secret club one needs to join?

Not sure why but on several sites - including Vanguard's - I always get the pop up security question. At first I was annoyed and then realized this is just fine with me. The question keeps coming up even though I check off that I am using my own computer. Even with a new PC, same thing happens, not recognizing the computer, with my major credit card provider as well. But log ins flow right along with my bank and other credit cards. Been that way for years, figure there is something in the machine causing hiccups but my virus and malware protection (presumably) keep me safe...
efficiency is not all it's cracked up to be, do you want to live your life in half the time it takes the average person? Rhymes With Orange | Rich
1530jesup
 
Posts: 882
Joined: Sat Nov 03, 2007 12:19 am
Location: South Florida

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Alskar » Mon Jul 21, 2014 12:36 pm

letsgobobby wrote:The rep didn't say yes or no, he just sounded completely clueless. "Two what...?" Is there a department I should be talking to?

Call Fidelity at: (800) 673-2938. This will take you directly to the right group. If you want to talk to your regular account executive use this phrase: "Symantec Verisign VIP two-factor authentication". This is the particular two-factor authentication that Fidelity is using. If that doesn't work, call it "the security fob" or "the security token".
Lagom är bäst
Alskar
 
Posts: 526
Joined: Wed Jan 06, 2010 11:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Rob5TCP » Mon Jul 21, 2014 12:42 pm

Every time I talk to Vanguard (about anything) I bring up 2 factor authentication. They are now one of the few main financial institutions I deal with that don't use it.
Rob5TCP
 
Posts: 1832
Joined: Tue Jun 05, 2007 8:34 pm
Location: New York, NY

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Austintatious » Sat Aug 16, 2014 6:55 pm

Actually, Vanguard does offer a form of two factor authorization, by allowing the investor to restrict access to accounts only from a specified computer. The downside, of course, would be that one could not access accounts when that device is not readily available but the capacity to prevent others from accessing one's accounts via any other device seems to be a pretty respectable security function.
Austintatious
 
Posts: 440
Joined: Thu Sep 13, 2012 8:01 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby TDAlmighty » Sun Aug 17, 2014 12:50 pm

Austintatious wrote:Actually, Vanguard does offer a form of two factor authorization, by allowing the investor to restrict access to accounts only from a specified computer. The downside, of course, would be that one could not access accounts when that device is not readily available but the capacity to prevent others from accessing one's accounts via any other device seems to be a pretty respectable security function.


First, when you go through the steps of turning this on Vanguard actually recommends AGAINST using it...which can't be a good sign.

Secondly, Vanguard's 2nd factor authentication (either done via IP address or cookie) is static, meaning that a hacker could simply figure out your IP (phishing, malware, infected cookies/websites, bad actor at legitimate website, etc.) and spoof it in order to circumvent the 2nd factor for any number of sessions until you or Vanguard discovers the hack. This is the equivalent of just having a secondary password that NEVER changes. Compare this to Fidelity which has a changing/random 2nd factor authentication that requires you to have the secondary device.

Because the hacker would not actually be required to have the secondary device to authenticate AND the 2nd factor is static, I think it is a stretch to call Vanguard's system true 2 factor authentication.

In conclusion, while it is better than nothing, I do not believe the two systems are comparable in terms of convenience or security.
TDAlmighty
 
Posts: 116
Joined: Fri Dec 06, 2013 2:01 pm
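
The distinction drawn in the post above between a static second factor and a changing one, as an added example that is not part of the original thread: a captured static device token verifies on every replay, while a one-time code is rejected once it has been used or its time step has passed. RFC 6238 TOTP stands in for the changing code (the thread does not say which algorithm Fidelity's token uses); the function names, the cookie value and the one-step acceptance window are assumptions, and the secret and time are the RFC's published test values.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)

def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for Unix time `at`."""
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret, submitted, now, used_steps, window=1):
    """Accept a code only near the current time step, and only once."""
    current = now // STEP
    for step in range(max(0, current - window), current + window + 1):
        if step in used_steps:
            continue  # this step's code was already spent: replay
        if hmac.compare_digest(totp(secret, step * STEP), submitted):
            used_steps.add(step)
            return True
    return False

def verify_static(registered: str, submitted: str) -> bool:
    """Static factor (device cookie): same value is valid indefinitely."""
    return hmac.compare_digest(registered, submitted)

def replay_demo() -> dict:
    secret = b"12345678901234567890"      # RFC 6238 test key
    cookie = "constructed-device-cookie"  # constructed sample value
    used, t0 = set(), 59                  # t0: RFC 6238 test time
    code = totp(secret, t0)               # what an observer captures
    return {
        "totp_first_use": verify_totp(secret, code, t0, used),
        "totp_replay_same_step": verify_totp(secret, code, t0, used),
        "totp_replay_later": verify_totp(secret, code, t0 + 90, used),
        "static_first_use": verify_static(cookie, cookie),
        "static_replay_later": verify_static(cookie, cookie),
    }

if __name__ == "__main__":
    for name, accepted in replay_demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The `used_steps` set is what blocks a replay inside the same 30-second step; without it a one-time code would still be reusable until its window closed.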

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Austintatious » Sun Aug 17, 2014 1:09 pm

TDAlmighty wrote:
Austintatious wrote:Actually, Vanguard does offer a form of two factor authorization, by allowing the investor to restrict access to accounts only from a specified computer. The downside, of course, would be that one could not access accounts when that device is not readily available but the capacity to prevent others from accessing one's accounts via any other device seems to be a pretty respectable security function.


First, when you go through the steps of turning this on Vanguard actually recommends AGAINST using it...which can't be a good sign.

Secondly, Vanguard's 2nd factor authentication (either done via IP address or cookie) is static, meaning that a hacker could simply figure out your IP (phishing, malware, infected cookies/websites, bad actor at legitimate website, etc.) and spoof it in order to circumvent the 2nd factor for any number of sessions until you or Vanguard discovers the hack. This is the equivalent of just having a secondary password that NEVER changes. Compare this to Fidelity which has a changing/random 2nd factor authentication that requires you to have the secondary device.

Because the hacker would not actually be required to have the secondary device to authenticate AND the 2nd factor is static, I think it is a stretch to call Vanguard's system true 2 factor authentication.

In conclusion, while it is better than nothing, I do not believe the two systems are comparable in terms of convenience or security.


While I'd gladly continue to forego some of that "convenience" to achieve a high level of security, I think you've well made your point and I'm feeling a bit less secure than just a few moments ago. It may be time to join those asking Vanguard for a better or "true" 2 factor authentication. Thanks for responding.
Austintatious
 
Posts: 440
Joined: Thu Sep 13, 2012 8:01 pm
