Implementing Two-Factor Authentication for Fidelity Accounts


Postby Alskar » Fri Jan 04, 2013 10:19 pm

I don't wish to turn this into a debate about hard vs soft keys or the various shortcomings of various security systems, password lengths, the proper use of special characters or the susceptibility to key-logging malware or how RSA and other soft-keys have been hacked. I am posting the information below as a service to other Bogleheads that have a Fidelity account and a smart phone who wish to implement two-factor authentication on their Fidelity account(s).

Recently, Fidelity began beta-testing a new two-factor authentication system for some accounts. I implemented Fidelity's new two-factor authentication system on my account today. Fidelity is using the VeriSign (now owned by Symantec) VIP Access "soft-key" to implement two-factor authentication. Instead of being carried as a hardware dongle (like the RSA tokens some may be familiar with), the VeriSign soft-key or "security code" is carried as an application on one's smart phone. RSA has had a soft-key app for limited devices (mostly Blackberries) for many years. VeriSign VIP Access seems to have support for more smartphones than RSA.

Here are the steps:

1. You must have an Android, iPhone, Blackberry, or Windows Mobile smart phone. Here's a list of compatible devices: http://vipmobile.verisign.com/home.v. The so-called "security code" is created on your smart phone and presumably synchronized with a central server. Without the key you will be unable to access your Fidelity account even from your home computer. This is to say: If your phone isn't working, you're not getting online access to your account. I haven't tested it yet, but I'm guessing the VIP Access app won't work properly if the phone doesn't have access to the internet via Wi-Fi or the data network.

2. Call Fidelity to see if you're eligible to have this feature on your account. I was led to believe that not every Fidelity customer is eligible for this feature, but I was not told the specific eligibility requirements. I am a so-called "Premium Services" customer at Fidelity. I'm not sure if that made any difference. The "Premium Services Account Executive" checked my account somehow and very quickly determined I was eligible...which was nice!

3. Download the VIP Access application to your phone. This is done differently for different smart phones. I downloaded the free "VIP Access" application from the Apple App Store for my iPhone 3GS running iOS-6 with no issues. I assume that other iOS phones will work as well, but I don't know that for certain. I can't help you with the process for downloading the app for other phones, but it appears that if you click on the link above and then click on the type of phone you have, you can get a link to the app sent to your phone via TM. Alternately you can try entering "m.verisign.com" into your browser.

4. Once the application is installed on your phone and running, call (800) 673-2938 to have Fidelity configure your account to use the "VeriSign Security Code". This is a special number specifically for configuring two-factor authentication. The agent will need the "Credential ID" displayed on your smart phone app to configure your account. In my case, the agent didn't ask for the "Credential ID" by name which caused some confusion. When they ask for a number, give them the "Credential ID".

5. The agent will configure your account to require the "VeriSign Security Code" to access your online Fidelity account.

6. Once enabled, you sign in as you normally do, but after you enter your user name and password a new screen appears requesting your "VeriSign Security Code". Enter the "Security Code" from the VIP Access app on your smart phone and you will be logged in. Note that the "security code" changes every 30 seconds so it's possible to run out of time to enter the code. Just retry with the new code.

I've only had it for a few hours, but it seems to work great!
Lagom är bäst
Alskar
 
Posts: 457
Joined: 6 Jan 2010
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby susze » Wed Jan 09, 2013 9:15 pm

Any idea if it works with the mobile app?
susze
 
Posts: 91
Joined: 27 Jul 2008

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Alskar » Wed Jan 09, 2013 10:43 pm

susze wrote:Any idea if it works with the mobile app?

Unfortunately, not yet. The Fidelity CS rep I spoke with says that Fidelity will be enabling VIP Access for the Fidelity App(s) and for mobile browsers "...soon..." At the current time VIP Access is being beta-tested at Fidelity. Note that Fidelity isn't listed on the VeriSign VIP Access website (except for Fidelity Wealth Management which is a different deal). I assume that Fidelity will be listed as a user once beta-testing is complete.
Lagom är bäst
Alskar
 
Posts: 457
Joined: 6 Jan 2010
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby tfb » Wed Jan 09, 2013 11:41 pm

Called twice. The reps refused to enroll me in the beta both times -- "not expanding beyond those who have been invited." I thought about calling that other 800 number directly but I'm not that desperate. I will wait.
Harry Sit, taking a break from the forums.
tfb
 
Posts: 6622
Joined: 19 Feb 2007

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Saleen » Thu Jan 10, 2013 6:45 pm

I do love that Blizzard uses this type of authentication to protect people's virtual property (game characters) which is worth nothing in the real world, but websites where people can access millions of dollars allow people to use password123 as their password.
Saleen
 
Posts: 52
Joined: 13 Jun 2007

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Epsilon Delta » Thu Jan 10, 2013 8:34 pm

adamcate wrote:I do love that Blizzard uses this type of authentication to protect people's virtual property (game characters) which is worth nothing in the real world, but websites where people can access millions of dollars allow people to use password123 as their password.

Usually authentication is the only thing protecting virtual property, while real world property is protected by other things, including the legal system and associated men with guns.
Epsilon Delta
 
Posts: 3077
Joined: 28 Apr 2011

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby blackstone » Thu Jan 10, 2013 8:46 pm

susze wrote:Any idea if it works with the mobile app?

It is usually not a good idea to use a mobile app to login to a site when another app on the same device is the "soft" dongle for multi factor authentication. If you save your password for the app for example, if someone steals your phone, they get access to both the password and the authentication key.
blackstone
 
Posts: 30
Joined: 30 Jan 2011

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby rohitj » Thu Jan 10, 2013 10:34 pm

I have yet to see a banking app that lets you save your password.

If they enable two-factor, I hope they also give a way of allowing mint.com/other trusted apps to still work. Otherwise it's really discouraging to those that use any sort of software to monitor their accounts.

Ingdirect allows you to create a specific password for aggregators.
rohitj
 
Posts: 32
Joined: 8 Jun 2011

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby ftobin » Thu Jan 10, 2013 10:46 pm

rohitj wrote:If they enable two-factor, I hope they also give a way of allowing mint.com/other trusted apps to still work.

Google allows you to create application-specific passwords. For instance, there is a unique password my Android phone uses for my account, a different one for my mail client, another for my IM client, etc.

These passwords are designed to only be known/viewed once, and the application should save it going forward. If one of the applications is compromised, I can easily revoke the password granted to that device/application.
ftobin
 
Posts: 833
Joined: 20 Mar 2009

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Alskar » Thu Jan 10, 2013 10:47 pm

adamcate wrote:I do love that Blizzard uses this type of authentication to protect people's virtual property (game characters) which is worth nothing in the real world, but websites where people can access millions of dollars allow people to use password123 as their password.

I got a chuckle out of that myself! World of Warcraft (WoW) uses very lengthy complex passwords, but Vanguard uses 10 character passwords. I suppose it has to do with timing. WoW is new, so they built their system with security in mind. Vanguard's system was built long before the web became commonplace. Vanguard probably wanted to make it easy for clients to enter their passwords on the telephone keypad. Online games need no such convenience.

Nonetheless, I think it is pretty ironic!
Lagom är bäst
Alskar
 
Posts: 457
Joined: 6 Jan 2010
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Alskar » Sun Jan 27, 2013 3:26 am

UPDATE: I just switched from using the VIP Access app on my iPhone as the token device to a YubiKey VIP (http://www.yubico.com/products/yubikey-hardware/yubikey-vip/) hardware token. The hardware token is potentially more secure, doesn't require a battery, and is much smaller than my cellphone.

The YubiKey VIP comes preconfigured with the VIP Access credential. With some serious effort I was able to get the same YubiKey to work as the VIP Access token and as the OTP (One Time Password) two-factor authentication device for my LastPass password vault. Yubico's documentation on how this is done is exceedingly poor, but I muddled through. If anybody would like me to post better instructions on how this is done, I will do that upon request. I can save you a couple of hours of frustration.

The YubiKey VIP token was $25 plus $5 shipping. Not cheap, but not crazy expensive either. Since it doesn't have a battery or an LCD display like most HW tokens it is less susceptible to physical damage. It fits on my key ring.

I can now use the same HW token to get into my LastPass password vault and to access VIP Access enabled sites like Ebay, PayPal and Fidelity. As an added bonus, just having this device has renewed my geek license for at least another year, maybe two! :D
Lagom är bäst
Alskar
 
Posts: 457
Joined: 6 Jan 2010
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby radioactive » Fri Feb 22, 2013 12:33 pm

I found this thread while looking to enable two-factor for the rest of my accounts. I tried to call Fidelity today, I have a standard account with SEP, Roth, Sole Proprietorship, etc. I called the customer service number on my account page, and spoke to a CSR.

The CSR initially said "Oh, you're calling about the additional security features where we use a code from your smartphone to validate your account." I was initially excited that they'd be able to help, but after a brief hold, the rep came back and said "We'll be introducing wire transfers on 10 March, so just wait 18 more days."

I explained that I wanted two-factor and gave him the "Something you know, plus something you have" pitch, not bank wires. After a short hold, he came back, said "If you log into your Fidelity account from an unknown computer, we'll ask you security questions." I tried one more time, explaining the thread, and the Verisign app, but he didn't budge, and went back to babbling about wire transfers.

Unfortunately, it looks like I'll try again in a couple months :(

<edit>post below has the number to call to set it up, everything works great now</edit>
Last edited by radioactive on Wed Feb 27, 2013 10:44 am, edited 1 time in total.
radioactive
 
Posts: 2
Joined: 22 Feb 2013

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Postmon » Sat Feb 23, 2013 12:52 pm

I've been using the dongle for years and have been happy with it. The only thing is the security code is not integrated with their mobile site or when you call in.
When you're on the page where you enter your security code, here's what you get if you click on the link for more info:

FAQ for VeriSign VIP Program

What is the new program?
Why are you changing the program?
I already have a VeriSign credential that I use for some of my other online accounts. Can I use the same token on Fidelity.com?
What is a "soft token"?
Are you offering the use of "soft tokens" at this time?
What if I no longer want to use my device?
What if I forget my token and need to log in?

What is the new program?

The new program is a partnership between Fidelity and VeriSign and features several different options for using additional authentication methods. For instance, to generate a unique authentication code every time you log in, you will be able to choose either a physical device that you carry with you or software you download to your computer. If you already have a Fidelity Account Key, we will automatically swap out your current device for one that is very similar.
Why are you changing the program?

The devices used in the current program have batteries that are about to expire. Our new partnership with VeriSign offers more than one option for additional security on your account, providing greater convenience for our customers.
I already have a VeriSign credential that I use for some of my other online accounts. Can I use the same token on Fidelity.com?

A. Yes, you can use your existing credential on Fidelity.com. Just call a Fidelity representative at 800-673-2938 to get set up.
What is a "soft token"?

A soft token is software that generates a code every sixty seconds that can be downloaded to either your mobile phone or to your browser toolbar. It does not require you to carry an additional device with you every time you want to log into your account.
Are you offering the use of "soft tokens" at this time?

Yes, you can use a soft token to generate a code from your mobile device, then log into Fidelity.com. Soft tokens can be downloaded for free at https://idprotect.verisign.com/mainmenu.v. Select either VIP access for Mobile or VIP Access Toolbar. Follow the instructions provided by VeriSign. Currently, we are not supporting the other VeriSign options. You will then need to call a Fidelity representative at 800-673-2938 to activate your credential for your Fidelity accounts.
What if I no longer want to use my device?

You may "opt out" of our program by calling a Fidelity Representative at 800-673-2938.
What if I forget my token and need to log in?

You may still log in by calling a Fidelity Representative at 800-673-2938 and receive a temporary code that will remain valid for 7 days.
Postmon
 
Posts: 96
Joined: 2 Jan 2012

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby radioactive » Wed Feb 27, 2013 10:42 am

OK,
That was incredibly easy. I called the number from the previous post (+1-800-673-2938) and a representative answered without any wait.

He needed:
-An account number
-Account owners name
-Full name and date of birth of one of the beneficiaries
-Two securities held in the account
-Credential ID of my soft token (visit m.verisign.com from your mobile browser, and it'll direct you to Google Play or Apple App store to download)

A few seconds later, he had it set up, I logged out and back into Fidelity's website and it prompted me for the six digit code.

I asked why I had so much difficulty the first time I called. The agent said that normally the VIP access is set up for private clients, however if someone already has either a token or soft token with a serial number, they can set it up irrespective of assets in the account.

In total, I was done in 6 minutes. If I hadn't chatted with him at the end, it could have been done in 3.

Thanks!
radioactive
 
Posts: 2
Joined: 22 Feb 2013

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Postmon » Wed Feb 27, 2013 12:47 pm

I just called and transferred from the dongle to the soft token. Took about a minute! :sharebeer
Postmon
 
Posts: 96
Joined: 2 Jan 2012

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby KyleAAA » Wed Feb 27, 2013 3:41 pm

I hope Vanguard and my bank get this soon!
KyleAAA
 
Posts: 5182
Joined: 1 Jul 2009

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Alskar » Thu Feb 28, 2013 9:58 pm

KyleAAA wrote:I hope Vanguard and my bank get this soon!

I just spent a few weeks tilting at the Vanguard windmill. Vanguard feels rather strongly that their current 10 character password (that treats upper-case and lower-case characters as the same) is sufficient. Vanguard needs an intervention IMHO, but I don't have the time or patience to give it to them so I gave up and closed my Vanguard accounts in frustration. All of my assets are now at Fidelity.

Note that the phone number to call was in my original post!

For whatever it's worth, I am no longer using the Verisign VIP Access app on my phone. I switched to using a VIP YubiKey (http://www.yubico.com/products/yubikey- ... bikey-vip/) a month or so ago and I love it.

My brother reported that the Verisign VIP Access app for Android crashes on his phone. When he restarted it, it had a new ID number. He said it was difficult to get into his accounts without the security code. He has since registered with the new ID code and all has been well for a week or so.

I have had zero issues with my VIP YubiKey.
Lagom är bäst
Alskar
 
Posts: 457
Joined: 6 Jan 2010
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Alskar » Fri Mar 01, 2013 6:43 pm

I may have spoken too soon. I just got this information from one of Vanguard's Executive Correspondents:

In addition, you mentioned that you were pleased that Fidelity implemented
two-factor authentication on their accounts. Vanguard recently began this
same service to improve the client experience.


Does anybody know anything more about this? Have any of the folks with Flagship status been offered two-factor authentication on their Vanguard accounts?
Lagom är bäst
Alskar
 
Posts: 457
Joined: 6 Jan 2010
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby vital15 » Wed Apr 16, 2014 4:51 pm

Thank you all for posting this! It had bothered me for years that Fidelity did not offer this and I just found this thread!

To add to the thread: I did confirm that this now works on the mobile app as well (I tested it myself on the iPad app)
vital15
 
Posts: 25
Joined: 11 Oct 2012

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby brianH » Fri Apr 18, 2014 4:21 pm

Thanks for the tips on this; I didn't know they offered it. I wish they used the more standard TOTP protocol (http://en.wikipedia.org/wiki/Time-based ... _Algorithm) used by Google, Lastpass, etc, but I guess I can understand why a large bank would go with a 'big-name security company' to provide their 2-FA. It would also be nice if you could backup the private key so that changing devices didn't require calling them (tip: put the Symantec software on whatever device you're not likely to change frequently.)

Gentleman I spoke to confirmed that his department (tech) now handles these setups. Same # mentioned earlier: 1-800-673-2938.
brianH
 
Posts: 142
Joined: 12 Aug 2009

Re: Implementing Two-Factor Authentication for Fidelity Acco

Postby Alskar » Fri Apr 18, 2014 6:07 pm

I'm very curious to see if the new FIDO U2F standard being driven by Google is going to gain adoption. Here's a link: http://fidoalliance.org/

YubiKey is already demonstrating a FIDO U2F enabled token: http://www.yubico.com/products/yubikey-hardware/yubikey-neo/yubikey-neo-u2f/

FIDO U2F seems like a really slick, open solution that is likely less expensive to host than the Symantec VIP Access or the RSA solutions.
Lagom är bäst
Alskar
 
Posts: 457
Joined: 6 Jan 2010
Location: Oregon

