Most secure Two factor authentication out of Fidelity, Vanguard, Charles Schwab?

Have a question about your personal investments? No matter how simple or complex, you can ask it here.
grenadaRocks
Posts: 29
Joined: Sat Mar 11, 2017 10:33 pm

Re: Most secure Two factor authentication out of Fidelity, Vanguard, Charles Schwab?

Post by grenadaRocks »

I was on the Vanguard site and could not find instructions on how to set up Vanguard accounts with a YubiKey. Can you post a link please?

Can a Yubikey be shared across accounts?

Can there me more than one YubiKey on an account (as with joint accounts, or to keep one in a safe)?
User avatar
HomerJ
Posts: 21246
Joined: Fri Jun 06, 2008 12:50 pm

Re: Most secure Two factor authentication out of Fidelity, Vanguard, Charles Schwab?

Post by HomerJ »

grenadaRocks wrote: Sat Nov 13, 2021 12:26 pm I was on the Vanguard site and could not find instructions on how to set up Vanguard accounts with a YubiKey. Can you post a link please?

Can a Yubikey be shared across accounts?

Can there me more than one YubiKey on an account (as with joint accounts, or to keep one in a safe)?
Top right - Profile and Account Settings
Scroll down to Security settings
Click on Security Key

You can indeed share the same key across accounts, and you can have more than one Yubikey per account. I have currently have one that is shared for both my account and my wife's account. I plan to get a second one to register on both accounts in case we lose the first one. Waiting for a Cyber-Monday sale I guess.
"The best tools available to us are shovels, not scalpels. Don't get carried away." - vanBogle59
bacon4retirement
Posts: 107
Joined: Sun Apr 19, 2020 9:59 pm

Re: Most secure Two factor authentication out of Fidelity, Vanguard, Charles Schwab?

Post by bacon4retirement »

anon_investor wrote: Thu Nov 11, 2021 9:16 pm
bacon4retirement wrote: Thu Nov 11, 2021 8:50 pm
VictorStarr wrote: Fri Apr 16, 2021 3:36 pm Fidelity also support "Money transfer lockdown" - blocking the ability to electronically move money out of your accounts.
As far as I can tell, the Fidelity lockdown feature provides no additional security. Turning off the lockdown requires nothing beyond being logged in to your account. I really wish they had the option to set a 3 day delay on unlocking the account.
Unlocking it does trigger 2FA again, so better than nothing...
When I turned off lockdown today, there was no additional 2FA request. It does send an email notification that lockdown was turned off. In the event a hacker was able to access my account, I am not sure if they could turn off lockdown and empty my account faster than I could actually reach a live person at Fidelity.
Wrench
Posts: 1046
Joined: Sun Apr 28, 2019 10:21 am

Re: Most secure Two factor authentication out of Fidelity, Vanguard, Charles Schwab?

Post by Wrench »

Cheez-It Guy wrote: Thu Apr 15, 2021 3:44 pm Vanguard with a hardware key, and set SMS backup to a landline phone that doesn't support SMS? Or use a known fake number? Maybe use Vanguard's own customer service number as your SMS backup! Basically just intentionally sabotage your backup verification method.
I set my Vanguard backup phone to a google voice number. It will accept texts, but is not vulnerable to hacks the way mobile phones are.

Wrench
passive101
Posts: 629
Joined: Tue May 05, 2020 2:47 pm

Re: Most secure Two factor authentication out of Fidelity, Vanguard, Charles Schwab?

Post by passive101 »

M1 Finance can use Google Authenticator

Not sure if that's helpful, but it is the one I ideally like.
DetroitRick
Posts: 1479
Joined: Wed Mar 23, 2016 9:28 am
Location: SE Michigan

Re: Most secure Two factor authentication out of Fidelity, Vanguard, Charles Schwab?

Post by DetroitRick »

FlyingMoose wrote: Thu Nov 11, 2021 10:14 pm
DetroitRick wrote: Wed Apr 14, 2021 1:15 pm Schwab's 2FA can be set up with Symantec VIP using either a physical token or the app. I've been using the token(s) for a few years now (don't recall but at least 3 years).
Do you know if this works with the USB version of the token, or only the one with the LCD display?

The one with the display is time-based and the USB one is OTP based but they both produce a 6-digit code.
Sorry, I just don't know for sure. Their FAQ's etc. don't specifically cite that USB version. But unless somebody else here knows, it's probably worth asking about.
User avatar
anon_investor
Posts: 15111
Joined: Mon Jun 03, 2019 1:43 pm

Re: Most secure Two factor authentication out of Fidelity, Vanguard, Charles Schwab?

Post by anon_investor »

Cheez-It Guy wrote: Thu Apr 15, 2021 3:44 pm Vanguard with a hardware key, and set SMS backup to a landline phone that doesn't support SMS? Or use a known fake number? Maybe use Vanguard's own customer service number as your SMS backup! Basically just intentionally sabotage your backup verification method.
Vanguard won't let you do that. As you set up your SMS 2FA, it makes you verify that the number can receive a code, and you have to enter it. Therefore, Yubikey at Vanguard is only as secure as your SMS 2FA. I personally use a Google Voice number for my SMS 2FA. My Google account is secured by Google Authenticator app (not SMS), so safe from a SIM swap attack. I still want to buy a Yubikey (waiting for a sale), as that would help thwart website spoofing attacks.
User avatar
Cheez-It Guy
Posts: 4005
Joined: Sun Mar 03, 2019 3:20 pm

Re: Most secure Two factor authentication out of Fidelity, Vanguard, Charles Schwab?

Post by Cheez-It Guy »

anon_investor wrote: Mon Nov 15, 2021 2:27 pm
Cheez-It Guy wrote: Thu Apr 15, 2021 3:44 pm Vanguard with a hardware key, and set SMS backup to a landline phone that doesn't support SMS? Or use a known fake number? Maybe use Vanguard's own customer service number as your SMS backup! Basically just intentionally sabotage your backup verification method.
Vanguard won't let you do that. As you set up your SMS 2FA, it makes you verify that the number can receive a code, and you have to enter it. Therefore, Yubikey at Vanguard is only as secure as your SMS 2FA. I personally use a Google Voice number for my SMS 2FA. My Google account is secured by Google Authenticator app (not SMS), so safe from a SIM swap attack. I still want to buy a Yubikey (waiting for a sale), as that would help thwart website spoofing attacks.
Yeah, someone else correctly pointed that out previously. Does it force you to set up the backup method? It's been too long since I configured. Couldn't you still use a landline phone number you own? That's also not susceptible to a SIM swap attack (no SIM).
User avatar
anon_investor
Posts: 15111
Joined: Mon Jun 03, 2019 1:43 pm

Re: Most secure Two factor authentication out of Fidelity, Vanguard, Charles Schwab?

Post by anon_investor »

Cheez-It Guy wrote: Mon Nov 15, 2021 7:28 pm
anon_investor wrote: Mon Nov 15, 2021 2:27 pm
Cheez-It Guy wrote: Thu Apr 15, 2021 3:44 pm Vanguard with a hardware key, and set SMS backup to a landline phone that doesn't support SMS? Or use a known fake number? Maybe use Vanguard's own customer service number as your SMS backup! Basically just intentionally sabotage your backup verification method.
Vanguard won't let you do that. As you set up your SMS 2FA, it makes you verify that the number can receive a code, and you have to enter it. Therefore, Yubikey at Vanguard is only as secure as your SMS 2FA. I personally use a Google Voice number for my SMS 2FA. My Google account is secured by Google Authenticator app (not SMS), so safe from a SIM swap attack. I still want to buy a Yubikey (waiting for a sale), as that would help thwart website spoofing attacks.
Yeah, someone else correctly pointed that out previously. Does it force you to set up the backup method? It's been too long since I configured. Couldn't you still use a landline phone number you own? That's also not susceptible to a SIM swap attack (no SIM).
I think with a landline you get an automated call that reads you the code aloud. That would also thwart a sim swap.
grenadaRocks
Posts: 29
Joined: Sat Mar 11, 2017 10:33 pm

Re: Most secure Two factor authentication out of Fidelity, Vanguard, Charles Schwab?

Post by grenadaRocks »

There is a Yubico sale on the keys between November 22 - 29 on Yubico.com.

There are many different types - what's the recommended types to use with financial services companies?
User avatar
anon_investor
Posts: 15111
Joined: Mon Jun 03, 2019 1:43 pm

Re: Most secure Two factor authentication out of Fidelity, Vanguard, Charles Schwab?

Post by anon_investor »

grenadaRocks wrote: Sat Nov 20, 2021 1:20 pm There is a Yubico sale on the keys between November 22 - 29 on Yubico.com.

There are many different types - what's the recommended types to use with financial services companies?
Cool, where'd you hear about the sale, do you know how much the discount will be?
increment
Posts: 1715
Joined: Tue May 15, 2018 2:20 pm

Re: Most secure Two factor authentication out of Fidelity, Vanguard, Charles Schwab?

Post by increment »

grenadaRocks wrote: Sat Nov 20, 2021 1:20 pm There are many different types - what's the recommended types to use with financial services companies?
I believe that the Security Key series will be adequate for your needs.
grenadaRocks
Posts: 29
Joined: Sat Mar 11, 2017 10:33 pm

Re: Most secure Two factor authentication out of Fidelity, Vanguard, Charles Schwab?

Post by grenadaRocks »

anon_investor wrote: Sat Nov 20, 2021 1:29 pm
grenadaRocks wrote: Sat Nov 20, 2021 1:20 pm There is a Yubico sale on the keys between November 22 - 29 on Yubico.com.

There are many different types - what's the recommended types to use with financial services companies?
Cool, where'd you hear about the sale, do you know how much the discount will be?
Here you go:
- Take $20 OFF cart subtotals of $100 or more.
- Take $10 or €10 OFF Security Key NFC or the new Security Key C NFC with purchase of any other key.
- Save 25% on select YubiStyle Accessories. While supplies last

Black Friday Link : https://www.yubico.com/store/black-friday/
mchampse
Posts: 302
Joined: Mon Feb 26, 2007 12:45 am

Re: Most secure Two factor authentication out of Fidelity, Vanguard, Charles Schwab?

Post by mchampse »

rossington wrote: Sat Nov 13, 2021 3:46 am I believe people are overreacting here:

1) Always set your device to NOT be recognized...that is it is a "public device".
2) Then after logging in you will receive a CALL with a one time security code to login...again check the public device option.
3) If you have transaction notifications setup you will KNOW when any unauthorized transaction takes place...You can act on this immediately.
4)The only monetary transfers that can be made are to accounts that YOU have set up.
5)Even if somehow a bad guy got past this security they would need to set up a new bank account to transfer any funds to ...you would be notified of this and would have to complete the final authorization before the "new" account is authorized on the brokerage end.
6) *Clear your browser immediately after logging out*.
+1

If you are holding crypto I would be worried. But other than that, SMS should more than meet your needs. Anyone SIM-jacking you still has a bit of an arduous process to actually get money into their hands. Plus even if you are the victim of fraud, your financial institution has to reimburse you. Of course, no one wants to go through that hassle.
User avatar
anon_investor
Posts: 15111
Joined: Mon Jun 03, 2019 1:43 pm

Re: Most secure Two factor authentication out of Fidelity, Vanguard, Charles Schwab?

Post by anon_investor »

grenadaRocks wrote: Sat Nov 20, 2021 5:12 pm
anon_investor wrote: Sat Nov 20, 2021 1:29 pm
grenadaRocks wrote: Sat Nov 20, 2021 1:20 pm There is a Yubico sale on the keys between November 22 - 29 on Yubico.com.

There are many different types - what's the recommended types to use with financial services companies?
Cool, where'd you hear about the sale, do you know how much the discount will be?
Here you go:
- Take $20 OFF cart subtotals of $100 or more.
- Take $10 or €10 OFF Security Key NFC or the new Security Key C NFC with purchase of any other key.
- Save 25% on select YubiStyle Accessories. While supplies last

Black Friday Link : https://www.yubico.com/store/black-friday/
The sale is live, I am thinking of picking up one each of the blue USB A and USB C security keys.

Update: I did end up picking those 2 up. The Yubico website indicates that both work with Vanguard.
chet96
Posts: 217
Joined: Fri Feb 21, 2020 8:14 am

Re: Most secure Two factor authentication out of Fidelity, Vanguard, Charles Schwab?

Post by chet96 »

anon_investor wrote: Mon Nov 22, 2021 7:48 am
grenadaRocks wrote: Sat Nov 20, 2021 5:12 pm
anon_investor wrote: Sat Nov 20, 2021 1:29 pm
grenadaRocks wrote: Sat Nov 20, 2021 1:20 pm There is a Yubico sale on the keys between November 22 - 29 on Yubico.com.

There are many different types - what's the recommended types to use with financial services companies?
Cool, where'd you hear about the sale, do you know how much the discount will be?
Here you go:
- Take $20 OFF cart subtotals of $100 or more.
- Take $10 or €10 OFF Security Key NFC or the new Security Key C NFC with purchase of any other key.
- Save 25% on select YubiStyle Accessories. While supplies last

Black Friday Link : https://www.yubico.com/store/black-friday/
The sale is live, I am thinking of picking up one each of the blue USB A and USB C security keys.

Update: I did end up picking those 2 up. The Yubico website indicates that both work with Vanguard.
I am looking to pick 2 up as well. Poking around the vanguard website, I noticed there was a separate option to enable 2FA for unrecognized devices. I did not realize this was a separate option, I thought it was automatic once 2FA was activated.
User avatar
anon_investor
Posts: 15111
Joined: Mon Jun 03, 2019 1:43 pm

Re: Most secure Two factor authentication out of Fidelity, Vanguard, Charles Schwab?

Post by anon_investor »

chet96 wrote: Fri Nov 26, 2021 7:15 pm
anon_investor wrote: Mon Nov 22, 2021 7:48 am
grenadaRocks wrote: Sat Nov 20, 2021 5:12 pm
anon_investor wrote: Sat Nov 20, 2021 1:29 pm
grenadaRocks wrote: Sat Nov 20, 2021 1:20 pm There is a Yubico sale on the keys between November 22 - 29 on Yubico.com.

There are many different types - what's the recommended types to use with financial services companies?
Cool, where'd you hear about the sale, do you know how much the discount will be?
Here you go:
- Take $20 OFF cart subtotals of $100 or more.
- Take $10 or €10 OFF Security Key NFC or the new Security Key C NFC with purchase of any other key.
- Save 25% on select YubiStyle Accessories. While supplies last

Black Friday Link : https://www.yubico.com/store/black-friday/
The sale is live, I am thinking of picking up one each of the blue USB A and USB C security keys.

Update: I did end up picking those 2 up. The Yubico website indicates that both work with Vanguard.
I am looking to pick 2 up as well. Poking around the vanguard website, I noticed there was a separate option to enable 2FA for unrecognized devices. I did not realize this was a separate option, I thought it was automatic once 2FA was activated.
Yeah, you can have Vanguard require 2FA (this includes SMS) for every login or just logins from unrecognized devices.
ErRyTour
Posts: 25
Joined: Tue Apr 23, 2019 10:56 pm

Re: Most secure Two factor authentication out of Fidelity, Vanguard, Charles Schwab?

Post by ErRyTour »

I did a quick test of my account at Vanguard...

using Chromium, when I attempt a login at Vanguard, it prompts me for my Yubikey to get access. The only option is go forward with the hardware keys or cancel. It will not fallback to SMS. This is what I normally use.

Using a browser that is not compatible with Yubikeys (e.g. Midori), when I attempt a login at Vanguard, it says I will get a SMS on my phone. However, I never receive the SMS. When I check my account from Chromium, under "Security profile > Security code", it does not have a phone number set. So, for now, as far as I can tell, it looks like I don't have the SMS hole. If there is some other way I can use to check for the SMS hole, I'm all ears. I'd like to know for sure the the SMS hole is closed.

Regarding Fidelity - it is not a hard requirement to use Symantec VIP. I don't. You can use any other TOTP authenticator program. For what it is worth, I use FreeOTP.

As for BoA - I was really happy to see them adding Yubikey support recently. Too bad they only allow support for registering two Yubikeys (and, oddly, Merrill doesn't have support for Yubikey).
User avatar
anon_investor
Posts: 15111
Joined: Mon Jun 03, 2019 1:43 pm

Re: Most secure Two factor authentication out of Fidelity, Vanguard, Charles Schwab?

Post by anon_investor »

ErRyTour wrote: Fri Nov 26, 2021 11:10 pm I did a quick test of my account at Vanguard...

using Chromium, when I attempt a login at Vanguard, it prompts me for my Yubikey to get access. The only option is go forward with the hardware keys or cancel. It will not fallback to SMS. This is what I normally use.

Using a browser that is not compatible with Yubikeys (e.g. Midori), when I attempt a login at Vanguard, it says I will get a SMS on my phone. However, I never receive the SMS. When I check my account from Chromium, under "Security profile > Security code", it does not have a phone number set. So, for now, as far as I can tell, it looks like I don't have the SMS hole. If there is some other way I can use to check for the SMS hole, I'm all ears. I'd like to know for sure the the SMS hole is closed.

Regarding Fidelity - it is not a hard requirement to use Symantec VIP. I don't. You can use any other TOTP authenticator program. For what it is worth, I use FreeOTP.

As for BoA - I was really happy to see them adding Yubikey support recently. Too bad they only allow support for registering two Yubikeys (and, oddly, Merrill doesn't have support for Yubikey).
I think the SMS 2FA hole for Vanguard is also the mobile app. It will default to SMS 2FA. But I guess it won't if you do not have a phone number listed.
User avatar
anon_investor
Posts: 15111
Joined: Mon Jun 03, 2019 1:43 pm

Re: Most secure Two factor authentication out of Fidelity, Vanguard, Charles Schwab?

Post by anon_investor »

I got my 2 Yubikeys yesterday, and I registered them with my Vanguard account, these were my observations:

-In order to register a Yubikey, you have to change security settings to use 2FA for every login. Note for the mobile app it never asks me for 2FA (it was a "remember device" from before I registered my Yubikeys).

-On my phone the Vanguard app and mobile browser do not support Yubikey 2FA, so it defaults to SMS 2FA.

-On my desktop you can by pass Yubikey 2FA and request SMS 2FA.

-When registering a Yubokey, it says if you register 2 or more Yubikeys you can disable SMS 2FA. (I did not try this)
Post Reply