Implementing Two-Factor Authentication for Fidelity Accounts

Topic Author
Alskar
Posts: 643
Joined: Wed Jan 06, 2010 9:52 pm
Location: Oregon

Implementing Two-Factor Authentication for Fidelity Accounts

Post by Alskar »

I don't wish to turn this into a debate about hard vs soft keys or the various shortcomings of various security systems, password lengths, the proper use of special characters or the susceptibility to key-logging malware or how RSA and other soft-keys have been hacked. I am posting the information below as a service to other Bogleheads that have a Fidelity account and a smart phone who wish to implement two-factor authentication on their Fidelity account(s).

Recently, Fidelity began beta-testing a new two-factor authentication system for some accounts. I implemented Fidelity's new two-factor authentication system on my account today. Fidelity is using the VeriSign (now owned by Symantec) VIP Access "soft-key" to implement two-factor authentication. Instead of being carried as a hardware dongle (like the RSA tokens some may be familiar with), the VeriSign soft-key or "security code" is carried as an application on one's smart phone. RSA has had a soft-key app for limited devices (mostly Blackberries) for many years. VeriSign VIP Access seems to have support for more smartphones than RSA.

Here are the steps:

1. You must have an Android, iPhone, Blackberry, or Windows Mobile smart phone. Here's a list of compatible devices: http://vipmobile.verisign.com/home.v. The so-called "security code" is created on your smart phone and presumably synchronized with a central server. Without the key you will be unable to access your Fidelity account even from your home computer. This is to say: If your phone isn't working, you're not getting online access to your account. I haven't tested it yet, but I'm guessing the VIP Access app won't work properly if the phone doesn't have access to the internet via Wi-Fi or the data network.

2. Call Fidelity to see if you're eligible to have this feature on your account. I was led to believe that not every Fidelity customer is eligible for this feature, but I was not told the specific eligibility requirements. I am a so-called "Premium Services" customer at Fidelity. I'm not sure if that made any difference. The "Premium Services Account Executive" checked my account somehow and very quickly determined I was eligible...which was nice!

3. Download the VIP Access application to your phone. This is done differently for different smart phones. I downloaded the free "VIP Access" application from the Apple App Store for my iPhone 3GS running iOS-6 with no issues. I assume that other iOS phones will work as well, but I don't know that for certain. I can't help you with the process for downloading the app for other phones, but it appears that if you click on the link above and then click on the type of phone you have, you can get a link to the app sent to your phone via TM. Alternately you can try entering "m.verisign.com" into your browser.

4. Once the application is installed on your phone and running, call (800) 673-2938 to have Fidelity configure your account to use the "VeriSign Security Code". This is a special number specifically for configuring two-factor authentication. The agent will need the "Credential ID" displayed on your smart phone app to configure your account. In my case, the agent didn't ask for the "Credential ID" by name which caused some confusion. When they ask for a number, give them the "Credential ID".

5. The agent will configure your account to require the "VeriSign Security Code" to access your online Fidelity account.

6. Once enabled, you sign in as you normally do, but after you enter your user name and password a new screen appears requesting your "VeriSign Security Code". Enter the "Security Code" from the VIP Access app on your smart phone and you will be logged in. Note that the "security code" changes every 30 seconds so it's possible to run out of time to enter the code. Just retry with the new code.

I've only had it for a few hours, but it seems to work great!
Lagom är bäst
susze
Posts: 194
Joined: Sun Jul 27, 2008 2:26 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by susze »

Any idea if it works with the mobile app?
Topic Author
Alskar
Posts: 643
Joined: Wed Jan 06, 2010 9:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by Alskar »

susze wrote:Any idea if it works with the mobile app?
Unfortunately, not yet. The Fidelity CS rep I spoke with says that Fidelity will be enabling VIP Access for the Fidelity App(s) and for mobile browsers "...soon..." At the current time VIP Access is being beta-tested at Fidelity. Note that Fidelity isn't listed on the VeriSign VIP Access website (except for Fidelity Wealth Management which is a different deal). I assume that Fidelity will be listed as a user once beta-testing is complete.
Lagom är bäst
tfb
Posts: 8397
Joined: Mon Feb 19, 2007 4:46 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by tfb »

Called twice. The reps refused to enroll me in the beta both times -- "not expanding beyond those who have been invited." I thought about calling that other 800 number directly but I'm not that desperate. I will wait.
Harry Sit has left the forums.
Saleen
Posts: 66
Joined: Wed Jun 13, 2007 12:08 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by Saleen »

I do love that Blizzard uses this type of authentication to protect people's virtual property (game characters) which is worth nothing in the real world, but websites where people can access millions of dollars allow people to use password123 as their password.
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by Epsilon Delta »

adamcate wrote:I do love that Blizzard uses this type of authentication to protect people's virtual property (game characters) which is worth nothing in the real world, but websites where people can access millions of dollars allow people to use password123 as their password.
Usually authentication is the only thing protecting virtual property, while real world property is protected by other things, including the legal system and associated men with guns.
blackstone
Posts: 33
Joined: Sun Jan 30, 2011 7:15 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by blackstone »

susze wrote:Any idea if it works with the mobile app?
It is usually not a good idea to use a mobile app to login to a site when another app on the same device is the "soft" dongle for multi factor authentication. If you save your password for the app for example, if someone steals your phone, they get access to both the password and the authentication key.
rohitj
Posts: 33
Joined: Tue Jun 07, 2011 11:07 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by rohitj »

I have yet to see a banking app that lets you save your password.

If they enable two-factor, I hope they also give a way of allowing mint.com/other trusted apps to still work. Otherwise it's really discouraging to those that use any sort of software to monitor their accounts.

Ingdirect allows you to create a specific password for aggregators.
ftobin
Posts: 1071
Joined: Fri Mar 20, 2009 3:28 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by ftobin »

rohitj wrote:If they enable two-factor, I hope they also give a way of allowing mint.com/other trusted apps to still work.
Google allows you to create application-specific passwords. For instance, there is a unique password my Android phone uses for my account, a different one for my mail client, another for my IM client, etc.

These passwords are designed to only be known/viewed once, and the application should save it going forward. If one of the applications is compromised, I can easily revoke the password granted to that device/application.
Topic Author
Alskar
Posts: 643
Joined: Wed Jan 06, 2010 9:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by Alskar »

adamcate wrote:I do love that Blizzard uses this type of authentication to protect people's virtual property (game characters) which is worth nothing in the real world, but websites where people can access millions of dollars allow people to use password123 as their password.
I got a chuckle out of that myself! World of Warcraft (WoW) uses very lengthy complex passwords, but Vanguard uses 10 character passwords. I suppose it has to do with timing. WoW is new, so they built their system with security in mind. Vanguard's system was built long before the web became commonplace. Vanguard probably wanted to make it easy for clients to enter their passwords on the telephone keypad. Online games need no such convenience.

Nonetheless, I think it is pretty ironic!
Lagom är bäst
Topic Author
Alskar
Posts: 643
Joined: Wed Jan 06, 2010 9:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by Alskar »

UPDATE: I just switched from using the VIP Access app on my iPhone as the token device to a YubiKey VIP (http://www.yubico.com/products/yubikey- ... bikey-vip/) hardware token. The hardware token is potentially more secure, doesn't require a battery, and is much smaller than my cellphone.

The YubiKey VIP comes preconfigured with the VIP Access credential. With some serious effort I was able to get the same YubiKey to work as the VIP Access token and as the OTP (One Time Password) two-factor authentication device for my LastPass password vault. Yubico's documentation on how this is done is exceedingly poor, but I muddled through. If anybody would like me to post better instructions on how this is done, I will do that upon request. I can save you a couple of hours of frustration.

The YubiKey VIP token was $25 plus $5 shipping. Not cheap, but not crazy expensive either. Since it doesn't have a battery or an LCD display like most HW tokens it is less susceptible to physical damage. It fits on my key ring.

I can now use the same HW token to get into my LastPass password vault and to access VIP Access enabled sites like Ebay, PayPal and Fidelity. As an added bonus, just having this device has renewed my geek license for at least another year, maybe two! :D
Lagom är bäst
radioactive
Posts: 27
Joined: Fri Feb 22, 2013 10:18 am

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by radioactive »

I found this thread while looking to enable two-factor for the rest of my accounts. I tried to call Fidelity today, I have a standard account with SEP, Roth, Sole Proprietorship, etc. I called the customer service number on my account page, and spoke to a CSR.

The CSR initially said "Oh, you're calling about the additional security features where we use a code from your smartphone to validate your account." I was initially excited that they'd be able to help, but after a brief hold, the rep came back and said "We'll be introducing wire transfers on 10 March, so just wait 18 more days."

I explained that I wanted two-factor and gave him the "Something you know, plus something you have" pitch, not bank wires. After a short hold, he came back, said "If you log into your Fidelity account from an unknown computer, we'll ask you security questions." I tried one more time, explaining the thread, and the Verisign app, but he didn't budge, and went back to babbling about wire transfers.

Unfortunately, it looks like I'll try again in a couple months :(

<edit>post below has the number to call to set it up, everything works great now</edit>
Last edited by radioactive on Wed Feb 27, 2013 8:44 am, edited 1 time in total.
Postmon
Posts: 316
Joined: Mon Jan 02, 2012 1:46 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by Postmon »

I've been using the dongle for years and have been happy with it. The only thing is the security code is not integrated with their mobile site or when you call in.
When you're on the page where you enter your security code, here's what you get if you click on the link for more info:

FAQ for VeriSign VIP Program

What is the new program?

The new program is a partnership between Fidelity and VeriSign and features several different options for using additional authentication methods. For instance, to generate a unique authentication code every time you log in, you will be able to choose either a physical device that you carry with you or software you download to your computer. If you already have a Fidelity Account Key, we will automatically swap out your current device for one that is very similar.
Why are you changing the program?

The devices used in the current program have batteries that are about to expire. Our new partnership with VeriSign offers more than one option for additional security on your account, providing greater convenience for our customers.
I already have a VeriSign credential that I use for some of my other online accounts. Can I use the same token on Fidelity.com?

A. Yes, you can use your existing credential on Fidelity.com. Just call a Fidelity representative at 800-673-2938 to get set up.
What is a "soft token"?

A soft token is software that generates a code every sixty seconds that can be downloaded to either your mobile phone or to your browser toolbar. It does not require you to carry an additional device with you every time you want to log into your account.
Are you offering the use of "soft tokens" at this time?

Yes, you can use a soft token to generate a code from your mobile device, then log into Fidelity.com. Soft tokens can be downloaded for free at https://idprotect.verisign.com/mainmenu.v. Select either VIP access for Mobile or VIP Access Toolbar. Follow the instructions provided by VeriSign. Currently, we are not supporting the other VeriSign options. You will then need to call a Fidelity representative at 800-673-2938 to activate your credential for your Fidelity accounts.
What if I no longer want to use my device?

You may "opt out" of our program by calling a Fidelity Representative at 800-673-2938.
What if I forget my token and need to log in?

You may still log in by calling a Fidelity Representative at 800-673-2938 and receive a temporary code that will remain valid for 7 days.
radioactive
Posts: 27
Joined: Fri Feb 22, 2013 10:18 am

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by radioactive »

OK,
That was incredibly easy. I called the number from the previous post (+1-800-673-2938) and a representative answered without any wait.

He needed:
-An account number
-Account owner's name
-Full name and date of birth of one of the beneficiaries
-Two securities held in the account
-Credential ID of my soft token (visit m.verisign.com from your mobile browser, and it'll direct you to Google Play or Apple App store to download)

A few seconds later, he had it set up, I logged out and back into Fidelity's website and it prompted me for the six digit code.

I asked why I had so much difficulty the first time I called. The agent said that normally the VIP access is set up for private clients, however if someone already has either a token or soft token with a serial number, they can set it up irrespective of assets in the account.

In total, I was done in 6 minutes. If I hadn't chatted with him at the end, it could have been done in 3.

Thanks!
Postmon
Posts: 316
Joined: Mon Jan 02, 2012 1:46 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by Postmon »

I just called and transferred from the dongle to the soft token. Took about a minute! :sharebeer
KyleAAA
Posts: 9496
Joined: Wed Jul 01, 2009 5:35 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by KyleAAA »

I hope Vanguard and my bank get this soon!
Topic Author
Alskar
Posts: 643
Joined: Wed Jan 06, 2010 9:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by Alskar »

KyleAAA wrote:I hope Vanguard and my bank get this soon!
I just spent a few weeks tilting at the Vanguard windmill. Vanguard feels rather strongly that their current 10 character password (that treats upper-case and lower-case characters as the same) is sufficient. Vanguard needs an intervention IMHO, but I don't have the time or patience to give it to them so I gave up and closed my Vanguard accounts in frustration. All of my assets are now at Fidelity.

Note that the phone number to call was in my original post!

For whatever it's worth, I am no longer using the Verisign VIP Access app on my phone. I switched to using a VIP YubiKey (http://www.yubico.com/products/yubikey ... ikey-vip/) a month or so ago and I love it.

My brother reported that the Verisign VIP Access app for Android crashes on his phone. When he restarted it, it had a new ID number. He said it was difficult to get into his accounts without the security code. He has since registered with the new ID code and all has been well for a week or so.

I have had zero issues with my VIP YubiKey.
Lagom är bäst
Topic Author
Alskar
Posts: 643
Joined: Wed Jan 06, 2010 9:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by Alskar »

I may have spoken too soon. I just got this information from one of Vanguard's Executive Correspondents:
In addition, you mentioned that you were pleased that Fidelity implemented
two-factor authentication on their accounts. Vanguard recently began this
same service to improve the client experience.
Does anybody know anything more about this? Have any of the folks with Flagship status been offered two-factor authentication on their Vanguard accounts?
Lagom är bäst
vital15
Posts: 49
Joined: Thu Oct 11, 2012 7:15 am

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by vital15 »

Thank you all for posting this! It had bothered me for years that Fidelity did not offer this and I just found this thread!

To add to the thread: I did confirm that this now works on the mobile app as well (I tested it myself on the iPad app)
brianH
Posts: 666
Joined: Wed Aug 12, 2009 12:21 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by brianH »

Thanks for the tips on this; I didn't know they offered it. I wish they used the more standard TOTP protocol (http://en.wikipedia.org/wiki/Time-based ... _Algorithm) used by Google, Lastpass, etc, but I guess I can understand why a large bank would go with a 'big-name security company' to provide their 2-FA. It would also be nice if you could back up the private key so that changing devices didn't require calling them (tip: put the Symantec software on whatever device you're not likely to change frequently.)

Gentleman I spoke to confirmed that his department (tech) now handles these setups. Same # mentioned earlier: 1-800-673-2938.
Topic Author
Alskar
Posts: 643
Joined: Wed Jan 06, 2010 9:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by Alskar »

I'm very curious to see if the new FIDO U2F standard being driven by Google is going to gain adoption. Here's a link: http://fidoalliance.org/

YubiKey is already demonstrating a FIDO U2F enabled token: http://www.yubico.com/products/yubikey- ... y-neo-u2f/

FIDO U2F seems like a really slick, open solution that is likely less expensive to host than the Symantec VIP Access or the RSA solutions.
Lagom är bäst
papa1
Posts: 2
Joined: Tue Apr 22, 2014 11:22 am

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by papa1 »

Alskar, in one of your previous posts on this thread, you mentioned the below. I wanted to take you up on your offer since I am finding myself needing to do exactly this. Thanks in advance for helping explain how this is done, and for all the other useful information you posted on this thread.

"The YubiKey VIP comes preconfigured with the VIP Access credential. With some serious effort I was able to get the same YubiKey to work as the VIP Access token and as the OTP (One Time Password) two-factor authentication device for my LastPass password vault. Yubico's documentation on how this is done is exceedingly poor, but I muddled through. If anybody would like me to post better instructions on how this is done, I will do that upon request. I can save you a couple of hours of frustration."
vital15
Posts: 49
Joined: Thu Oct 11, 2012 7:15 am

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by vital15 »

papa1 wrote:Alskar, in one of your previous posts on this thread, you mentioned the below. I wanted to take you up on your offer since I am finding myself needing to do exactly this. Thanks in advance for helping explain how this is done, and for all the other useful information you posted on this thread.

"The YubiKey VIP comes preconfigured with the VIP Access credential. With some serious effort I was able to get the same YubiKey to work as the VIP Access token and as the OTP (One Time Password) two-factor authentication device for my LastPass password vault. Yubico's documentation on how this is done is exceedingly poor, but I muddled through. If anybody would like me to post better instructions on how this is done, I will do that upon request. I can save you a couple of hours of frustration."
I'll echo that request. I am looking into a yubikey too. One of my concerns is that I will lose it. Not a huge issue for fidelity as I would just call but is it possible to get a second one as a backup for the OTP part?
serbeer
Posts: 1304
Joined: Fri Dec 28, 2007 1:09 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by serbeer »

I got the hardware token from Fidelity (which was not easy, they seem to prefer people to use software on the phone instead and I was told there are minimum account balance requirements though I was not told what they are--but I met them).

The funny thing is, access to the site using Net Benefits portal (http://www.401K.com) does not require the code from token (and one can log into it with regular Fidelity login and password--I am not even sure if having retirement accounts with Fidelity is a pre-requisite, but even if it is, many people who use Fidelity have them). All retirement accounts within Net Benefits can be accessed without a token. But if I try to access Individual brokerage accounts or FullView though this portal, it does ask for a token code at that point. I asked the rep about it, and was told Net Benefits "are planning to implement optional two-factor authentication" at some undisclosed point "in the future."

I am still happy I got the token since it was FullView that I was mostly concerned about. I figure it would be much harder for someone to raid retirement accounts than regular brokerage and bank accounts. That said, your retirement accounts at Fidelity are NOT secured with VeriSign, keep that in mind. But don't tell hackers about it :)
Topic Author
Alskar
Posts: 643
Joined: Wed Jan 06, 2010 9:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by Alskar »

I am SO sorry. I've been negligent in checking my posts.

Here are the instructions for configuring one's Yubikey VIP for use with both LastPass and VIP enabled websites like Fidelity, PayPal, Ebay, etc:

1. Download and install the Yubikey Personalization Tool from the Yubico website at: http://www.yubico.com/products/services ... tools/use/
2. Insert your Yubikey VIP token into a USB slot
3. Run the Yubikey Personalization Tool (this is platform dependent, on a PC go to START >> All Programs >> Yubico >> Yubikey Personalization Tool)
4. When the Personalization Tool opens it should say "YubiKey is inserted" in the upper right-hand corner
5. Click on Update Settings (5th green arrow down on version 3.1.14)
6. This is the step I found confusing: Click on the button that says "Update Settings". This does NOT update your settings. It takes you to a screen where you can update your settings. Yes, I know...dumb.
7. My key is already programmed, so this step may be a bit off (I'm going from memory). There is a check box marked "Configuration Slot 2". Check this box.
8. Uncheck the box that says "Dormant"
9. If you're using both LastPass and VIP (as I am) click on the "Update" button. This will make the OATH configuration in Slot 2 active (not dormant)
10. Click on the "Swap" button if you want OATH in Slot 1 (Easier for LastPass)
11. Click the "Update" button
12. Close the Yubikey Personalization Tool

This will put OATH (LastPass) support in Slot 1 and Symantec VIP access in Slot 2. Slot 1 is accessed by a brief touch of the gold button on the Yubikey. Slot 2 is accessed by pressing and holding the button for 2-3 seconds. You can swap Slot 1 and Slot 2 functionality at any time using the Personalization Tool.

If you're only using the Yubikey for Symantec VIP access, you will likely find it easier to keep the VIP configuration in Slot 1. Since I use my Yubikey for LastPass (OATH) authentication, and I do that more often than VIP authentication, I keep VIP in Slot 2 (press and hold for 2-3 seconds).

Let me know if you have any questions. I promise to check in more often.
Last edited by Alskar on Fri May 16, 2014 11:11 am, edited 1 time in total.
Lagom är bäst
Topic Author
Alskar
Posts: 643
Joined: Wed Jan 06, 2010 9:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by Alskar »

vital15 wrote:
papa1 wrote:Alskar, in one of your previous posts on this thread, you mentioned the below. I wanted to take you up on your offer since I am finding myself needing to do exactly this. Thanks in advance for helping explain how this is done, and for all the other useful information you posted on this thread.

"The YubiKey VIP comes preconfigured with the VIP Access credential. With some serious effort I was able to get the same YubiKey to work as the VIP Access token and as the OTP (One Time Password) two-factor authentication device for my LastPass password vault. Yubico's documentation on how this is done is exceedingly poor, but I muddled through. If anybody would like me to post better instructions on how this is done, I will do that upon request. I can save you a couple of hours of frustration."
I'll echo that request. I am looking into a yubikey too. One of my concerns is that I will lose it. Not a huge issue for fidelity as I would just call but is it possible to get a second one as a backup for the OTP part?
I keep a backup Yubikey in a safe place in case I lose my primary Yubikey. I do this because there is no way to reset my LastPass account (which is way more secure) so if I lost my Yubikey there would be no way to retrieve my passwords from LastPass. It is possible to access Fidelity without one's VIP token by calling Fidelity.

Does that help?
Lagom är bäst
vital15
Posts: 49
Joined: Thu Oct 11, 2012 7:15 am

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by vital15 »

Thanks! Are both of your yubikeys the "Yubikey VIP?"
Topic Author
Alskar
Posts: 643
Joined: Wed Jan 06, 2010 9:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by Alskar »

vital15 wrote:Thanks! Are both of your yubikeys the "Yubikey VIP?"
No, one is just a standard OTP (OATH) enabled YubiKey for accessing LastPass in case I lose my primary Yubikey VIP. I can always call customer service at Fidelity and get my account registered to a different Yubikey VIP, but without a Yubikey of some type I cannot access LastPass.
Lagom är bäst
papa1
Posts: 2
Joined: Tue Apr 22, 2014 11:22 am

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by papa1 »

Thanks Alskar! I haven't received my Yubikey VIP yet, but I'll be going through your instructions when I get it. I'm sure you saved me a bunch of time.
letsgobobby
Posts: 12073
Joined: Fri Sep 18, 2009 1:10 am

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by letsgobobby »

So... do Fido and Vanguard both offer two factor to everyone? Is there a secret club one needs to join?
Topic Author
Alskar
Posts: 643
Joined: Wed Jan 06, 2010 9:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by Alskar »

letsgobobby wrote:So... do Fido and Vanguard both offer two factor to everyone? Is there a secret club one needs to join?
I can't speak for Vanguard, but Fidelity seems to be picking and choosing who they let into the club. I just gave Fidelity a call and they walked me through the steps I listed at the top of this thread. Once I had the token (VIP YubiKey in my case) I just called (800) 673-2938 (special number for setting up two-factor authentication) and they set me up. I don't know what criteria Fidelity is using to decide who gets to use two-factor authentication. I'm a "Premium Services" customer and I log on nearly every day. Maybe that's why I got into the club. The Finance Buff said he was turned down. I personally think they're just trying to roll out the service slowly enough that they don't get overwhelmed.
Lagom är bäst
letsgobobby
Posts: 12073
Joined: Fri Sep 18, 2009 1:10 am

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by letsgobobby »

The rep didn't say yes or no, he just sounded completely clueless. "Two what...?" Is there a department I should be talking to?
ASUGrad
Posts: 259
Joined: Sun Oct 20, 2013 8:09 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by ASUGrad »

I tried on the Vanguard website. Couldn't find anything for setting it up. Might try calling on Monday. If it's a new thing probably worth asking for the department that offers website help instead of the guys that just do trades.

I did however find a thing that lets you limit 'which' computers can access the VG website. So you could set it to only a few computers I guess. That is pretty safe. If you aren't home you would just have to call or use the mobile app.

Then of course there is also the trick where you set all your security questions up as secondary passwords. What's your first pet's name? 1Pu23pp45y6

Vanguard always asks for a security question unless you're on a computer that you've labeled as your computer.
S&L1940
Posts: 1658
Joined: Fri Nov 02, 2007 11:19 pm
Location: South Florida

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by S&L1940 »

letsgobobby wrote:So... do Fido and Vanguard both offer two factor to everyone? Is there a secret club one needs to join?
not sure why but on several sites - including Vanguard's - I always get the pop up security question. at first I was annoyed and then realized this is just fine with me. the question keeps coming up even though I check off that I am using my own computer. even with a new PC, same thing happens, not recognizing the computer, with my major credit card provider as well. but log ins flow right along with my bank and other credit cards. been that way for years, figure there is something in the machine causing hiccups but my virus and malware protection (presumably) keep me safe...
Don't it always seem to go * That you don't know what you've got * Till it's gone
Topic Author
Alskar
Posts: 643
Joined: Wed Jan 06, 2010 9:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by Alskar »

letsgobobby wrote:The rep didn't say yes or no, he just sounded completely clueless. "Two what...?" Is there a department I should be talking to?
Call Fidelity at: (800) 673-2938. This will take you directly to the right group. If you want to talk to your regular account executive use this phrase: "Symantec Verisign VIP two-factor authentication". This is the particular two-factor authentication that Fidelity is using. If that doesn't work, call it "the security fob" or "the security token".
Lagom är bäst
Rob5TCP
Posts: 3811
Joined: Tue Jun 05, 2007 7:34 pm
Location: New York, NY

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by Rob5TCP »

Every time I talk to Vanguard (about anything) I bring up 2 factor authentication. They are now one of the few main financial institutions I deal with that don't use it.
Austintatious
Posts: 878
Joined: Thu Sep 13, 2012 7:01 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by Austintatious »

Actually, Vanguard does offer a form of two factor authorization, by allowing the investor to restrict access to accounts only from a specified computer. The downside, of course, would be that one could not access accounts when that device is not readily available but the capacity to prevent others from accessing one's accounts via any other device seems to be a pretty respectable security function.
TDAlmighty
Posts: 171
Joined: Fri Dec 06, 2013 12:01 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by TDAlmighty »

Austintatious wrote:Actually, Vanguard does offer a form of two factor authorization, by allowing the investor to restrict access to accounts only from a specified computer. The downside, of course, would be that one could not access accounts when that device is not readily available but the capacity to prevent others from accessing one's accounts via any other device seems to be a pretty respectable security function.
First, when you go through the steps of turning this on Vanguard actually recommends AGAINST using it...which can't be a good sign.

Secondly, Vanguard's 2nd factor authentication (either done via IP address or cookie) is static, meaning that a hacker could simply figure out your IP (phishing, malware, infected cookies/websites, bad actor at legitimate website, etc.) and spoof it in order to circumvent the 2nd factor for any number of sessions until you or Vanguard discovers the hack. This is the equivalent of just having a secondary password that NEVER changes. Compare this to Fidelity which has a changing/random 2nd factor authentication that requires you to have the secondary device.

Because the hacker would not actually be required to have the secondary device to authenticate AND the 2nd factor is static, I think it is a stretch to call Vanguard's system true 2 factor authentication.

In conclusion, while it is better than nothing, I do not believe the two systems are comparable in terms of convenience or security.
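The static-versus-changing distinction drawn in the post above, as an added example that is not part of the original post. The thread does not say how the VIP codes are generated, so the standard RFC 6238 time-based one-time password stands in for the changing factor; the cookie value, function names and replay cache are hypothetical.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the thread).
STATIC_DEVICE_COOKIE = "device-7f3a"      # issued once, never changes
TOTP_SECRET = b"12345678901234567890"     # RFC 6238 test-vector secret
STEP = 30                                 # seconds each code is current


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F            # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_static(presented: str) -> bool:
    """Device-recognition check: the same value passes at any time."""
    return hmac.compare_digest(presented, STATIC_DEVICE_COOKIE)


def verify_totp(presented: str, now: int, used_steps: set, drift: int = 1) -> bool:
    """Accept a code only for the current step +/- drift, and only once."""
    current = now // STEP
    for step_no in range(current - drift, current + drift + 1):
        if step_no < 0 or step_no in used_steps:
            continue
        if hmac.compare_digest(presented, totp(TOTP_SECRET, step_no * STEP)):
            used_steps.add(step_no)       # burn the step so it cannot be reused
            return True
    return False


def replay_outcomes(captured_at: int, delays: list) -> list:
    """Check whether values observed at one login still verify later on."""
    cookie = STATIC_DEVICE_COOKIE
    code = totp(TOTP_SECRET, captured_at)
    rows = []
    for delay in delays:
        used = set()  # empty replay cache, so only the time window matters
        rows.append((delay, verify_static(cookie),
                     verify_totp(code, captured_at + delay, used)))
    return rows


if __name__ == "__main__":
    for delay, static_ok, totp_ok in replay_outcomes(59, [0, 30, 90, 150]):
        print(f"+{delay:>3}s  static={static_ok}  totp={totp_ok}")
```

With a shared replay cache, the time-based code is also refused a second time inside its own window, which a static value can never offer.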
Austintatious
Posts: 878
Joined: Thu Sep 13, 2012 7:01 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by Austintatious »

TDAlmighty wrote:
Austintatious wrote:Actually, Vanguard does offer a form of two factor authorization, by allowing the investor to restrict access to accounts only from a specified computer. The downside, of course, would be that one could not access accounts when that device is not readily available but the capacity to prevent others from accessing one's accounts via any other device seems to be a pretty respectable security function.
First, when you go through the steps of turning this on Vanguard actually recommends AGAINST using it...which can't be a good sign.

Secondly, Vanguard's 2nd factor authentication (either done via IP address or cookie) is static, meaning that a hacker could simply figure out your IP (phishing, malware, infected cookies/websites, bad actor at legitimate website, etc.) and spoof it in order to circumvent the 2nd factor for any number of sessions until you or Vanguard discovers the hack. This is the equivalent of just having a secondary password that NEVER changes. Compare this to Fidelity which has a changing/random 2nd factor authentication that requires you to have the secondary device.

Because the hacker would not actually be required to have the secondary device to authenticate AND the 2nd factor is static, I think it is a stretch to call Vanguard's system true 2 factor authentication.

In conclusion, while it is better than nothing, I do not believe the two systems are comparable in terms of convenience or security.
While I'd gladly continue to forego some of that "convenience" to achieve a high level of security, I think you've well made your point and I'm feeling a bit less secure than just a few moments ago. It may be time to join those asking Vanguard for a better or "true" 2 factor authentication. Thanks for responding.
letsgobobby
Posts: 12073
Joined: Fri Sep 18, 2009 1:10 am

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by letsgobobby »

Alskar wrote:
letsgobobby wrote:The rep didn't say yes or no, he just sounded completely clueless. "Two what...?" Is there a department I should be talking to?
Call Fidelity at: (800) 673-2938. This will take you directly to the right group. If you want to talk to your regular account executive use this phrase: "Symantec Verisign VIP two-factor authentication". This is the particular two-factor authentication that Fidelity is using. If that doesn't work, call it "the security fob" or "the security token".
They have confirmed the fob is only for accounts greater than $250k excluding retirement accounts.
Topic Author
Alskar
Posts: 643
Joined: Wed Jan 06, 2010 9:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by Alskar »

letsgobobby wrote:
Alskar wrote:
letsgobobby wrote:The rep didn't say yes or no, he just sounded completely clueless. "Two what...?" Is there a department I should be talking to?
Call Fidelity at: (800) 673-2938. This will take you directly to the right group. If you want to talk to your regular account executive use this phrase: "Symantec Verisign VIP two-factor authentication". This is the particular two-factor authentication that Fidelity is using. If that doesn't work, call it "the security fob" or "the security token".
They have confirmed the fob is only for accounts greater than $250k excluding retirement accounts.
Well that's interesting. I have MUCH less than $250K outside of my rollover IRA and rollover Roth IRA and I have two-factor authentication on my accounts. I have way more than $250K in total but the vast bulk of my retirement money is in tax advantaged accounts.

Did Fidelity screw up when they gave me two-factor authentication?
Lagom är bäst
ResearchMed
Posts: 16764
Joined: Fri Dec 26, 2008 10:25 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by ResearchMed »

Austintatious wrote:
TDAlmighty wrote:
Austintatious wrote:Actually, Vanguard does offer a form of two factor authorization, by allowing the investor to restrict access to accounts only from a specified computer. The downside, of course, would be that one could not access accounts when that device is not readily available but the capacity to prevent others from accessing one's accounts via any other device seems to be a pretty respectable security function.
First, when you go through the steps of turning this on Vanguard actually recommends AGAINST using it...which can't be a good sign.

Secondly, Vanguard's 2nd factor authentication (either done via IP address or cookie) is static, meaning that a hacker could simply figure out your IP (phishing, malware, infected cookies/websites, bad actor at legitimate website, etc.) and spoof it in order to circumvent the 2nd factor for any number of sessions until you or Vanguard discovers the hack. This is the equivalent of just having a secondary password that NEVER changes. Compare this to Fidelity which has a changing/random 2nd factor authentication that requires you to have the secondary device.

Because the hacker would not actually be required to have the secondary device to authenticate AND the 2nd factor is static, I think it is a stretch to call Vanguard's system true 2 factor authentication.

In conclusion, while it is better than nothing, I do not believe the two systems are comparable in terms of convenience or security.
While I'd gladly continue to forego some of that "convenience" to achieve a high level of security, I think you've well made your point and I'm feeling a bit less secure than just a few moments ago. It may be time to join those asking Vanguard for a better or "true" 2 factor authentication. Thanks for responding.
I think Vanguard refers to their "two factor" system as a "two step" system, and they don't actually claim it is "two FACTOR authentication".
I also think it is very misleading the way they muddle their terminology.

RM
This signature is a placebo. You are in the control group.
serbeer
Posts: 1304
Joined: Fri Dec 28, 2007 1:09 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by serbeer »

Alskar wrote:Well that's interesting. I have MUCH less than $250K outside of my rollover IRA and rollover Roth IRA and I have two-factor authentication on my accounts. I have way more than $250K in total but the vast bulk of my retirement money is in tax advantaged accounts.

Did Fidelity screw up when they gave me two-factor authentication?
When you say two-factor, are you referring to the software smart-phone app? If so, I don't think it has minimum requirements. It is the free Verisign hardware token that does.

Also, do you have FullView linked to the accounts with more than the amount? If so, that might qualify you too. The reason they exclude retirement accounts is, as I stated in this thread previously, the fob does not protect such accounts for whatever reason. But it does protect access to non-retirement accounts and to FullView.
Topic Author
Alskar
Posts: 643
Joined: Wed Jan 06, 2010 9:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by Alskar »

serbeer wrote:
Alskar wrote:Well that's interesting. I have MUCH less than $250K outside of my rollover IRA and rollover Roth IRA and I have two-factor authentication on my accounts. I have way more than $250K in total but the vast bulk of my retirement money is in tax advantaged accounts.

Did Fidelity screw up when they gave me two-factor authentication?
When you say two-factor, are you referring to the software smart-phone app? If so, I don't think it has minimum requirements. It is the free Verisign hardware token that does.

Also, do you have FullView linked to the accounts with more than the amount? If so, that might qualify you too. The reason they exclude retirement accounts is, as I stated in this thread previously, the fob does not protect such accounts for whatever reason. But it does protect access to non-retirement accounts and to FullView.
I am using a YubiKey VIP token I purchased from Yubico for Symantec Verisign VIP two-factor authentication. I can see why Fidelity wouldn't want to be giving out hardware tokens for free. I paid $25 for mine.

I do not have Full View implemented on my account because I have security concerns about having all of my passwords stored on Fidelity's website.
Lagom är bäst
jrj
Posts: 14
Joined: Thu May 17, 2007 9:49 am

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by jrj »

For what it's worth, I just called Fidelity and converted from the old Verisign token to the Yubikey (Symantec, formerly Verisign) VIP key, which I had purchased directly from Yubikey. The rep had never heard of Yubikey. Nonetheless he was able to convert me in a few minutes. The Yubikey is functionally identical to the VIP app: as long as they have the serial number, they can put it in effect. No more worries about battery.

It still amazes me that I can't find a U.S. retail bank that has reasonable two-factor security.
serbeer
Posts: 1304
Joined: Fri Dec 28, 2007 1:09 pm

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by serbeer »

The problem with Yubikey (and the reason I asked Fidelity for Verisign hardware token instead) is that Yubikey requires access to USB port, and while it is available 95% of the time, the remaining 5% I may want to access Fidelity from terminal where the computer itself, and USB port on it is not available--like the one in health club or internet cafe or computer station abroad. Or, even more importantly, from mobile device without USB port, such as my iPod/iPhone. I cannot do so with Yubikey in such cases but I can always enter 6-digit code my Fidelity token displays.

As far as battery life is concerned, Fidelity's model of the token has power-on button and LCD screen is blank until it is pressed. Knowing how long electronic watch lasts on single battery, with LCD off, I expect the token to last for a decade at least.
jrj
Posts: 14
Joined: Thu May 17, 2007 9:49 am

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by jrj »

Yes. The Verisign hardware dongle, the Yubikey VIP, and the Symantec VIP app are functionally identical. It's just a question of which you prefer.
Topic Author
Alskar
Posts: 643
Joined: Wed Jan 06, 2010 9:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by Alskar »

serbeer wrote:The problem with Yubikey (and the reason I asked Fidelity for Verisign hardware token instead) is that Yubikey requires access to USB port, and while it is available 95% of the time, the remaining 5% I may want to access Fidelity from terminal where the computer itself, and USB port on it is not available--like the one in health club or internet cafe or computer station abroad. Or, even more importantly, from mobile device without USB port, such as my iPod/iPhone. I cannot do so with Yubikey in such cases but I can always enter 6-digit code my Fidelity token displays.
This is the biggest issue with the YubiKey in my view. For whatever reason, Yubico does not make a YubiKey VIP (the one with Symantec Verisign VIP support used by Fidelity and others) with NFC (near field communication). I suppose it is because the VIP has two "slots"; one slot containing an OATH password and the other containing the VIP code and NFC doesn't have a way to support two slots.

The YubiKey NEO has NFC but it only supports OATH authentication. In the future it will also support FIDO, but they're currently not selling YubiKey NEOs with FIDO support.

FWIW, I found carrying around an RSA dongle with an LCD screen to be annoying. The dongle is too big for my pocket and I frequently damaged them with my keys. I don't think the Fidelity dongle is any smaller than the RSA dongle.
Lagom är bäst
Topic Author
Alskar
Posts: 643
Joined: Wed Jan 06, 2010 9:52 pm
Location: Oregon

Re: Implementing Two-Factor Authentication for Fidelity Acco

Post by Alskar »

jrj wrote:It still amazes me that I can't find a U.S. retail bank that has reasonable two-factor security.
It appears that Bank of America is pretty serious about supporting the new FIDO standard: http://www.yubico.com/2014/02/bank-amer ... -alliance/. More information on FIDO can be found on their website: https://fidoalliance.org/

I think FIDO will be hard to beat once they start gaining critical mass.
Lagom är bäst