should I use vanguard's 2 step verification sign in

Have a question about your personal investments? No matter how simple or complex, you can ask it here.
Post Reply
lomarica01
Posts: 74
Joined: Sun Jul 05, 2015 10:57 am

should I use vanguard's 2 step verification sign in

Post by lomarica01 » Mon Dec 04, 2017 12:43 pm

Got an email from Vanguard offering 3 new security measures for accounts. Sounds like a good idea but thought I would put it out for any discussion before I make any changes. I am thinking of just using the security code via text option.

Security codes
This service—a type of “2-step verification”—sends you a single-use security code that you’ll enter after providing your user name and password when you log on to vanguard.com or our mobile apps. You can choose to receive security codes through a text message or automated phone call.
When you enroll, you can choose to use a security code every time you log on to your account or only when Vanguard doesn’t recognize your computer or device.

Account activity alerts
This service sends you email or text message alerts for certain transactions and account profile changes. You’ll receive a detailed alert moments after an initiated transaction.
You can customize your alert type and delivery method settings by email or text—simply visit the account activity alerts page.

Vanguard Voice Verification™
Verify your identity using the sound of your voice. When you sign up for this service, you’ll get even safer and faster access to your accounts when you call us.
When you first enroll in voice verification, you’ll record a passphrase that we’ll match to confirm your identity each time you call.

any comments appreciated

livesoft
Posts: 57302
Joined: Thu Mar 01, 2007 8:00 pm

Re: should I use vanguard's 2 step verification sign in

Post by livesoft » Mon Dec 04, 2017 12:53 pm

Sure, why not? I use it. One can always turn it off after trying it out if one doesn't like it or loses their phone that receives text messages.
This signature message sponsored by sscritic: Learn to fish.

dcabler
Posts: 312
Joined: Wed Feb 19, 2014 11:30 am

Re: should I use vanguard's 2 step verification sign in

Post by dcabler » Mon Dec 04, 2017 12:54 pm

Been using the 2-step verification for a couple of months now. Only issue is that I often forget to have my phone with me when I log in. :D

ACA
Posts: 11
Joined: Wed Nov 29, 2017 7:51 am

Re: should I use vanguard's 2 step verification sign in

Post by ACA » Mon Dec 04, 2017 1:07 pm

I use it and I like it.

Very simple and adds an extra layer of security...

DrGoogle2017
Posts: 678
Joined: Mon Aug 14, 2017 12:31 pm

Re: should I use vanguard's 2 step verification sign in

Post by DrGoogle2017 » Mon Dec 04, 2017 1:10 pm

I’m still avoiding it.

cmeretire
Posts: 15
Joined: Thu Nov 24, 2016 11:45 am

Re: should I use vanguard's 2 step verification sign in

Post by cmeretire » Mon Dec 04, 2017 1:15 pm

I use it at Fido but it's the same thing Vanguard uses. I've been using it for a couple months now and I like the added security it provides. With all the security breaches that seem to coming at an ever increasing frequency, what not?

jalbert
Posts: 2294
Joined: Fri Apr 10, 2015 12:29 am

Re: should I use vanguard's 2 step verification sign in

Post by jalbert » Mon Dec 04, 2017 1:36 pm

The short answer is yes to all three.
When you enroll, you can choose to use a security code every time you log on to your account or only when Vanguard doesn’t recognize your computer or device.
Green is important. Red is dubious. Security codes ensure that the same login session may not be repeated because the code value is not predictable. With out a code or if you choose remembering the computer or use a fingerprint for logging in over the internet, the data your machine transmits may be captured and replayed in a later session from a different machine.

Account activity alerts are useful to inform you in a timely manner if there is abuse of your account.

Vanguard Voice Verification or enhanced phone security passwords are important even if you don't use phone services-- someone else can still call in and try to impersonate you.
Last edited by jalbert on Wed Dec 06, 2017 5:38 pm, edited 3 times in total.
Risk is not a guarantor of return.

Liberty1100
Posts: 195
Joined: Fri Nov 21, 2014 12:36 pm
Contact:

Re: should I use vanguard's 2 step verification sign in

Post by Liberty1100 » Mon Dec 04, 2017 1:41 pm

I like having the 2-factor on as many accounts as possible. I get the texts right to my Apple Watch, so it is super easy and quick to type in.

However, I find it annoying to have to do that for Mint and Personal Capital to update my account balances.

User avatar
oldcomputerguy
Posts: 2100
Joined: Sun Nov 22, 2015 6:50 am
Location: In the middle of five acres of woods

Re: should I use vanguard's 2 step verification sign in

Post by oldcomputerguy » Mon Dec 04, 2017 2:06 pm

Did they not mention the Yubikey option?
Anybody know why there's a 20-pound frozen turkey up in the light grid?

User avatar
Jerry55
Posts: 533
Joined: Tue Jan 27, 2015 1:56 am
Location: That Toddlin' Town

Re: should I use vanguard's 2 step verification sign in

Post by Jerry55 » Mon Dec 04, 2017 11:49 pm

dcabler wrote:
Mon Dec 04, 2017 12:54 pm
Been using the 2-step verification for a couple of months now. Only issue is that I often forget to have my phone with me when I log in. :D

D.I.T.T.O.

I even use 2 step for other things, including Yahoo (just my initial web start page - gives me my news as I asked for), Gmail, and maybe 2 or 3 more. I'm retired, but, like dcabler above, I'm normally on the 3rd floor (my bedroom) and my phone is on the 1st floor. Lots of steps. :oops:
Retired 12/19/2012 @ age 57 | Good Bye Tension, Hello Pension !!!

Finridge
Posts: 126
Joined: Mon May 16, 2011 7:27 pm

Re: should I use vanguard's 2 step verification sign in

Post by Finridge » Mon Dec 04, 2017 11:55 pm

lomarica01 wrote:
Mon Dec 04, 2017 12:43 pm
Got an email from Vanguard offering 3 new security measures for accounts. Sounds like a good idea but thought I would put it out for any discussion before I make any changes. I am thinking of just using the security code via text option.

Security codes
This service—a type of “2-step verification”—sends you a single-use security code that you’ll enter after providing your user name and password when you log on to vanguard.com or our mobile apps. You can choose to receive security codes through a text message or automated phone call.
When you enroll, you can choose to use a security code every time you log on to your account or only when Vanguard doesn’t recognize your computer or device.

Account activity alerts
This service sends you email or text message alerts for certain transactions and account profile changes. You’ll receive a detailed alert moments after an initiated transaction.
You can customize your alert type and delivery method settings by email or text—simply visit the account activity alerts page.

Vanguard Voice Verification™
Verify your identity using the sound of your voice. When you sign up for this service, you’ll get even safer and faster access to your accounts when you call us.
When you first enroll in voice verification, you’ll record a passphrase that we’ll match to confirm your identity each time you call.

any comments appreciated
Yes, use all of these.

ccieemeritus
Posts: 440
Joined: Thu Mar 06, 2014 10:43 pm

Re: should I use vanguard's 2 step verification sign in

Post by ccieemeritus » Tue Dec 05, 2017 1:13 am

I’m trying to get to the point where all my “money accounts” have 2-factor authentication. I like getting the text message on my phone (as opposed to a physical token or smartphone app).

I have 2-factor authentication enabled for Vanguard.

Carl53
Posts: 1443
Joined: Sun Mar 07, 2010 8:26 pm

Re: should I use vanguard's 2 step verification sign in

Post by Carl53 » Tue Dec 05, 2017 6:58 am

livesoft wrote:
Mon Dec 04, 2017 12:53 pm
Sure, why not? I use it. One can always turn it off after trying it out if one doesn't like it or loses their phone that receives text messages.
How does one turn it off if you lose the phone receiving the text messages?

livesoft
Posts: 57302
Joined: Thu Mar 01, 2007 8:00 pm

Re: should I use vanguard's 2 step verification sign in

Post by livesoft » Tue Dec 05, 2017 7:07 am

You call Vanguard with another phone.
This signature message sponsored by sscritic: Learn to fish.

jebmke
Posts: 7017
Joined: Thu Apr 05, 2007 2:44 pm

Re: should I use vanguard's 2 step verification sign in

Post by jebmke » Tue Dec 05, 2017 7:52 am

I would not use a financial institution that doesn't provide 2FA.
Carl53 wrote:
Tue Dec 05, 2017 6:58 am
livesoft wrote:
Mon Dec 04, 2017 12:53 pm
Sure, why not? I use it. One can always turn it off after trying it out if one doesn't like it or loses their phone that receives text messages.
How does one turn it off if you lose the phone receiving the text messages?
You should be able to go right into the site on a computer and turn it off. It isn't generally a good practice to use the same device for the second factor that you use to access their site. I don't recommend accessing financial institutions from a mobile device period. Their security is a black box - just ask GS Warrior fans.
When you discover that you are riding a dead horse, the best strategy is to dismount.

iasw
Posts: 92
Joined: Mon Dec 05, 2016 2:02 pm

Re: should I use vanguard's 2 step verification sign in

Post by iasw » Tue Dec 05, 2017 9:06 am

My husband was trying to set up Vanguard voice verification and couldn't stop laughing at the prompt. He said it reminded him of the "selling is service, and service selling!" video and just lost it. He will try again. :P :P

2015
Posts: 978
Joined: Mon Feb 10, 2014 2:32 pm

Re: should I use vanguard's 2 step verification sign in

Post by 2015 » Tue Dec 05, 2017 3:56 pm

lomarica01 wrote:
Mon Dec 04, 2017 12:43 pm
Got an email from Vanguard offering 3 new security measures for accounts. Sounds like a good idea but thought I would put it out for any discussion before I make any changes. I am thinking of just using the security code via text option.

Security codes
This service—a type of “2-step verification”—sends you a single-use security code that you’ll enter after providing your user name and password when you log on to vanguard.com or our mobile apps. You can choose to receive security codes through a text message or automated phone call.
When you enroll, you can choose to use a security code every time you log on to your account or only when Vanguard doesn’t recognize your computer or device.

Account activity alerts
This service sends you email or text message alerts for certain transactions and account profile changes. You’ll receive a detailed alert moments after an initiated transaction.
You can customize your alert type and delivery method settings by email or text—simply visit the account activity alerts page.

Vanguard Voice Verification™
Verify your identity using the sound of your voice. When you sign up for this service, you’ll get even safer and faster access to your accounts when you call us.
When you first enroll in voice verification, you’ll record a passphrase that we’ll match to confirm your identity each time you call.

any comments appreciated
I use all of these including Yubikey for 2FA and never access any financial accounts from my phone. I use a gmail Yubikey 2FA account dedicated strictly to financials and recovery backup, which is not linked to any phone number for recovery (to thwart social engineering) but instead uses 2nd/3rd backup account recovery options of Google Authenticator and printed backup codes stored in safe location. I only recently learned to my chagrin one is unable to keep a google account on a device while disabling the gmail account; thus, my gmail account is on my phone. OTOH, the phone is locked/unlocked via fingerprint sensor, is set not to display notifications (i.e., 2FA text codes) in lock mode, and can be located/locked/wiped remotely via Google's security option in the event of theft or loss long before anyone would be interested in/have time to/figure out how to compromise the gmail account.

User avatar
TheGreyingDuke
Posts: 1381
Joined: Fri Sep 02, 2011 10:34 am

Re: should I use vanguard's 2 step verification sign in

Post by TheGreyingDuke » Tue Dec 05, 2017 4:11 pm

dcabler wrote:
Mon Dec 04, 2017 12:54 pm
Been using the 2-step verification for a couple of months now. Only issue is that I often forget to have my phone with me when I log in. :D
I am not sure if this compromises security, but I use my Google Voice number for the verification code and get it as an email as well as on my phone.
"Every time I see an adult on a bicycle, I no longer despair for the future of the human race." H.G. Wells

inbox788
Posts: 4194
Joined: Thu Mar 15, 2012 5:24 pm

Re: should I use vanguard's 2 step verification sign in

Post by inbox788 » Tue Dec 05, 2017 4:36 pm

TheGreyingDuke wrote:
Tue Dec 05, 2017 4:11 pm
dcabler wrote:
Mon Dec 04, 2017 12:54 pm
Been using the 2-step verification for a couple of months now. Only issue is that I often forget to have my phone with me when I log in. :D
I am not sure if this compromises security, but I use my Google Voice number for the verification code and get it as an email as well as on my phone.
Yes, it compromises security. You're supposed to have 2 independent security measures to truly take advantage of 2-factor authentication. By using an email, you bypass the independence, and create a single point of weakness. That said, I do the same for convenience, and it's better than not using 2-factor at all IMO.

PatrickA5
Posts: 212
Joined: Mon Jul 28, 2014 1:55 pm

Re: should I use vanguard's 2 step verification sign in

Post by PatrickA5 » Tue Dec 05, 2017 6:30 pm

I use Quicken to pull in my Vanguard transactions. Will using 2 factor cause Quicken to stop importing the data?

CRC301
Posts: 49
Joined: Sat Feb 14, 2015 1:31 pm

Re: should I use vanguard's 2 step verification sign in

Post by CRC301 » Tue Dec 05, 2017 9:37 pm

PatrickA5 wrote:
Tue Dec 05, 2017 6:30 pm
I use Quicken to pull in my Vanguard transactions. Will using 2 factor cause Quicken to stop importing the data?
I use Quicken as well and I have 2-factor (SMS codes) enabled on my Vanguard account and it has no effect on Quicken downloading the transactions. Quicken uses the Direct Connect method to download transactions from Vanguard. This means that Quicken contacts Vanguard via a special back-end protocol. As far as I know, as long as you don't setup online bill payment its a read-only connection which carries a lower risk than one where someone could initiate a trade/transfer.

I also use some other online websites to pull data from Vanguard (USAA, Personal Capital, ...) and they actually do prompt me for the security code sent to my phone. It varies from site to site and application to application.

PatrickA5
Posts: 212
Joined: Mon Jul 28, 2014 1:55 pm

Re: should I use vanguard's 2 step verification sign in

Post by PatrickA5 » Wed Dec 06, 2017 5:36 pm

Thanks for the info!

Chuck
Posts: 1897
Joined: Thu May 21, 2009 12:19 pm

Re: should I use vanguard's 2 step verification sign in

Post by Chuck » Wed Dec 06, 2017 5:54 pm

jalbert wrote:
Mon Dec 04, 2017 1:36 pm
Without a code or if you choose remembering the computer or use a fingerprint for logging in over the internet, the data your machine transmits may be captured and replayed in a later session from a different machine.
Out of curiosity, why do you believe this?

User avatar
AAA
Posts: 858
Joined: Sat Jan 12, 2008 8:56 am

Re: should I use vanguard's 2 step verification sign in

Post by AAA » Wed Dec 06, 2017 6:31 pm

cmeretire wrote:
Mon Dec 04, 2017 1:15 pm
I use it at Fido but it's the same thing Vanguard uses.
With Fidelity, I use Symantec VIP Access. It generates a random number. With Vanguard, they text a random number to my phone. So not the same thing. Does each site have other options for two-factor authentication?

drwtsn32
Posts: 102
Joined: Wed Dec 31, 2014 12:28 pm

Re: should I use vanguard's 2 step verification sign in

Post by drwtsn32 » Wed Dec 06, 2017 6:57 pm

ccieemeritus wrote:
Tue Dec 05, 2017 1:13 am
I like getting the text message on my phone (as opposed to a physical token or smartphone app).
Note that this is less secure. SMS messages can be intercepted in order to capture the second factor if the person is determined enough.

The QR code you scan into an authentication app is much more secure. The QR code itself is sent to you over an encrypted and authenticated TLS channel (unlike SMS). And it is only done once. Later, when you need to actually enter a second factor code, nothing is transmitted. The app generates a code based on its clock.

User avatar
Toons
Posts: 12104
Joined: Fri Nov 21, 2008 10:20 am
Location: Hills of Tennessee

Re: should I use vanguard's 2 step verification sign in

Post by Toons » Wed Dec 06, 2017 7:12 pm

Take full advantage of any security options you are offered. :happy
"One does not accumulate but eliminate. It is not daily increase but daily decrease. The height of cultivation always runs to simplicity" –Bruce Lee

Thesaints
Posts: 1062
Joined: Tue Jun 20, 2017 12:25 am

Re: should I use vanguard's 2 step verification sign in

Post by Thesaints » Wed Dec 06, 2017 7:23 pm

Unless one needs the extra security, why add more of it ?

surfstar
Posts: 1424
Joined: Fri Sep 13, 2013 12:17 pm
Location: Santa Barbara, CA

Re: should I use vanguard's 2 step verification sign in

Post by surfstar » Wed Dec 06, 2017 7:38 pm

If you're using 2FA, make sure its done in a more secure way...

Why to use Google Authenticator over SMS/Text codes:

https://www.wired.com/2016/06/hey-stop- ... ntication/

CyberGuy
Posts: 8
Joined: Sun Nov 12, 2017 2:42 pm

Re: should I use vanguard's 2 step verification sign in

Post by CyberGuy » Wed Dec 06, 2017 8:14 pm

Thesaints wrote:
Wed Dec 06, 2017 7:23 pm
Unless one needs the extra security, why add more of it ?
For a few main reasons:

1. People are creatures of habit and often use the same passwords on multiple websites. Even if Vanguard does not suffer a breach another website you use could have been hacked and your username and password could be floating around on the internet. http://money.cnn.com/2017/10/03/technol ... index.html

2. Many people use weak passwords that are easily guessable. Two factor authentication ensures that even if a hacker has your password they are not getting in without your phone.

3. Financial institutions are commonly targeted by hackers. What if (God-forbid) Vanguard has a security incident where you username and password is compromised? Wouldn't you want to have had 2 factor authentication?

4. Enabling the two factor authentication is completely free and significantly improves the security of your hard earned money and investments.

Cheers,

CyberGuy

Thesaints
Posts: 1062
Joined: Tue Jun 20, 2017 12:25 am

Re: should I use vanguard's 2 step verification sign in

Post by Thesaints » Wed Dec 06, 2017 8:18 pm

Two factor authentication requires me to have my cellphone active, which is not the case when I don't have my cell with me, or I have it and I'm abroad.
Also, what can a hacker do with my password ? Can't transfer money to himself and non-authorized transactions do not generate CG, afaik.

CyberGuy
Posts: 8
Joined: Sun Nov 12, 2017 2:42 pm

Re: should I use vanguard's 2 step verification sign in

Post by CyberGuy » Wed Dec 06, 2017 8:19 pm

surfstar wrote:
Wed Dec 06, 2017 7:38 pm
If you're using 2FA, make sure its done in a more secure way...

Why to use Google Authenticator over SMS/Text codes:

https://www.wired.com/2016/06/hey-stop- ... ntication/
Good post. I use google authenticator on other websites and think it's great. A yubikey or RSA token would also be nice to have. I know Fidelity has this. Anyone know if Vanguard is planning or has something similar?

Thesaints
Posts: 1062
Joined: Tue Jun 20, 2017 12:25 am

Re: should I use vanguard's 2 step verification sign in

Post by Thesaints » Wed Dec 06, 2017 8:21 pm

Hopefully not. How many break-ins have they experienced ?

fatcharlie
Posts: 31
Joined: Wed Aug 06, 2014 11:25 am

Re: should I use vanguard's 2 step verification sign in

Post by fatcharlie » Thu Dec 07, 2017 1:22 pm

jalbert wrote:
Mon Dec 04, 2017 1:36 pm
When you enroll, you can choose to use a security code every time you log on to your account or only when Vanguard doesn’t recognize your computer or device.
Green is important. Red is dubious. Security codes ensure that the same login session may not be repeated because the code value is not predictable. With out a code or if you choose remembering the computer or use a fingerprint for logging in over the internet, the data your machine transmits may be captured and replayed in a later session from a different machine.
Is this correct? I'd think that the cookies that your browser transmits to indicate that it's a known machine are protected by SSL.

2015
Posts: 978
Joined: Mon Feb 10, 2014 2:32 pm

Re: should I use vanguard's 2 step verification sign in

Post by 2015 » Thu Dec 07, 2017 3:31 pm

surfstar wrote:
Wed Dec 06, 2017 7:38 pm
If you're using 2FA, make sure its done in a more secure way...

Why to use Google Authenticator over SMS/Text codes:

https://www.wired.com/2016/06/hey-stop- ... ntication/
I use Authenticator and printed passcodes as backup recovery to Yubikey at VG, and avoid SMS 2FA on other accounts as much as possible. OTOH, I'm not so sure I'm the "target of sophisticated hackers" either.

From the article:
But for anyone who might be a target of sophisticated hackers, all of those techniques mean SMS should be avoided when possible for anything login-related.

CRC301
Posts: 49
Joined: Sat Feb 14, 2015 1:31 pm

Re: should I use vanguard's 2 step verification sign in

Post by CRC301 » Thu Dec 07, 2017 7:37 pm

fatcharlie wrote:
Thu Dec 07, 2017 1:22 pm
jalbert wrote:
Mon Dec 04, 2017 1:36 pm
When you enroll, you can choose to use a security code every time you log on to your account or only when Vanguard doesn’t recognize your computer or device.
Green is important. Red is dubious. Security codes ensure that the same login session may not be repeated because the code value is not predictable. With out a code or if you choose remembering the computer or use a fingerprint for logging in over the internet, the data your machine transmits may be captured and replayed in a later session from a different machine.
Is this correct? I'd think that the cookies that your browser transmits to indicate that it's a known machine are protected by SSL.
Depends on how the website implements their "computer recognition". I do think most of them do it with a cookie of some sort and it would be transmitted via SSL/TLS (note that not all SSL/TLS is created equal though). If someone got your password, they could technically get into the account and bypass the 2-factor if they were able to obtain that cookie somehow. Probably safest to not use that feature.

Post Reply