Author Topic: Vanguard Security Codes--Yes or No?  (Read 1484 times)

lizzzi

  • Handlebar Stache
  • *****
  • Posts: 2022
Vanguard Security Codes--Yes or No?
« on: August 06, 2018, 02:07:02 PM »
I keep getting messages from Vanguard when I check my balances that they want us to sign up for security codes on our phones by 8/15/2018. When I clicked on the links, it does not look like this is mandatory, and I thought it looked kind of confusing. Are most of you signing up for these security codes? Or not? I don't use my phone for Vanguard anyway, I do everything on the computer.

e34bb098

  • 5 O'Clock Shadow
  • *
  • Posts: 83
Re: Vanguard Security Codes--Yes or No?
« Reply #1 on: August 06, 2018, 02:35:00 PM »
I used to use them, but they prevented Personal Capital from importing my Vanguard info unless I typed in the security code every time.  I decided that the extra layer of security was not worth the constant annoyance.  Besides, SMS-based TFA is not that secure anyway -- see, for example the recent hack of Reddit:

https://www.csoonline.com/article/3293904/cloud-security/reddit-discloses-hack-says-sms-intercept-allowed-attackers-to-skirt-2fa-protections.html

CupcakeGuru

  • Stubble
  • **
  • Posts: 142
Re: Vanguard Security Codes--Yes or No?
« Reply #2 on: August 06, 2018, 03:23:39 PM »
I haven't bothered to add the extra security codes because it would then not import into Mint. I do change my password quarterly though.

PencilStache

  • 5 O'Clock Shadow
  • *
  • Posts: 13
Re: Vanguard Security Codes--Yes or No?
« Reply #3 on: August 06, 2018, 03:31:36 PM »
I did add them and found the extra hassle provided more peace of mind. Well worth it to me.

MustacheAndaHalf

  • Handlebar Stache
  • *****
  • Posts: 1260
Re: Vanguard Security Codes--Yes or No?
« Reply #4 on: August 07, 2018, 01:40:20 AM »
I find the "verify new devices" security option isn't troublesome at all.

I used to use them, but they prevented Personal Capital from importing my Vanguard info unless I typed in the security code every time.
If you use "only when device is unrecognized" on Vanguard, then according to a post over on bogleheads it works with Personal Capital (but not Mint).

appleshampooid

  • Stubble
  • **
  • Posts: 130
  • Relentless Snacker
Re: Vanguard Security Codes--Yes or No?
« Reply #5 on: August 07, 2018, 05:24:27 AM »
I haven't bothered to add the extra security codes because it would then not import into Mint. I do change my password quarterly though.
Same for me on the Mint front. Most accounts will "remember" a browser, which includes Mint's automated system, so you don't have to do the 2FA every time, but for whatever reason Vanguard's system doesn't work that way. It is more secure, just less usable. Especially for those of us who use Mint or other 3rd party trackers.

lizzzi

  • Handlebar Stache
  • *****
  • Posts: 2022
Re: Vanguard Security Codes--Yes or No?
« Reply #6 on: August 07, 2018, 06:55:36 AM »
Thanks for the helpful replies. I think I'll just continue to change my (already very complex) password from time to time.

GreenEggs

  • Pencil Stache
  • ****
  • Posts: 525
  • Location: Here & There
Re: Vanguard Security Codes--Yes or No?
« Reply #7 on: August 07, 2018, 07:36:35 AM »
I really like the added layer of security. 




grandep

  • Stubble
  • **
  • Posts: 108
  • Location: New Mexico
Re: Vanguard Security Codes--Yes or No?
« Reply #8 on: August 07, 2018, 07:55:18 AM »
I also had trouble with Mint but have had no problems with Personal Capital. Frankly, this is Mint's problem -- it's unacceptable to be incompatible with two-factor authentication nowadays.

I use 2FA almost everywhere it is offered and I recommend that everyone do so. Especially since Vanguard will only text you if you are logging in from a new device, so the inconvenience factor is minimal.

Bird In Hand

  • Bristles
  • ***
  • Posts: 424
Re: Vanguard Security Codes--Yes or No?
« Reply #9 on: August 08, 2018, 10:37:10 AM »
I called Vanguard recently to ask about the effect of Security Codes on financial aggregators (I use yodlee).  I was told that soon they would be mandatory, but the timing of that was supposed to coincide with the rollout of another way for the aggregators to work without them.

Scandium

  • Handlebar Stache
  • *****
  • Posts: 2167
  • Location: EastCoast
Re: Vanguard Security Codes--Yes or No?
« Reply #10 on: August 08, 2018, 11:02:25 AM »
I also had trouble with Mint but have had no problems with Personal Capital. Frankly, this is Mint's problem -- it's unacceptable to be incompatible with two-factor authentication nowadays.

I use 2FA almost everywhere it is offered and I recommend that everyone do so. Especially since Vanguard will only text you if you are logging in from a new device, so the inconvenience factor is minimal.

That would be all well and good if it was secure. 2FA using SMS is junk since SMS is not encrypted and hopelessly insecure. If they used email (as many others do) I'd be fine with it.

appleshampooid

  • Stubble
  • **
  • Posts: 130
  • Relentless Snacker
Re: Vanguard Security Codes--Yes or No?
« Reply #11 on: August 08, 2018, 11:40:38 AM »
I also had trouble with Mint but have had no problems with Personal Capital. Frankly, this is Mint's problem -- it's unacceptable to be incompatible with two-factor authentication nowadays.

I use 2FA almost everywhere it is offered and I recommend that everyone do so. Especially since Vanguard will only text you if you are logging in from a new device, so the inconvenience factor is minimal.
I wouldn't place the blame squarely on Mint without more info - Mint integrates fine with lots of other providers that require 2FA. The first time you link the account, you go through the 2FA process inside of the Mint website, then the website remembers Mint as a trusted client (just like your own browser). Without knowing more details of the technology in play, the problem could be on either end. I've had one other account (WageWorks pre-tax commuter account) that suffered from the same problem.

grandep

  • Stubble
  • **
  • Posts: 108
  • Location: New Mexico
Re: Vanguard Security Codes--Yes or No?
« Reply #12 on: August 08, 2018, 02:00:10 PM »
That would be all well and good if it was secure. 2FA using SMS is junk since SMS is not encrypted and hopelessly insecure. If they used email (as many others do) I'd be fine with it.

I'm interested to learn more about the flaws in SMS based 2FA. I genuinely wasn't aware that it was considered suboptimal. It is pretty common in my experience.

MustacheAndaHalf

  • Handlebar Stache
  • *****
  • Posts: 1260
Re: Vanguard Security Codes--Yes or No?
« Reply #13 on: August 09, 2018, 09:37:22 AM »
Last time I visited this thread I read up on it, and essentially someone can target you specifically.  They can convince a cell phone provider to switch their service to mirror your phone, then request an SMS message that goes to their phone instead of yours.  To me, that's more effort than simply targeting a password, so I think it's still an added layer of security.  But with retirement accounts at stake, higher levels of security seem appropriate.

Besides security codes, Vanguard also offers support for security keys.
https://investor.vanguard.com/security/security-keys

Scandium

  • Handlebar Stache
  • *****
  • Posts: 2167
  • Location: EastCoast
Re: Vanguard Security Codes--Yes or No?
« Reply #14 on: August 09, 2018, 11:24:00 AM »
Last time I visited this thread I read up on it, and essentially someone can target you specifically.  They can convince a cell phone provider to switch their service to mirror your phone, then request an SMS message that goes to their phone instead of yours. To me, that's more effort than simply targeting a password, so I think it's still an added layer of security. But with retirement accounts at stake, higher levels of security seem appropriate.

Besides security codes, Vanguard also offers support for security keys.
https://investor.vanguard.com/security/security-keys

Is it? How would they crack a password? Hopefully vanguard isn't hacked (in that case we're screwed anyway) so I don't think they can use rainbow tables. And for example I have an 18 character password which would take forever. They could intercept the login on open wifi I guess, but that's a pretty bad idea and nobody should do that. And then they could do the same with SMS anyway. If you need the SMS in addition to password I suppose it's no less secure, but I'm not sure how it works with vanguard.