I just set up two-factor authentication with Vanguard. They text you a passcode every time you log in.
This means (I believe) that someone would need to steal your username/password AND your phone to gain access to your account.
This is imprecise - if someone can convince an employee at your cell service provider that you lost your phone, they can intercept your text messages. This is not to say that you shouldn't use SMS-based 2FA, just be aware that physical access isn't necessary.
Which is why something like Symantec VIP is better. However, you're still at risk if your phone gets stolen/lost, especially if you have email sync enabled for the email account you're using with your brokerage account, since someone could try to log in and then reset the password, and open up VIP for the 2FA code. I actually wish VIP was password protected, then they would need to:
- Guess correct PIN for phone
- Figure out user ID for brokerage account (make sure you don't cache this). I also don't use the brokerage app.
- Figure out answers for security questions to request password reset (I know my brokerage account requires security questions to be answered)
- Open up VIP (would be better if there was a password on it) to get passcode
I do need to set up remote wipe on my phone so if it gets lost, I can get rid of the VIP instance if I lose my phone. I probably should change the email that is used to one that is not synched to my phone as that would be yet another hurdle to overcome.