The Money Mustache Community
Learning, Sharing, and Teaching => Investor Alley => Topic started by: cpthammer on December 14, 2016, 08:08:19 AM
-
I just set up two-factor authentication with Vanguard. They text you a passcode every time you login.
This means (I believe) that someone would need to steal your username/password AND your phone to gain access to your account.
I would like to do the same for Fidelity, but they don't seem to have this type of two-factor security.
They seem to want you to download a very poorly regarded Symantec app to do this. The reviews of this app are terrible.
Does anyone have experience with Fidelity two factor authentication?
-
I just got an email about voice recognition for phone calls, so it's probably on their radar. Dunno about the site though. I wish everyone would just use Google authenticator.
-
Fidelity does have this, I just set it up today. Works pretty seamlessly with the Symantec VIP Access app.
https://www.fidelity.com/security/soft-tokens/overview
-
I just set up two-factor authentication with Vanguard. They text you a passcode every time you login.
This means (I believe) that someone would need to steal your username/password AND your phone to gain access to your account.
This is imprecise - if someone can convince an employee at your cell service provider that you lost your phone, they can intercept your text messages (http://adequateman.deadspin.com/dont-let-two-factor-text-authentication-lull-you-into-a-1782704215). This is not to say that you shouldn't use SMS-based 2FA, just be aware that physical access isn't necessary.
-
I just set up two-factor authentication with Vanguard. They text you a passcode every time you login.
This means (I believe) that someone would need to steal your username/password AND your phone to gain access to your account.
This is imprecise - if someone can convince an employee at your cell service provider that you lost your phone, they can intercept your text messages (http://adequateman.deadspin.com/dont-let-two-factor-text-authentication-lull-you-into-a-1782704215). This is not to say that you shouldn't use SMS-based 2FA, just be aware that physical access isn't necessary.
Which is why something like Syantec VIP is better. However, you're still at risk if your phone gets stolen/lost, especially if you have email sync enabled for the email account you're using with your brokerage account, since someone could try to log in and then reset the password, and open up VIP for the 2FA code. I actually wish VIP was password protected, then they would need to:
- Guess correct PIN for phone
- Figure out user ID for brokerage account (make sure you don't cache this). I also don't use the brokerage app.
- Figure out answers for security questions to request password reset (I know my brokerage account requires security questions to be answered)
- Open up VIP (would be better if there was a password on it) to get passcode
I do need to set up remote wipe on my phone so if it gets lost, I can get rid of the VIP instance if I lose my phone. I probably should change the email that is used to one that is not synched to my phone as that would be yet another hurdle to overcome.
-
Sounds good. For your last step, there are apps that password-protect specific apps, might only be for rooted devices though.
I wish other brokerages would enable this type of authentication as well...
-
Get the app. It's more secure than SMS 2FA.