You should have two-factor authentication on every financial account

My friend Larry shared a harrowing story with me recently. Someone managed to get access to his Fidelity account and was trying to transfer out his funds!

This wasn't someone getting his credit card and buying something. You're protected in that kind of situation and you're not liable for more than $50 on unauthorized charges (most credit cards won't make you liable for anything). This was his investment account. His retirement account. His savings account. Yikes.

This was a big and scary deal. Fortunately, financial institutions see fishy behavior all the time. The security team at Fidelity saw the suspicious activity, stopped it, and was able to reach him to clear things up. A scary few moments for Larry but this is a very important for the rest of us.

Turn on two factor authentication on your financial accounts.

(In a previous version of this article, I confused the term authentication and authorization. I meant to use authentication.)

What is two-factor authentication?

Two-factor authentication, often shortened to 2FA or TFA, is when you're required to provide another layer of authentication in addition to your password (also, a password manager like 1Password can help too!). There are three main categories of authentication – something you know, something you have, and something you are.

google-2-step-verificationIf you use GMail, chances are you are familiar with how it works. When you try to log into your email, do you ever see the screen to the right? That's two factor authentication. They are confirming it's really you trying to access your account. That's 2FA.

At an ATM machine, your ATM card is something you have and your PIN is something you know. Adding a retina scan or fingerprint would be something you are. The “something you are” part, biometrics, is often left out because you can't change it easily if you have to. If the bank stores it and that information is stolen, you can't change something about you as easily as a password or an ATM card. 🙂

Why is this important? One factor authentication is less secure than two factor authentication because … well, two is more than one. 🙂

If you rely only on a username and password, you open yourself up to a lot of risk because that's all someone needs to get access to your account and wreck havoc on your finances. With two factor authentication, in its most common form, you would get a text message with a PIN. When you log in, you have to provide that extra PIN to get access. It's a minor inconvenience for you, it's a major inconvenience for someone looking to break into your account. They would need your phone too.

Is 2FA perfect? No – it's still possible to break into your account but it's made a little bit harder. A little bit harder means thieves might move onto the next account.

Check here to see if your financial institution offers it. Many will offer 2FA with a text message, phone call, or email. If your financial institution offers it, I recommend doing it.

I went through this process the other day with Vanguard and the basic flow will be similar.

Setting up Two-Factor Auth on Vanguard

After checking twofactorauth.org and learning Vanguard offered 2FA, I went to set it up. Very easy.

To do it, log into your account and click on the My Accounts drop down in the top menu.
vanguard-account-maintenance

Then click on Security Code in the Security Profile section in the lower right.

(click to expand, but it's in the lower right)
(click to expand, but it's in the lower right)

You'll be prompted with a sign-up page followed by a Security Code Service Terms and Conditions page.

Next, you select your Phone Number and Contact Method (I chose Text).
vanguard-establish-contact-phone-number

You'll get a text with the six digit number and ten minutes to enter it before it expires.
vanguard-confirm-phone-number

Finally, set the rules for when to use 2FA – your choices are only one new computers or all the time.
vanguard-select-frequency

I chose only when Vanguard doesn't recognize my computer or device.

There's a big NOTE on there that will have an impact on us – this added security breaks financial aggregators like Mint and Yodlee and I assumed it would break Personal Capital. I just logged in and unless I'm mistaken, Personal Capital was still able to updated as normal. Even if it didn't, it would have been unfortunate but security trumps convenience.

This isn't a perfect solution, there never will be, but it'll be one more layer of security. If nothing else, it's an early warning system too since you'll start getting text messages for login attempts you didn't make!

Remember to “Number Lock” Your Phone Number

Now that you have two-factor authorization, it's important to secure your phone. Many people use their phone for 2FA and thieves know this – so they may try to steal your phone number by porting it without your permission.

Fortunately, there's a simple solution – Number Lock (that's what Verizon, my carrier, calls it). By locking your number, it cannot be ported without you “unlocking” it first.

Here is the Verizon's FAQ answer explaining how it works:

What is a Number Lock?
If a scammer gets your personal information, they could transfer your mobile number to another carrier. This may be referred to as an unauthorized port out. Then, they could get your calls and texts to take control of other accounts, like banking and social media.

You can set up a Number Lock for free to protect your mobile number from an unauthorized transfer. Once a lock is set up for a number, that number cannot be ported to another line/carrier unless you remove the lock. You can set up a Number Lock with the My Verizon website and app or by calling Customer Service at *611.

This isn't usually turned on by default, so you'll have to log into your account and turn it on.

Other Posts You May Enjoy:

Do You Have an In-Case-of Emergency Binder?

An In-Case-of-Emergency Binder helps your loved ones deal with an emergency, such as a medical emergency or unexpected death. You'll want to include everything they would need to know if you suddenly weren't around or were having a medical emergency.

Mvelopes Review 2021: Digital Cash Envelopes

Mvelopes takes the envelope budgeting system digital. If you like the idea of the envelope budget but don't want to carry so much cash Mvelopes may be the answer. With three pricing tiers, you get unlimited envelopes and account syncing, online courses, and a dedicated financial coach.

9 Simple Bank Alternatives

With Simple Bank closing many are looking for an alternative. Each of these Simple Bank alternatives offer free checking account options and many accounts pay interest on deposits.

Jim Wang

About Jim Wang

Jim Wang is a thirty-something father of three who is a frequent contributor to Forbes and Vanguard's Blog. He has also been fortunate to have appeared in the New York Times, Baltimore Sun, Entrepreneur, and Marketplace Money.

Jim has a B.S. in Computer Science and Economics from Carnegie Mellon University, an M.S. in Information Technology - Software Engineering from Carnegie Mellon University, as well as a Masters in Business Administration from Johns Hopkins University. His approach to personal finance is that of an engineer, breaking down complex subjects into bite-sized easily understood concepts that you can use in your daily life.

One of his favorite tools (here's my treasure chest of tools,, everything I use) is Personal Capital, which enables him to manage his finances in just 15-minutes each month. They also offer financial planning, such as a Retirement Planning Tool that can tell you if you're on track to retire when you want. It's free.

He is also diversifying his investment portfolio by adding a little bit of real estate. But not rental homes, because he doesn't want a second job, it's diversified small investments in a few commercial properties and a farm in Illinois via AcreTrader.

Reader Interactions

Leave a Comment:

Comments

About the comments on this site:

These responses are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser's responsibility to ensure all posts and/or questions are answered.

  1. Joe says

    Thanks for the tip. I have TFA on a few accounts, but not at Vanguard. That’s my biggest account so I’ll set it up today. Security is paramount. I really hope it doesn’t screw up Personal Capital.

      • HF Wannabe says

        Hi Jim,

        Thanks for the post. Do you think using a financial aggregator that actively links your accounts puts your information at greater risk of being misused or falling into the wrong hands? I have not used one in the past, but was just looking into personal capital because of your post.

        • Jim says

          It will increase it but I don’t think it increases a lot versus the value of the aggregation. I haven’t heard of a breach yet and companies like Mint have been around for many years. It’s just not valuable enough, thieves are better off trying to steal credit card information.

    • Jim says

      You’re welcome! And yes, it’s very scary… glad things didn’t get worse for Larry but this is a great lesson for all of us.

  2. Syed says

    Thanks for the reminder. I’ve been meaning to do this but wasn’t actually sure how to go through the process. I will set these up on my investment accounts today.

    • Jim says

      Yes for sure, your email is often the hub of communication so someone with access to your email would learn a tremendous amount about you.

  3. Kyle says

    My credit card number just got stolen a couple days ago, makes me more weary of issues like this. Right now, my online accounts are protected with ridiculously long passwords, but i’ll have to look into 2FA. Thanks

    • Jim says

      2FA should be standard and required everywhere, the only reason it isn’t is because some people aren’t as good with technology and would have trouble getting a text message or some other verification method. 🙂

  4. Ryan says

    I set this up on my of my financial accounts – several after hearing about Larry’s scare. I use long/complex passwords, which also helps, but isn’t infallible.

    I also subscribe to identity theft protection. My belief is identity theft is a matter of when, not if. There have been too many data breaches for me to believe my information is safe. That would be naive.

    • Jim says

      Yeah I was more diligent once I heard Larry’s story, 2fa is a most nowadays.

      I’m with you on identity theft, I don’t have the protection (at least paid… it seems every few years some breach gets it to me for free…) but I’m always checking my reports to make sure.

  5. Our Next Life says

    For what it’s worth, the two-step verification on USAA is incompatible with Personal Capital. I’ve worked with tech support and everything, and they just won’t play nice together. But the 2-step works just fine with PC for Vanguard and Ally. Totally with you on this — better to go through an extra step each time for the added security!

  6. John D says

    Re: SECURITY… Here is my experience with Yodlee/Personal Capital over the last 14 months. My greatest concern is their apparent failure to protect my login credentials. In short:

    > On 2016-12-12, I removed my credit union from the Personal Capital system because failed attempts by Personal Capital/Yodlee caused me to be locked out of my credit union account. Yes, 14 months ago in 2016.

    > On 2016-12-15, Yodlee kept trying to access my credit union, I contacted Personal Capital and the logon attempts ceased.

    > On 2018-02-15, FOURTEEN MONTHS after I deleted the account from Personal Capital, Yodlee again attempted to logon to my credit union. My credit union logs showed the attempt came from a Yodlee IP address.

    > On or about 2018-02-18, after nightmarish attempts to get through to Personal Capital or Yodlee personnel who gave a damn–without my request or permission–Personal Capital deleted my ability to logon to their system. The last communication from them was from James, Feb 16, 5:53 PM PST:

    “Hello John,
    We have double checked all our databases and did not find any trace of those accounts outside of logs showing the deletion of the accounts with xxxxx Credit Union and we are following up with our aggregation partner, Yodlee to obtain an explanation. ”

    That is it. I was hoping to get assurance that Yodlee has made sure my credentials and all my financial information was removed. It looks like that is not happening since they deleted my personal capital logon ability.

    User beware. This whole event calls into question the privacy of all of your financial information–any user IDs and passwords you may have shared with Personal Capital may not be protected.

    I have all the emails and screen shots for anyone who is interested.

As Seen In: