Wallet Hacks

You should have two-factor authentication on every financial account

My friend Larry shared a harrowing story with me recently. Someone managed to get access to his Fidelity account and was trying to transfer out his funds!

This wasn't someone getting his credit card and buying something. You're protected in that kind of situation and you're not liable for more than $50 on unauthorized charges (most credit cards won't make you liable for anything). This was his investment account. His retirement account. His savings account. Yikes.

This was a big and scary deal. Fortunately, financial institutions see fishy behavior all the time. The security team at Fidelity saw the suspicious activity, stopped it, and was able to reach him to clear things up. A scary few moments for Larry but this is very important for the rest of us.

Turn on two-factor authentication on your financial accounts.

(In a previous version of this article, I confused the terms authentication and authorization. I meant to use authentication.)

What is two-factor authentication?

Two-factor authentication, often shortened to 2FA or TFA, is when you're required to provide another layer of authentication in addition to your password. There are three main categories of authentication – something you know, something you have, and something you are.

If you use Gmail, chances are you are familiar with how it works. When you try to log into your email, do you ever see the screen to the right? That's two-factor authentication. They are confirming it's really you trying to access your account. That's 2FA.

At an ATM machine, your ATM card is something you have and your PIN is something you know. Adding a retina scan or fingerprint would be something you are. The “something you are” part, biometrics, is often left out because you can't change it easily if you have to. If the bank stores it and that information is stolen, you can't change something about you as easily as a password or an ATM card. 🙂

Why is this important? One-factor authentication is less secure than two-factor authentication because … well, two is more than one. 🙂

If you rely only on a username and password, you open yourself up to a lot of risk because that's all someone needs to get access to your account and wreak havoc on your finances. With two-factor authentication, in its most common form, you would get a text message with a PIN. When you log in, you have to provide that extra PIN to get access. It's a minor inconvenience for you, it's a major inconvenience for someone looking to break into your account. They would need your phone too.

Is 2FA perfect? No – it's still possible to break into your account but it's made a little bit harder. A little bit harder means thieves might move on to the next account.

Check here to see if your financial institution offers it. Many will offer 2FA with a text message, phone call, or email. If your financial institution offers it, I recommend doing it.

I went through this process the other day with Vanguard and the basic flow will be similar.

Setting up Two-Factor Auth on Vanguard

After checking twofactorauth.org and learning Vanguard offered 2FA, I went to set it up. Very easy.

To do it, log into your account and click on the My Accounts drop down in the top menu.

Then click on Security Code in the Security Profile section in the lower right.

You'll be prompted with a sign up page followed by a Security Code Service Terms and Conditions page.

Next, you select your Phone Number and Contact Method (I chose Text).

You'll get a text with the six digit number and ten minutes to enter it before it expires.

Finally, set the rules for when to use 2FA – your choices are only on new computers or all the time.

I chose only when Vanguard doesn't recognize my computer or device.
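
What the service has to do on its side of the text-message step can be sketched as follows. This is an added example, not Vanguard's code or anything from the original article: the function names, the attempt limit of five and the trusted-device set are assumptions, while the six digits, the ten-minute expiry and the two policy choices come from the steps above.

```python
import hmac
import secrets
from dataclasses import dataclass

CODE_TTL_SECONDS = 10 * 60   # from the page: ten minutes to enter the code
MAX_ATTEMPTS = 5             # assumption: the page gives no attempt limit


@dataclass
class Challenge:
    code: str
    expires_at: float
    attempts: int = 0
    used: bool = False


def issue_challenge(now: float) -> Challenge:
    """Create a six-digit code from a CSPRNG, valid for ten minutes."""
    code = f"{secrets.randbelow(10**6):06d}"  # zero-padded, keeps leading zeros
    return Challenge(code=code, expires_at=now + CODE_TTL_SECONDS)


def verify(ch: Challenge, submitted: str, now: float) -> str:
    """Return 'ok', 'used', 'expired', 'locked' or 'wrong'."""
    if ch.used:
        return "used"            # single use: a replayed code is rejected
    if now >= ch.expires_at:
        return "expired"
    if ch.attempts >= MAX_ATTEMPTS:
        return "locked"          # caps guessing across the 1,000,000 codes
    ch.attempts += 1
    # Constant-time comparison avoids leaking how many digits matched.
    if hmac.compare_digest(ch.code.encode(), submitted.encode()):
        ch.used = True
        return "ok"
    return "wrong"


def needs_second_factor(policy: str, device_id: str, trusted: set) -> bool:
    """policy is 'always' or 'new_device_only', the two choices on the page."""
    if policy == "always":
        return True
    if policy == "new_device_only":
        return device_id not in trusted
    raise ValueError(f"unknown policy: {policy}")
```

The expiry, single-use flag and attempt cap are what keep a short numeric code from being guessed or replayed; without them six digits alone offer little protection.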

There's a big NOTE on there that will have an impact on us – this added security breaks financial aggregators like Mint and Yodlee and I assumed it would break Personal Capital. I just logged in and unless I'm mistaken, Personal Capital was still able to update as normal. Even if it didn't, it would have been unfortunate but security trumps convenience.

This isn't a perfect solution, there never will be, but it'll be one more layer of security. If nothing else, it's an early warning system too since you'll start getting text messages for login attempts you didn't make!