These instructions have been broken out from the parent post on Securing Your Financial Accounts in the interest of keeping the top-level content free of absurd levels of detail.
- Purchase key. I bought this one off Amazon. There are other options available — feel free to do your own research and find a model and vendor that works for you.
- Plug key into PC
- Check your OS device lists to make sure you see the hardware show up. In Windows 10, you can type “settings” into the search field in the lower left of your screen. After clicking on the settings icon, you’ll see a list of choices. Click on “Devices.” On the following page you’ll see a list of stuff connected to your PC. You should see an entry for your key — mine shows up as Security Key by Yubico. You could in theory skip this step, but I like to be sure that things are looking OK on the hardware/OS side of things. And I’m sorry, I’m not sure how to perform the analogous steps on iOS (AKA Mac OS). Luckily, this step (hardware validation) is optional.
It just kinda shows up in Windows 10 after you plug it in.
- Log into Vanguard and go to Account Maintenance.
- On the next screen, head down to the Security Profile heading and click on Security Code. Here you’ll make sure the phone number on file is accurate, as you’ll need a “code” in order to set up your Security Key. Once you’re done, move on.
Also make sure Status = Enrolled., and frequency is set to Every time I log on. You, unlike me, will probably leave your Primary Phone Number settings on SMS rather than Automated Call, though.
- Go back to Account Maintenance, again find the Security Profile heading, but this time click on Security Key. If you didn’t set frequency to Every Time I log on in the previous step, you may see the following:
- At this point you’ll either get an SMS message on your phone, or a voice call from Vanguard, depending on the settings in your security profile page. Either way, you’ll have a security code – you should enter it.
- You should now see a long information sheet. Read it, accept terms, and accept it — select continue.
- Give a name to your key. It can be anything and you don’t have to memorize it. It’s just an identifier, don’t overthink it.
- Follow onscreen instructions — insert your key into a USB port on your machine. The key button will flash. Tap it and you will see a confirmation that Vanguard has registered your device. You’ll then be forwarded to the next page.
You’re done! At this point you can test logging into Vanguard with your key by logging out and logging back in. You’ll still need to enter your username/password, of course, but afterwards you will be prompted to enter your hardware key and again tap on the blinking key light. Once you tap on it, you’ll be automatically forwarded to your account information.
Get used to it — this is, moving forward, the method you will use to access your account information.
Note that you can register multiple keys and they’ll all work. Vanguard recommends you register two, so if one goes missing you can plug the other one in.
And of course, if any of your keys is lost or stolen, you’re advised to immediately remove your key from your Vanguard Security Profile by visiting the security key maintenance page and deleting it. This can be done with a few simple clicks.
But wait! Maybe using a hardware key with Vanguard is not perfectly secure?
There’s another odd wrinkle to this which is that Vanguard will not, as of this writing (Jan 16, 2018), allow you to entirely disable an alternate 2-factor method.
In the interest of clarity, I will tediously spell out what I mean here: If you don’t have your hardware key available (for whatever reason), you are, on Vanguard’s login page, presented with an option to complete two-factor authentication via “security code” which is likely set to SMS in your security profile, meaning a code contained within a text will be sent to your phone.
If you’ve been following along, you’ll immediately spot the problem. Wait, isn’t setting up a physical key supposed to solve the vulnerability of someone imitating (spoofing) my phone and getting my security codes or otherwise exploiting SMS weaknesses? Since SMS is still a backup option, how, then, is using a hardware key any more secure than using SMS?
Yep. All great questions and valid concerns. Read on.
- Perhaps the best way to solve this problem is to change the phone number on file with your mutual fund provider to one which can’t accept texts. Vanguard will still allow you to use this number as your 2nd authentication check, but since it’s not SMS-capable, you will instead listen to a robo-voice provide your code. I still have a land line (it’s an extra ten bucks a month on top of my ISP service, no biggie, expense-wise) so I switched the number on file with Vanguard over to this.
- You could also consider getting a Google Voice number just for this purpose. (Google Voice numbers are free.) Obviously if you continue to use SMS with your google voice account, you will still be vulnerable to the standard SMS weak-points — you could instead set your google voice account to “automated call” in the Vanguard profile settings and listen to the incoming call from Vanguard using your device’s speakers. Conveniently, you can secure your google account itself with the very same Yubico key that you use for Vanguard. I believe this approach is more secure than continuing to use your cell phone+SMS to complete your two-factor account logon.
- Even if you don’t or can’t switch your phone number away from your cell, the default login will still be key-based. This is still a win (albeit a marginal one) as your regular logins will be more secure and an attacker may not even notice there’s an option to change the 2nd auth method to voice or sms codes.
- You might also consider calling Vanguard and asking if they’re ever going to change the policy of allowing a backup 2-factor method via codes. Maybe they’ll update it at some point. I went to the trouble of emailing Vanguard to ask if they would consider changes in this area and their answer was, paraphrased, no, not in the near future. This is kind of a disappointment, but also understandable, given the probable increase in support calls from folks who have lost their keys but still need to log into their investment accounts.
Living a FI 