Passwords - The First Line of Defense
Good account security starts with a strong, complex password for each of your online accounts. However, it takes much more than a good password to protect yourself from security threats. Two-factor authentication (2FA), also known as multi-factor authentication (MFA), can enhance the security of your account.
Why Passwords Alone Aren’t Enough
While passwords offer some protection against risk, they can still leave your account vulnerable to theft. Even if a password is complex, reusing it on multiple websites means a data breach at one of them could lead to your data being stolen across multiple accounts.
However, password reuse is not the only downside of single-factor authentication. There are other methods that attackers use to steal passwords, including:
- Phishing involves fraudulently asking the victim for sensitive information via email, SMS, or a phone call.
- Keylogging involves secretly recording the keys struck on a keyboard.
- Pharming involves installing malicious code onto a device that redirects users to a fraudulent website where they enter sensitive information.
How Does 2FA Keep Your Account Secure?
While no recordkeeper or other service provider can thoroughly protect the security of any online account, we have implemented mandatory 2FA on all accounts to help prevent unauthorized individuals from accessing your Vestwell account. We leverage 2FA so that we can pair something you know (like your password) with something you have (like a code from an authentication application or a text/call on your phone).
By adding a second factor to your account authentication flow, even if your account password is compromised, your Vestwell account can still be protected. Even targeted attacks are more difficult because the attacker would be required to access two different forms of authentication.
Phone-Based 2FA
Phone-based 2FA is among the most widely used types of 2FA today. It works by sending a one-time code to your mobile phone via text message, or providing a one-time code via phone call, which you then enter to access your account. A Google study showed that phone-based authentication "can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks."
You should understand that there are limitations with phone-based 2FA, which include:
- It requires cell phone service to receive your one-time password
- It is tied to a specific phone number
- The one-time passwords (OTPs) don’t expire for several minutes, which gives attackers time to conduct a cyberattack
- Phone-based authentication is not always end-to-end encrypted, so an attacker could potentially intercept the OTP during transport on a telephony network
Time-Based One-Time Password (TOTP) 2FA
TOTP 2FA uses an authenticator app on your smartphone (such as Google Authenticator or Microsoft Authenticator) to generate a one-time code that changes every 30 seconds, which leaves a potential attacker little time to conduct a cyberattack. To access your account, you need to enter the current code displayed on the app.
TOTP 2FA is considered to be more secure than phone-based 2FA because it is less susceptible to interception and spoofing. Additionally, TOTP 2FA does not rely on a phone number, so it can be used with any device that has the app installed. TOTP also doesn’t require personally identifiable information to be shared during setup, doesn’t require a network connection to generate codes, has stronger proof of possession (since it can’t be accessed from multiple devices concurrently), and generally authenticates an account faster than a text message or phone call. We encourage you to set up both TOTP and phone-based 2FA so that if one method fails, you can still use your backup option to access your account.
Now that you know the many benefits of 2FA, make sure to log in to your Vestwell account and set up 2FA today! To learn how to set up 2FA, see our article "Two-Factor Authentication on Your Advisor Portal."
As a reminder of our terms of use, even with any type of 2FA, you are always responsible for protecting your account credentials. You should always review your transaction log and statements for any suspicious activity and report any concerns to us immediately. These are good precautions to take for your Vestwell account and all of your other accounts.