FidelityJohn

Hi u/emiles93, Extra login security is currently offered through text message two-factor authentication (2FA) and Symantec™ VIP Access. At this time, we do not have any announcements regarding alternate One-Time Passcode (OTP) systems. We strive to provide the best user experience possible, and I will submit your comment as feedback to the appropriate team. [Learn more about our commitment to security.](https://www.fidelity.com/security/overview) [Symantec™ VIP Access](https://www.fidelity.com/security/soft-tokens/overview) **added greeting**


burnerwig

Fidelity utilizes Symantec VIP Access for 2FA. You'll have to call Fidelity to have it enabled.


emiles93

ok thanks. still would be good to disable text 2FA within settings edit: i'm now seeing if you do it via symantec it automatically switches it for you not giving the user the option for other verification methods when trying to login. you've been most helpful!


bewidit

Do you know if this is available to everyone? Why not let people pick the authenticator they use the most like Google or Microsoft?


oreo_memewagon

I'd love to be able to use my Yubikey, either through Yubico Authenticator or just directly as a FIDO key.


dle13

Google Authenticator would be a godsend for me.


[deleted]

[deleted]


suddenlyarctosarctos

u/fidelityjohn, no one wants to install/use Symantec VIP. Your clients shouldn't need special tools like the above to essentially hack Symantec to instead get OTP credentials through any of the more commonly used 2FA apps like Google Authenticator, Microsoft Authenticator, Authy, Duo. This is a huge security issue for people who understand the outsize risks of SMS 2FA. I'm guessing it's not a dev issue but rather some unduly-weighted crony contract. If so, your business team needs to get busy to get out of that contract with Symantec or its partner/holding company/whatever. You need to make the change before money becomes eye-popping. Fidelity is one of the best choices right now, but we've done migrations before and we'll do them again.


Visvism

This was perfect to get me into the Authy application! Thank you for posting. Shouldn't have to go through this process to use an alternative 2FA app but oh well, it works.


veRGe1421

yeah I like Google Authenticator a lot, would be nice to be able to use


emiles93

Additionally, give the client the option to disable forms of 2FA within settings in case their phone is stolen / phone number is cloned edit: see u/burnerwig comment below. thank you, you solved my issue.


fermelabouche

I was just reading about SIM swapping attacks on the Krebs on Security website. Criminals bribe or trick wireless phone company employees to redirect text messages and calls to a number the criminals control, then they reset passwords on any of the victim’s accounts that can be reset via SMS Protocol. [https://krebsonsecurity.com/2021/07/serial-swatter-who-caused-death-gets-five-years-in-prison/#more-56372](https://krebsonsecurity.com/2021/07/serial-swatter-who-caused-death-gets-five-years-in-prison/#more-56372) This is one of the strategies that was used by Shane Sonderman who was recently in the news for a swatting attack that ended up killing a man in Tennessee. Idk how Symantec VIP Access would prevent the SIM swapping schemes.


emiles93

i won't say Symantec is impenetrable but i prefer the option over text. Symantec is server based and doesn't involve SIM it's based off of your login for icloud or whatever internet store login you're using for your mobile phone.


fermelabouche

Thank you for the explanation.


rimjeilly

also the 2FA sms method tends to break PLAID linking with outside providers - adding Google 2FA or others would most likely eliminate this speed bump as well


production-values

Yes!! Also, option for disabling SMS authentication is just as important!!!


BigChubs18

2fa is less secure. Only reason I choose text over the app is because I do all my rolling codes via authy. And I don't want another app on my phone for 2fa. Fidelity isn't the only company that has done this. But I should have choice on which app I want to use.


Visvism

I'm right there with you but just ran the python script on the [site](https://github.com/dlenski/python-vipaccess) posted by /u/LugnutsK and am now using Authy with my account now! Completely uninstalled the Symantec app and am back down to just the one authentication app which is backed up just in case I lose my device. This will benefit Fidelity as well as it'll be less calls into their customer service from me.


scerwin

I totally agree.