Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The prohibition against using a VoIP number for banking purposes is stupid. They already have the full battery of KYC info on me: if I want to use a VoIP number for 2FA (because they are so behind the times they don't support FIDO or even TOTP) then unless law says they cannot they need to allow it.

And while on the topic of banks, most will suspend access to your online portal if you log in with a VPN. Give me a bank that allows VoIP phone numbers, VPN access, and TOTP and/or FIDO support for 2FA and I'll ditch Schwab right now.



Both Fidelity and Schwab allow non-SMS 2FA.

They both use Symantec VIP but it’s fairly easy (for developers at least) to export those tokens and import them into something like Authy, Google Authenticator etc.

https://ketanvijayvargiya.com/257-symantec-vip-authy/


My bank used to allow email 2fa or SMS, but they recently dropped support for email. I don’t love using email for 2fa but since my email is itself protected with non-SMS 2fa I thought it was the best of the two bad options. Now I’m sad. Ideally my bank would support the FIDO standard and I would use a compatible hardware token.


In the case of Schwab it's only with their app. If I wanted a geolocation leash up my ass I wouldn't be complaining about this: if they don't trust me as a customer then screw them, I'll find a bank who does. Schwab's notion of non-SMS 2FA is their app. I want to use my laptop on a VPN using a FIDO key or TOTP and Schwab doesn't support this.


Do you happen to know if they allow you to also totally disable SMS 2FA?

I know that Vanguard, for instance, supports non-SMS 2FA but doesn't let you disable SMS as a fallback (and I'd rather not just totally remove all phone numbers, but maybe I have to...).


I believe you can remove SMS fallback now on Vanguard.


Neat, thank you! I'll give it a try.


Yeah, in Fidelity SMS 2FA is disabled for me. Fall back is to call them to get into my account. Don’t know about Schwab.


I had their non-SMS Symantec 2FA set up a couple years back, but turned it off cause I couldn't figure out how to disable the SMS fallback. Every time I got a new device and wanted to set up the Symantec TOTP generator they would just send me a SMS for validation. So I just told them to turn off the Symantec part.

Maybe they've changed their policy since then. But when you call to get set up on a new device, how do they verify your identity now if you don't have SMS fallback?


Chase won't let you use voip for 2fa. Ameritrade works.


I have Ally and Chime and I’m extremely disappointed neither accepts a Yubikey or something. Older banks like Schwab or US Bank I could see being behind the times, but I’d expect fintech or something more modern to be more sensible.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: