That big financial site would be Vanguard, which only allows YubiKeys for U2F. Blogger is/was a Googler, right? I heard they use them for their retirement accounts.
Vanguard has recently moved to require[0] some form of 2FA for online account access, probably in an attempt to either improve security (optimistic) or shift liability for phishing to consumers (cynical). They do this by forcing[0] you to sign up for SMS 2FA initially, which, as informed readers should know, is total crap for 2FA and frequently hijacked by bad actors. I'm not a fan of this policy.
[0]:
> When it comes to account security, everyone has a role to play. So we're now requiring you to sign up to receive security codes. These codes provide a type of 2-step verification that adds an extra level of security to your accounts.
You can avoid signing up for 2FA after login by clicking "Get started," then "Cancel" without marking that you agree to the terms, and then manually navigating to your desired URL, e.g., https://personal.vanguard.com/us/myaccounts/balancesholdings .
As a 2nd or 3rd factor SMS is usually fine. Hijacking a text message is still an "extra hurdle" that improves security over just a password. The problem comes when a site allows account resets over SMS because then they've just traded one single factor (a password) for another weaker one (SMS).
> As a 2nd or 3rd factor SMS is usually fine. Hijacking a text message is still an "extra hurdle" that improves security over just a password
Perhaps, but often 2FA is leaned on to reduce the significance of the primary factor or shift liability.
> The problem comes when a site allows account resets over SMS because then they've just traded one single factor (a password) for another weaker one (SMS).
Yeah, exactly — that would be one way some "2FA" systems weaken the primary factor.