USAA limits passwords to 12 characters. That means they're doing something wrong for password storage.
Although they offer 2-factor auth, only the SMS option is any good. If you choose Symantec VIP, your login consists of the VIP token and your 4 digit pin, rather than the VIP token and your password. A 4 digit pin does not provide much more security than the VIP token alone. I don't understand why they buddied up with Symantec rather than implementing OATH.
I know they're a good bank, but I can't get past those technical issues.
- Customer Service tab.
- "Visit the Security Center" in the left column under Security Features
- "View your SafePass settings" under the Online Banking menu when you expand it.
- I assume at that point there's an "Add SafePassDevice" option. I already have my phone added. I remember when I added it there was a snafu and I had to call the BOA fraud hotline to get it added, but they did add it.
- Once you have a SafePass device (sms-capable mobile), under Current SafePass settings, "change these settings" and set it to require SafePass to log in to online banking.
I don't like SMS 2-factor. People need to stop pretending that mobile networks are secure. I want something that runs autonomously on my phone (OATH, e.g. Google Authenticator), or a separate HW token for higher security. However, the choice between no 2-factor and SMS 2-factor is a no-brainer if you have an SMS allowance on your plan.
Although they offer 2-factor auth, only the SMS option is any good. If you choose Symantec VIP, your login consists of the VIP token and your 4 digit pin, rather than the VIP token and your password. A 4 digit pin does not provide much more security than the VIP token alone. I don't understand why they buddied up with Symantec rather than implementing OATH.
I know they're a good bank, but I can't get past those technical issues.