US Banking institutions offering security options

Unfortunately, a cash-only and Monero only lifestyle is not possible for me. sounds interesting but is not yet a full suite of financial products. Even still, my 401k provider is outside of my control.

I have recently become interested in further securing my banking presence in spite of current limitations.

Some examples I have found:

  • Fidelity has added support for 2FA TOTP - although it annoyingly needs to be converted from a symantec code to a standard code.

  • Fidelity has added “lockdown mode” - although it’s seemingly simple to disable so I’m not sure what its usefulness is just yet

  • Bank of America has a 2FA TOTP option, but it is not used in certain circumstances, such as the mobile app. Limiting the usefulness of the feature.

  • Apple is claiming some sort of privacy opt-out with the credit card - “You can opt out of this use or your Apple relationship information by emailing our privacy team at with the subject line “Apple Relationship Data and Apple Card.””
    ** I’m not clear on what specifically is being opted out of

Are you aware of any banking institutions who are advertising any security or privacy options? What features are you taking of to secure your accounts?

I enable 2FAs on all accounts that have them. SMS 2FA with no recovery code is a bit trickier because I need another phone for backup. E*Trade advertises “2FA security”, which amounts to forced phone 2FA or optional Symantec VIP app.

Sideline Discussion:

I have thought that Symantec has an interesting way to make a living in the TOTP wrapper app scheme they have with the service providers, especially the financial companies. The properties you can see/infer are:

  1. Their app is not protected beyond the phone PIN, making it less safe
  2. A single VIP setup can be used for multiple accounts, giving each account the same VIP ID. If somebody can grab your phone and your PIN, they still don’t directly know what accounts you use it for, but you probably would have to change the 2FA credentials on all the accounts that use the single VIP ID.
  3. Unless the service provider gives alternate/additional 2FAs, this scheme is only suitable if you can recover the account without the 2FA.
  4. If a service provider has a data breach, since the provider doesn’t keep the TOTP secrets, the hackers won’t have the user’s entire login credentials, regardless of how lousy the provider keeps password hashes/plaintexts.
  5. If there is a Symantec breach, even if the hackers have the TOTP secrets, they theoretically don’t know which accounts/persons/service providers use the secrets.
  6. For an unrooted phone, theoretically, there can’t be a TOTP secret breach from the VIP app.
  7. If a person uses the loophole that Symantec still has, e.g. the link you provided, the TOTP secret may be breachable from the app or from the kept extra copies.

So from the safety point of view, I can see why the banks like Symantec setup. More or less, your login credentials cannot be entirely breached from a “single-point” failure, even in a service provider’s data breach. If you are a techie and like to keep things neat, it’s inconvenient, but maybe for a typical consumer with multiple phones, it’s an option as secure as using dedicated token generators.


Last year I hardened my online security profile and discovered 4 patterns in regards to implementations of OTP via SMS text with #3 being the best.
1.Only SIM-based SMS is supported such as by banks and CU’s.
2.The primary authentication method is better than SMS but SMS is the only backup option.
3.SMS texting isn’t offered or can be disabled and replaced with better alternatives for both primary and backup options.
4.SMS texting is explicitly disabled but only if “optional MFA” is enabled but then only a single better option such as one Yubikey is available and no other backup option is offered.