OptionsHouse offers two-factor authentication with a Google Authenticator-compatible app and an additional PIN for making security-related account changes. This seems to be pretty good security, but if you have multiple accounts, you have to enable the security PIN separately for each account. If you don't, you can get to your two-factor authentication settings from the account(s) without a security PIN, even though the two-factor authentication settings are global.
There are two things I did to increase the security of my Charles Schwab account despite the 6–8 character password restrictions:
- Changed my username for secrecy
- Added an Authenticator Token
With the 8 character password limit, I set a 20 character random username. While many security researchers recommend a random username, I generally rely solely on strong passwords. In this case, going from 8 to 28 characters that an attacker needs to guess is a very good improvement.
If you call Schwab, you can also request a physical authenticator token. It is a physical Symantec VIP token, so it's an extra device to carry. It was easy enough to set up, and Schwab allows you to sign in two different ways with it. You can concatenate <password><authenticator code> in the password field, or you can follow the standard flow of entering your username and password before being prompted for the authenticator code. The concatenated option is nice because it enables the authenticator to work with financial management software that only supports username and password fields.
I verified that the authenticator works with the Schwab website, Schwab iOS app, and Mint.com.
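To make the concatenated login form concrete, here is an added example of how a server can accept <password><authenticator code> in a single field. This is illustrative code written for this post, not Schwab's or Symantec's implementation, and it assumes a standard RFC 6238 TOTP token (HMAC-SHA1, 6 digits, 30 second step) and PBKDF2 password storage; the seed, username and password are constructed test values. The split works because the code is a fixed-width run of trailing digits, so a password that itself ends in digits is still unambiguous. Both factors are always checked before anything is returned, comparisons are constant-time, and a code is accepted for one time step either side of the current one but never twice.

```python
import hashlib
import hmac
import os
import struct
import time

OTP_DIGITS = 6      # assumption: 6-digit codes
TOTP_STEP = 30      # assumption: 30-second time step
PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = TOTP_STEP, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def split_concatenated(field: str, digits: int = OTP_DIGITS):
    """Split a combined <password><code> field the way a server would: the code is
    the trailing fixed-width digit run, the password is everything before it.
    Returns (password, code), or None if the field cannot be a valid combination."""
    if len(field) <= digits:
        return None
    password, code = field[:-digits], field[-digits:]
    if not code.isdigit():
        return None
    return password, code


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salted PBKDF2 hash of the password plus the token seed."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
        "last_counter": -1,  # highest time step already used, to reject replayed codes
    }


def verify_login(user: dict, field: str, at=None, window: int = 1) -> bool:
    """Authenticate a concatenated password field. Both factors are evaluated
    (no early return on a bad password), compared in constant time, and a code
    is accepted for the current step or `window` steps either side, once only."""
    if at is None:
        at = int(time.time())
    parts = split_concatenated(field)
    if parts is None:
        return False
    password, code = parts

    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(candidate, user["pw_hash"])

    counter = at // TOTP_STEP
    matched = None
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(user["totp_secret"], c), code):
            matched = c

    if not (pw_ok and matched is not None):
        return False
    if matched <= user["last_counter"]:
        return False  # code already used (or older than one already accepted)
    user["last_counter"] = matched
    return True


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test seed, not a real token.
    seed = b"12345678901234567890"
    user = make_user("correct horse", seed)
    now = int(time.time())
    combined = "correct horse" + totp(seed, now)
    print("first login:", verify_login(user, combined, at=now))    # accepted
    print("replayed:   ", verify_login(user, combined, at=now))    # rejected, same code reused
```

The replay check matters for the concatenated form in particular: software that stores the "password" and retries it on a schedule will resubmit the same code over and over, and each of those attempts should fail rather than silently succeed or, depending on the site's lockout policy, count against the account.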
Edit: May 14, 2014
If you have any programs or services that periodically log in to update, you should disable them when adding the authenticator. I think failed login attempts from one of these programs caused Schwab to lock my account.