SGT Lefty
Occasional Contributor

Since I couldn't find a place to submit a feature request, I'll post it here. 


As a user, I would like the option to add 2 factor authentication to my usaa.com account.


SGT Lefty,



Thank you for your feedback. USAA does offer two factor authentication, which you can learn about here:


Security Center (general security information)

Enhanced Logon Options (2FA options and Q&A’s included here)


Thanks again for commenting!

I would like to submit Authy as a 2FA application, which is much more secure than Symantec's clunky and privacy-invasive application. Can you add that as well?



Another vote for Authy/Google Authenticator support. Since PayPal and eBay have abandoned VIP Access, nothing else I use needs it. Authy is nice because you don't have to set everything up again every time you get a new phone.

I'd also really like support for other time-based one-time password (TOTP) applications besides VeriSign. I use 1Password, but any service like Authy or Google Authenticator are essentially the same. I have all my other TOTP tokens stored in 1Password — USAA is the only site I frequent that requires the use of VeriSign.


Today, I disabled 2FA on USAA because it's very inconvenient to use this one other 2FA app just for this one site. Also, I am unable to connect my budgeting app, YNAB, to USAA when 2FA is enabled (this was brought up in another post in the forum). Again, every other site I use with 2FA, e.g., Twitter, GitHub, Dropbox, AWS (which many banks run on), etc., supports TOTP via third party apps. USAA is the only one that does not.


Based on some cursory research, USAA appears to still be ahead of other banks that only offer SMS-based 2FA, which is actually worse than no 2FA and really should not be offered as an option. So while USAA is leading the pack, I'd love it if you pulled even further ahead and were the first bank to support third party TOTP apps.

For the technically-inclined: One can generate a Symantec VIP Access token using Dan Lenski's fork of cyrozap's python-vipaccess, a free and open source software implementation of Symantec's VIP Access client. The credential type needed for USAA is "VIP Access Mobile (no TrustZone)," for which the applicable prefix is "SYMC." I am using a token generated via this method with Duo Mobile on Android to authenticate to USAA's site. Duo Mobile holds tokens for a variety of uses, and I no longer need the VIP Access application.



Any chance that you could provide a sample of the command that you used to generate a VIP access token using Dan Lenski's fork of python-vipaccess?

Verisign (the app that is suggested by USAA) no longer functions.

The recommended app is VIP Access from Symantec. It works fine.

USAA does offer 2-factor in the form of CyberCode Token and CyberCode Text. To order a physical CyberCode Token, you must call. To learn more, visit the Security Center.