Note that Vanguard requires you to enable SMS two-factor authentication first. Security is only as strong as the weakest link - even if you use U2F for the security challenges, an attacker can still hijack your phone number and use that to answer the challenge.
It's still a good sign, but not good enough IMO. Unfortunately other places aren't any better.
In theory, if you're worried about SIM hijacking, you could use something like Skype SMS, and secure your access to Skype by 2FA on the associated Live account.
Perhaps there are services to choose from as well, but, I'd take great care in determining trust here.
It's still a good sign, but not good enough IMO. Unfortunately other places aren't any better.