by cashewchoo 2076 days ago
Interesting. You seem to have to contact customer support to get it enabled.

And to enter it, you ... append it to your password?

I'm personally going to hold off on giving them the greenlight here.


I was able to enable it myself through the web interface, no contacting customer support required.

>And to enter it, you ... append it to your password?

Are you implying this is wrong somehow? It's a fairly common way to do 2FA and there's nothing wrong with it. On the backend, all it's doing is taking the input, substringing the final 6 characters and using that as the code, and then using the remaining characters as the password input. It's essentially just a shortcut that allows you to log in with one click rather than having to enter your password, click submit, enter a code, then click submit again.

Per the FAQ, if you for some reason don't want to append it to your password, it'll send you to a normal "Enter your 2FA code" form like you're probably used to.

The main issue for me is that the 2FA is locked to using the Symantec VIP 2FA app, which is disappointing from a usability standpoint.

On its own, there's nothing inherently wrong with it, aside from it being a very awkward user experience.

But here's where it can go wrong, using ETrade as a specific example. ETrade appends the 2FA token to your password, but also enforces a password character limit. Yep, that means turning on 2FA reduces your password character limit. From what I hear, it has some surprising behavior if your password is already at the character limit and you turn on 2FA.

(Aside: ETrade has some very sketchy security practices, like apparently letting you use the 2FA token on its own to reset your password (according to a coworker), but that's another discussion.)
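An added example, not Schwab's or E*Trade's code, of the two things described above: the backend rule of treating the last 6 characters of the field as the code and the rest as the password, and the failure mode where a length limit applied to the combined field silently shortens the usable password once 2FA is on. The seed, password, salt and 16-character field limit are all constructed for the demo; the TOTP routine is the standard RFC 6238 HMAC-SHA1 profile, not a claim about what any particular token app computes.

```python
# Added example (not the code of any site discussed in the thread).
import base64
import hashlib
import hmac
import struct

CODE_LEN = 6
MAX_FIELD_LEN = 16               # constructed: the site's password field limit
SECRET_B32 = "JBSWY3DPEHPK3PXP"  # constructed demo seed (base32)
PASSWORD = "hunter2-is-weak"     # constructed: 15 chars, fits the limit on its own
SALT = b"demo-salt"              # constructed


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = CODE_LEN) -> str:
    """RFC 6238 TOTP with the RFC 4226 dynamic truncation, HMAC-SHA1."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_password(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)


STORED_HASH = hash_password(PASSWORD)


def split_combined(field: str):
    """The backend rule from the thread: last 6 characters are the code, the rest is the password."""
    if len(field) <= CODE_LEN:
        return field, None
    return field[:-CODE_LEN], field[-CODE_LEN:]


def verify(password: str, code, unix_time: int) -> bool:
    pw_ok = hmac.compare_digest(hash_password(password), STORED_HASH)
    code_ok = code is not None and hmac.compare_digest(
        code.encode(), totp(SECRET_B32, unix_time).encode()
    )
    return pw_ok and code_ok


def login_truncating(field: str, unix_time: int) -> bool:
    """Bad: the limit is enforced on the combined field, so the appended code
    pushes the tail of the password (and part of the code) past the cut."""
    field = field[:MAX_FIELD_LEN]
    password, code = split_combined(field)
    return verify(password, code, unix_time)


def login_split_first(field: str, unix_time: int) -> bool:
    """Better: split first, then enforce the limit on the password alone."""
    password, code = split_combined(field)
    if len(password) > MAX_FIELD_LEN:
        return False
    return verify(password, code, unix_time)


if __name__ == "__main__":
    now = 1_700_000_000  # fixed timestamp so the run is reproducible
    code = totp(SECRET_B32, now)
    combined = PASSWORD + code
    print("split-then-limit:", login_split_first(combined, now))   # True
    print("limit-then-split:", login_truncating(combined, now))    # False
```

With a 15-character password and a 16-character field limit, the password alone logs in, but password-plus-code is 21 characters: the truncating variant keeps only "hunter2-is-weak" plus the first digit and then splits that, so neither half matches. The effective password limit for 2FA users has become 10 characters without anyone being told.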

FWIW, World of Warcraft has had a sublime 2FA solution for like a decade at this point. So when Schwab has 1) weird UX around logging in and 2) you have to contact customer support to enable something that should be standard security functionality in 2020, then yeah, I'm going to hold off on endorsing their 2FA implementation.

FWIW I think 2) is the bigger sin here.

You can optionally input it at the end of your password. If you don't then they will prompt you for it. The option to append it to your password when logging in saves you from having to fill out two input boxes.

For me, it sends me to a secondary login page that asks specifically for the Symantec VIP or hardware token. If they are appending it to the end of my password, it's not evident to me.