TreasuryDirect.gov is the official US Treasury website that allows individuals to directly buy securities online, including savings bonds and Treasury bonds. The problem is that they don’t want to take any responsibility for unauthorized access to your account, including reported fraud and theft, which actually makes them less consumer-friendly than even those evil megabanks. In the past, they figured the problem would be best solved with a series of clunky security measures.
I’m not sure why, but they have now streamlined the login process to be more similar to banking industry standards. On November 6th, they sent out the following e-mail to account holders:
> TreasuryDirect has completed its security upgrades. Now, it is not necessary to use an access card to log into your account. When you log into your account, you will receive an e-mail containing a one-time passcode and the opportunity to register your computer. Also, for your added security, you will select a personalized image and verify your contact information.
The website was subsequently slammed and completely unusable all day. Always fun to spend the day wondering if your money is still there. 🙂 Today, I was able to log into my account and check out the new process. As mentioned in the e-mail, here are the new layers of security:
- You must enter your account number, no usernames. So it’s still W-123-456-789, instead of something you would use across multiple websites like “johndoe90210”.
- If your computer is not recognized, a one-time passcode is sent to the e-mail address on file, valid for only 2 hours. You must enter this passcode to go further, and you can set a cookie to remember your computer and skip this step in the future. For some reason, the cookie didn’t work for me; I always have to go the passcode route.
- You must set a personalized image and caption text. This is standard procedure amongst banks now to prove that you are on the valid TreasuryDirect site and not a fake spoofing website.
I see this as an improvement in accessibility, although probably a slight decrease in security. I’m okay with it; I can finally shred my secret decoder ring access card!
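To make the passcode and remembered-computer steps listed above concrete, here is an added sketch (not TreasuryDirect's code, and not from the original post) of how a site could enforce a single-use e-mail passcode with a 2-hour lifetime and a tamper-evident device cookie. The class name, the 8-digit code length, the cookie layout and `SERVER_KEY` are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 2 * 60 * 60         # the post says the passcode is valid for 2 hours
SERVER_KEY = secrets.token_bytes(32)  # assumption: server-side secret for device cookies


def _tag(account, device_id):
    """HMAC binding a device id to one account, so a cookie cannot be reused elsewhere."""
    msg = f"{account}|{device_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


class LoginStepUp:
    """Hypothetical e-mail passcode plus 'remember this computer' check."""

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be tested
        self._pending = {}   # account -> (sha256 of passcode, expiry timestamp)

    def issue_passcode(self, account):
        code = f"{secrets.randbelow(10**8):08d}"  # CSPRNG, not random.randint
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[account] = (digest, self._now() + OTP_TTL_SECONDS)
        return code  # would be e-mailed to the address on file, never shown in the page

    def verify_passcode(self, account, code):
        # pop() makes the code single use: one attempt, right or wrong, consumes it
        entry = self._pending.pop(account, None)
        if entry is None:
            return False
        digest, expiry = entry
        if self._now() > expiry:
            return False
        candidate = hashlib.sha256(str(code).encode()).digest()
        return hmac.compare_digest(digest, candidate)  # constant-time comparison

    def device_cookie(self, account):
        device_id = secrets.token_hex(16)
        return f"{device_id}.{_tag(account, device_id)}"

    def device_recognized(self, account, cookie):
        device_id, _, tag = (cookie or "").partition(".")
        return hmac.compare_digest(tag.encode(), _tag(account, device_id).encode())
```

A login handler would call `device_recognized` first and fall back to `issue_passcode` and `verify_passcode` only when the cookie is missing or fails the check.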