2-Factor Authentication

Many banks in Asia and large financial institutions in the US, like Charles Schwab, Fidelity Investments, E*Trade and others are now offering 2-factor authentication for their online services. These features require a user to use a USB token or receive an SMS message on their cellphone, in addition to entering their password. This requires users to both know something (password) and have something (registered cellphone or USB token), in order to gain access to their account. The benefit is that if your password is compromised, a physical item is still required for a thief to gain access to online banking. Implementing 2-factor authentication at BECU would greatly enhance member online security.
35 Comments
Community Manager

Thanks for adding your voice to this conversation @wakeroh and welcome to the MIX! We'll continue to update this thread when we have additional information. JohnS

Wanderer

I'll have to echo the comments about people concerned SMS may not be secure enough. Here are a few scenarios I can think of:

 

Example #1:

Phone gets stolen. Even if it is passcode locked, presumably someone could put the sim card in a new phone and get txt messages. This is why it is a good idea to call your carrier and disable the phone's SIM card as soon as possible after it gets stolen. 

 

Example #2:

Potential interception of the code by a 3rd party hacker in the middle exploiting some security vulnerability. E.g. "SS7" hacking.

 

Example #3:

Someone claiming to be you convinces your carrier to port your number over to an account they control (this would be a type of "social engineering" attack).

 

Unfortunately, protecting from hackers is not simple these days. Of course one would also need the username and password, in addition to the one-time SMS code, to do something bad. Two-factor auth methods like Google Authenticator, Authy, RSA and YubiKeys certainly seem to be better protected against the "man-in-the-middle" and "social engineering" attack vectors than SMS.

Community Manager

Good morning All! We just launched a new idea exchange and survey about this idea and we'd love to get your feedback on the survey when you have a few minutes. You can check it out here. Have a great day! JohnS

Adventurer

Hi John,

 

I just want to clarify about "Google Authenticator" as an option. Microsoft Authenticator is also a popular option among 2-Factor users, and I wanted to make sure that it would be supported as well (they work the same way so I would expect so) if BECU decides to support Google Authenticator (which they should).

Community Manager

Thanks for the call out @EpikYummeh!  We have that on our radar and will be sure to share your specific comment with our curious stakeholders. JohnS