2-Factor Authentication

Many banks in Asia and large financial institutions in the US, like Charles Schwab, Fidelity Investments, E*Trade and others are now offering 2-factor authentication for their online services. These features require a user to use a USB token or receive an SMS message on their cellphone, in addition to entering their password. This requires users to both know something (password) and have something (registered cellphone or usb token), in order to gain access to their account. The benefit is that if your password is compromised, a physical item is still required for a theif to gain access to online banking. Implementing 2-factor authentication at BECU would greatly enhance member online security.
35 Comments
BECU Employee

@aweb- Thanks for your support of this idea! I heard back from our digital experts and we're currently still researching our security options for the mobile app. As always, we're working to determine the best way to balance added security and access. We'll be sure to share updates here. Cheers, KristinA 

Sightseer

Adding two factor authentication support needs to be better than SMS. The Federal goverment deemed SMS unsafe as a two factor solution last year based on all of the vulnerabilites with the technology. There's a number of articles written about it. You're cell phone is a computer and it's always on. That makes those SMS codes vulnerable to attacks and being stolen.  Yes, it's better than nothing, but it's defintely not ideal. Other solutions, like a hardware token, should at least be given as an option. Something that's not cell phone and/or password centric.

BECU Employee

@DannyL- Thanks for joining the discussion and sharing additional information! Cheers, KristinA 

Tourist

I agree, but I believe some of your older members may not be quite electronically savvy enough for Two Factor Authenification. Perhaps providing a choice of using it or not?

Adventurer

The security landscape keeps evolving and SMS, as a 2-factor security feature, is nolonger enough.

Hackers can use SS7 to intercept SMS messages and access one-time pins.  I hope BECU will look into implementing other 2-factor mechanisms.

Perhaps Google Authenticator, U2F or RSA tokens..  https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/  

Adventurer

Ironically, older folks are the most at risk of having their accounts compromised... @Searock

BECU Employee

@Gpickford- Thanks for checking back in, we're continuing to explore the evolving landscape and I'll most certainly be sharing your feedback and article with the right people. Google Authenticator keeps bubbling up so I know we're paying attention. Cheers, KristinA 

Sightseer

Just signed up for 2FA via my empolyment at the UofW using DuoMobile app on my phone - i am not especially tech savvy but this process was quite painless and makes a lot of sense. just my two-cents

Trailblazer

How about adding Yubikey and other devices? I have a Yubikey I could use. I'd like to use it with BECU.

Trailblazer

I wanted to add my support for the option to use a USB token (Yubikey) or 2FA application. This would be helpful while traveling when I do not have access to cell service.