Additional 2-Factor Authentication Options

Hello, with cyber security attacks becoming increasingly prevalent, we need more options for 2-factor authentication. For most people, SMS doesn't give us the peace of mind anymore. It is great that you have that more than anything else, but someone recently tried to log in to my account, and if they were able to spoof my phone number it would have been bad for me.

Recommendations are hardware keys such as YubiKey, which is becoming increasingly popular.

14 Comments
Community Manager

Hey @techguy206 I originally reached out to our Security team for more info about this when you posted and I'll continue to research. Apologies for not acknowledging sooner. JohnS

Community Manager
Status changed to: Under BECU Review

Hi @techguy206 We're posting a survey and Idea Exchange about this idea soon - keep an eye out for that. Thanks for starting the conversation! JohnS

Community Manager

Good morning @techguy206! We just launched a new idea exchange and survey about this very idea and we'd love to get your feedback on the survey when you have a few minutes. You can check it out here. Have a great day! JohnS

Sightseer

I agree that the use of SMS messages to send a one-time authentication code is a step in the right direction to improve a password-only solution, but it still is not strong enough when it comes to accessing financial accounts online, especially after hearing stories of users getting their cell number switched to a phone that they don't control by a person trying to get to bank accounts and thus getting access to SMS authentication messages. I like the idea of two-factor with use of a physical security token or key that could be used to authenticate access to online accounts.

kz
Sightseer

+1 to the other ideas on this thread.

* Using SMS isn't that great.

* Using TOTP (Google or Microsoft Authenticator) is the current standard and should be the minimum.

* Using a USB device that supports YubiKey OTP would be a step better.

* Using a USB device that supports U2F would be another step better, though this is a more modern standard, but isn't tied to a specific manufacturer. Newer Yubico devices support this.

Community Manager

@kz Thanks for joining the conversation! We recently hosted a survey that addressed this topic and have provided the results and additional feedback we've received from the community about additional multi-factor authentication including biometrics. We'll keep you posted on new enhancements as we know more. Thanks! JohnS 

Sightseer

Many of the new cellular devices do not have facilities for hardware-based communication. I use an iPad and an iPhone as well as a desktop and laptop running Windows. Only the desktop and laptop have a hardware port, so multi-level security using a USB would limit my flexibility.

This fact does not mean advanced security is a bad idea, far from that. A robust security protocol appeals to me as long as it is not hardware dependent or too complicated. 

Sightseer

2FA is a GREAT idea. Integrate with a service that generates QR codes that a 2FA client (like Duo) can use, and it makes it super easy for security-conscious folks.

Sightseer

SMS can be fairly easily intercepted, so I would prefer a dedicated app on my cell phone. When I try to log in to my account, the app pops up on my phone, and gives me a short-lived code that I need to use. (1 to 2-minute expiry.)

This method would allow encrypted transmission of the data, and public-key security, all within the pleasant and easy-to-use wrapper of an app.

(I am basically describing the Authy app, which I am very impressed with. Simple, effective.)

Community Manager

@MPGjon and @Boombachicken - Thanks for the additional examples! I'll pass these along as we continue to explore new and existing ways to enhance our authentication measures. JohnS