Additional 2-Factor Authentication Options

Hello, with cyber security attacks becoming increasingly prevalent, we need more options for 2-factor Authentication. For most people, SMS doesn't give us the peace of mind anymore. It is great that you have that more than anything else, but someone recently tried to log in to my account, and if they were able to spoof my phone number it would have been bad for me.

Recommendations are hardware keys such as Yubikey which is becoming increasingly popular. 

49 Comments
Sightseer

Can we use biometric authentication and an authenticator like Google or Microsoft TOTP?

Trailblazer

I agree with this... I posted yesterday about the current password reset flow and having to submit my ssn and credit card...  I’d rather go with two factor authentication

Tourist

It has been more than a year since this was suggested.  What's the word?  SMS 2FA is insecure.

Sightseer

This really needs to be addressed. Other institutions have this in place already and I know your IT department is competent, so what is the hold up?

Explorer

BECU should support any trusted authenticator, like MS, Google, 1Password, Symantec, etc. If you don't have a phone, the SMS authentication won't work. Also, as others have stated, SMS is not acceptable and can be intercepted quite easily. 

Sightseer

I definitely agree! I'm not familiar with Yubikey, but one bank has this option. When a person signs in you go to a screen where you request a code, which is then sent to your phone.

Entering the code takes you to your web site.

hs
Sightseer

Many people do not text at all, or do not want texts constantly sent to their phone as an authentication method, and prefer receiving an email. Many others are in meetings or appointments and do not want texts coming to their phone. A member ought to be able to complete account business without having to go through multiple steps.

Also, two-factor authentication is a pain and many busy professionals do not have the time, nor do they want, to do multiple steps EVERY time they log in to an account. Imagine if every account they had required two-factor authentication (and many of us have 12-16 accounts between checking, savings, credit cards, IRA accounts, and accounts at multiple institutions). It would take half of the day just authenticating yourself and would be a serious inconvenience. I personally do not want to ever be REQUIRED to complete two-factor authentication all of the time, and I know many others who do not either.

Trailblazer

Hi everyone, I wanted to express my thanks for the thoughtful responses on this idea.

One thing I wanted to remind everyone when I posted this recommendation a while ago was that while I supported two factor authentication as a means to recover your password etc., my main gripe at the time was that I HATED the idea that I had to provide my SSN and a credit card or debit card to recover my login. This may have been resolved as it's been a while since I reset my password.

While I agree two factor authentication can be a PITA (pain in the...) at times, I'm open to the idea for someone to point me to a better means to recover your login info without giving other critical pieces of info, but until that time I think TFA can be an acceptable option.

Sightseer

I joined to suggest this idea and was glad that it's already been suggested.

TOTP (like Google authenticator) should definitely be an option.  SMS is really not the most secure way to handle 2FA and e-mail codes can take too long and they can also be as insecure as SMS.

It would be more accessible, and easier for BECU to deploy, if the open standard for TOTP was used instead of having a single proprietary app and method.  This would also allow people to add BECU to an authenticator they already use such as Google Authenticator or even an open-source alternative like FreeOTP.

Tourist

Please provide a status update.