Additional 2-Factor Authentication Options

Hello, with cyber security attacks becoming increasingly prevalent we need more options for 2-factor authentication. For most people, SMS doesn't give us the peace of mind anymore. It is great that you have that more than anything else, but someone recently tried to log in to my account, and if they were able to spoof my phone number it would have been bad for me.


Recommendations are hardware keys such as Yubikey which is becoming increasingly popular. 

45 Comments
Sightseer

A year and a half later and we are still only offered SMS. When will we see some more choices? 2FA, MFA: why is the banking community so slow to offer protection options against hacking?

Trailblazer

Is U2F or TOTP being considered today? The SMS method is now regarded as barely better than just a password.


Wanderer

I would like to see BECU adopt the YubiKey token for security. I have been using a YubiKey for a long time now on different websites like Google Chrome and many others.

Sightseer

Supportability matters. Yubikey wouldn't be bad, but it's also a niche option that only information security professionals like me are likely to use.


Google Authenticator and the like -- I think anyone who recommends this has never had to support it. Users don't expect their MFA to stop working when they change their phone and didn't back up a list of reset codes 2 years ago when they originally downloaded the app!


HSBC and Wells Fargo both offer RSA hardware token options which are a reasonable balance of security and convenience. However, there are also adaptive authentication products such as Ping Identity that combine multi-factor authentication with other verification methods reducing the need to prompt every time.


One other thing to look at is being smarter about when MFA is required. Viewing my bank balance and transaction history is a less sensitive activity than transferring money. This is particularly true if I'm viewing my bank balance and transaction history from a known browser on a known device at a known IP address in Olympia versus transferring money to somewhere I've never transferred it before, from an unknown browser and device, at an unknown IP address in Belgrade.
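The step-up policy sketched in the comment above, written out as an added example (not BECU's code or any product's): each account action carries a base sensitivity, each unfamiliar context signal (device, browser, IP, city) adds weight, and the second factor is demanded once the sum crosses a threshold. Money movement is weighted so it always prompts, and only low-sensitivity reads from a familiar context skip MFA. All action names, weights and sample sessions are constructed for illustration.

```python
from dataclasses import dataclass

# Base sensitivity of each account action (constructed values for illustration).
ACTION_RISK = {
    "view_balance": 1,
    "view_history": 1,
    "transfer_known_payee": 4,  # money movement reaches the threshold on its own
    "transfer_new_payee": 6,
}
STEP_UP_THRESHOLD = 4  # prompt for the second factor at or above this score


@dataclass(frozen=True)
class Session:
    device_id: str
    browser: str
    ip: str
    city: str  # city the IP address geolocates to


@dataclass(frozen=True)
class Profile:
    known_devices: frozenset
    known_browsers: frozenset
    known_ips: frozenset
    home_city: str


def risk_signals(session, profile):
    """Weight each contextual signal that deviates from the user's history."""
    return {
        "new_device": 2 if session.device_id not in profile.known_devices else 0,
        "new_browser": 1 if session.browser not in profile.known_browsers else 0,
        "new_ip": 1 if session.ip not in profile.known_ips else 0,
        "new_city": 2 if session.city != profile.home_city else 0,
    }


def mfa_decision(action, session, profile):
    """Return (requires_mfa, score, reasons); unknown actions count as high risk."""
    signals = risk_signals(session, profile)
    score = ACTION_RISK.get(action, STEP_UP_THRESHOLD) + sum(signals.values())
    reasons = [name for name, weight in signals.items() if weight]
    return score >= STEP_UP_THRESHOLD, score, reasons


# Constructed profile and sessions matching the scenario in the comment above.
PROFILE = Profile(frozenset({"dev-A"}), frozenset({"firefox-120"}), frozenset({"203.0.113.7"}), "Olympia")
HOME = Session("dev-A", "firefox-120", "203.0.113.7", "Olympia")
ABROAD = Session("dev-Z", "chrome-119", "198.51.100.9", "Belgrade")
```

The returned reasons list is what you would log alongside the decision, so a burst of "new_device, new_city" step-ups on one account is visible to the fraud team.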

Wanderer

Are BECU security teams reading these comments? Your comments are 2 years old and there has been no reply from them about hardware keys. Please give people this choice of a YubiKey or something like that. I have been waiting a few years now.


Thanks 

Tourist

I also would love to see multi-factor authentication expand with BECU to include 3rd party authenticators like Authy.

Sightseer

I joined the idea exchange specifically to see if there was any discussion around improving 2FA. I'd like to give a +1 to supporting Google Authenticator, and better yet Yubikey.

Wanderer

@techguy206 wrote:

Hello, with cyber security attacks becoming increasingly prevalent we need more options for 2-factor authentication. For most people, SMS doesn't give us the peace of mind anymore. It is great that you have that more than anything else, but someone recently tried to log in to my account, and if they were able to spoof my phone number it would have been bad for me.


Recommendations are hardware keys such as Yubikey which is becoming increasingly popular. 


I would recommend a numeric algorithm depending on the day of the month, which would change to ensure password security. A person could keep it in personal notes AND change it at a moment's notice if desired, noting that it was not a consistent process. You can work out a 30 day, and then adjust on any given month or a day with an unexpected update. Pretty simple, but deeply effective.

Wanderer

Any updates for us regarding the progress of implementing something more robust than SMS? In the short term, could SMS at least be made mandatory for logins, if enabled by the account holder? I have logged in from foreign devices and have not been prompted for verification. I'd rather optionally sign up for the hassle of always having to enter my code, for the peace of mind of having an always-on second factor requirement in place.

As someone who worked in cybersecurity for several years, I no longer keep very big sums of money at BECU due to this issue. Recently an engineering manager in the Bitcoin space got hacked via a SIM swapping attack and they stole $100,000+ worth of bitcoin from him. https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517...


With the ease of social engineering phone numbers, NIST no longer considers SMS 2FA to be a viable 2nd factor. For most people, bank accounts are the crown jewels of their online accounts, and ease of use with online transfers and external accounts can mean high impact to people's livelihood in the event someone is able to log in and access your accounts.