Additional 2-Factor Authentication Options

Hello, with cyber security attacks becoming increasingly prevalent we need more options for 2-factor Authentication. For most people, SMS doesn't give us the peace of mind anymore. It is great that you have that more than anything else but someone recently tried to login to my account and if they were able to spoof my phone number it would have been bad for me.


Recommendations are hardware keys such as Yubikey which is becoming increasingly popular. 


This is exactly my ask.  Part of my job is online security and I know only too well how insecure SMS is.  Something such as a Yubikey or Google Titan Key would be fantastic but even generating code via mobile app would be better than SMS.


At the ripe old age of 75, my memory isn't it what used to be, especially with pass codes, etc.  I frequently give up trying to appease the pass code god an skip trying to conduct  on-line business.  Is the "key" a digital device that changes it's passcode on a timed basis?  I used to have that where I was employed and it made life much more user friendly. Rather than depending on using a cell device to receive passcodes, an independent  key fob would be preferred.  My phone and I are frequently not on speaking terms.


I like the suggestions for TOTP (time dependent one time passwords); especially since I already use an open source TOTP smartphone app.


Whoo Hoo!!! 

Hey BECU I saw the 2FA authentication experience today when i had to login twice after forgetting to do something.  Not sure if you fully rolled this out OR if you're testing this feature with a small set of folks but anyway.  Loved the experience and I felt confident and secure with it! 


thanks BECU



agree that phone based app is least intrusive, but whatever the solution, please allow users that don't want 2FA to disable.  For me, I would prefer a better set of alert options on my accounts.  In my experience this is better way for me to catch fraud than the numerous PITA login prevention techniques.   however, my main request is let users choose.


I'm new to BECU, and I was disappointed at the level of security of my BECU account(s):


  • I don't know if my password is salted and hashed/encrypted on storage, but the WWW site limits my password to 32 characters. There shoud be no password length limit and, if you're salting and hashing properly (and storing just the hash), there should be no password length limit at all. If I want to enter 50 or 100 or 200 bytes, so be it.
  • SMS authentication is poor. If you're uncertain on that, talk to any security expert (or read prior responses here). Support Yubikey and time-based 2FA (Google Authenticator, 1Password, Microsoft Authenticator, etc). Support SMS only as a last resort, but offer other options first!
  • I like the password and security questions. But: Once you prove you're you, the WWW shouldn't prompt for security questions on every single login. That's annoying and makes the WWW site a hassle to use. Username, password, and 2FA (not via SMS) is fine for unproven connections. Use the security questions for password resets.

+1 for TOTP authentication like most sites offer (allowing use of an app such as Google Authenticator to generate the 2-factor codes)

Community Manager

@Xavier You do have the option to disable 2-factor authentication. When logged into your Online Banking (on a desktop or mobile browser):


  • Click "Edit Profile" next to your name at the top, left of the screen
  • Select "Manage Security Options"
  • Enter security code, which will be texted to your device
  • Click on the red button that reads "Security Questions and Answers"

If you have any questions, please let me know. JohnS


+1 for TOTP authentication (app such as Google Authenticator) for 2FA.

Is there a timeline for implementing at BECU?


This is very much needed.

Yubikey are starting to integrate with most modern browsers and all you need to do is to touch the key to obtain a very strong MFA. I would love to see this added the BECU portal.