Additional 2-Factor Authentication Options

Hello, with cyber security attacks becoming increasingly prevalent we need more options for 2-factor authentication. For most people, SMS doesn't give us the peace of mind anymore. It is great that you have that more than anything else, but someone recently tried to log in to my account and if they were able to spoof my phone number it would have been bad for me.

 

Recommendations are hardware keys such as Yubikey which is becoming increasingly popular. 

49 Comments
Sightseer

100% agree, you need to support TOTP-based solutions like Google Authenticator, Microsoft Authenticator, etc.

Sightseer

Bump for two-factor authentication, either Google or MS. I joined just to request after googling how to enable 2-factor authentication on BECU.

Former Community Member

It has been 2 years since the OP's comment was posted and it's still under review. The current 2FA implementation on the website is intermittent. That is not sufficient to provide even a basic level of protection beyond the username/password.

Sightseer

I would like to see the 2 step log-in process. Even with a great password I don't feel as safe anymore. I'd like to get a text message every time I sign in, with a unique pass code each time.

Trailblazer

+1 for two-factor authentication, while keeping it an "opt in" choice for the user. The SMS security is about at the limit of my 79-year-old mother; anything beyond that, if enforced, would cause her to throw in the towel for online banking. Otherwise, Authy, Duo, and Google Authenticator have my vote, with hardware options such as Yubikey for the more tech savvy. I use 2FA wherever available, and the applications which provide this functionality have come a long way in making it easy for the user to set up.

Tourist

Any updates on this? It's been more than 2 years since this idea was posted.

Former Community Member

Here's some back-and-forth I had with BECU back in July. [Added letters "Q" and "A", otherwise no editing.] The reps were certainly polite.

-------------------------------------------

Q. Hello - I really wish you would implement a 2-factor authorization method that would be required for every log in. Your online services are among the most heavily targeted types of websites on the Internet, but I find your security measures inadequate. Please escalate your work in this area. Thanks.

A. Thank you for contacting us via Message Center. I am happy to help you today.

BECU does offer a two factor authentication process for Online Banking. The first authentication is User ID and Password, while the second authentication is a Security Question or the Text Message Verification.

You may modify your security options in Online Banking by logging in and selecting Edit Profile >> Manage Security Options. Here you will be able to change your security questions or enroll in the text message verification option.

I hope this is helpful! If you have additional suggestions, you are welcome to use the “Send a Suggestion” link, located at the bottom of our home page, or you can visit the Member Idea Exchange (MIX). This is an interactive forum where our members can collaborate with one another to provide suggestions to our community managers for review. After a suggestion is submitted you can monitor the progress as we review the idea for approval and possible implementation.

Thanks again for reaching out to us and I hope you have a wonderful day!

 

Q. Hello - Your two-factor authorization system is intermittent. It needs to be applied to every log in instance. Otherwise it is insufficient to protect access to the account. Thanks.

A. Thank you for your reply. Our 2FA authentication system is designed to learn the signature of your computer or mobile device and not ask for additional authentication on a trusted device. If something happens on your trusted device, such as a missed or reset password or an unusual transaction, you may be asked to enter in the authorization codes for a period of time afterwards.

BECU uses cookies, your IP address and several other factors to determine if the location you are logging in from is a trusted device. If you update your browser, clear your cache, cookies, and history, reset your router or modem or your ISP updates your address, we may not recognize your trusted device for a time.

Also, if BECU is notified of a threat, such as an email from someone pretending to be with BECU going to our members, we may ask for additional verification for a time.

BECU takes the security of your accounts very seriously. However, we do want to balance security with the convenience that our members have come to expect from our website and app.

I hope this will help to explain why you are not always asked for secondary authentication on every log in. Please let us know if you have additional questions.
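The trusted-device behaviour described in the replies quoted above, sketched as an added example (not BECU's code and not part of the original thread). The signals compared, the seven-day window and every name here are assumptions; the `always_challenge` flag models the per-member opt-in that posters in this thread ask for.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed length of the "period of time afterwards" mentioned in the reply.
RISK_WINDOW = timedelta(days=7)

@dataclass(frozen=True)
class Device:
    cookie_id: str    # empty string models cleared cookies
    ip: str
    user_agent: str   # stands in for the unnamed "other factors"

@dataclass
class Account:
    trusted: list = field(default_factory=list)   # devices that passed a challenge
    last_risk_event: Optional[datetime] = None    # password reset, unusual transaction
    always_challenge: bool = False                # hypothetical opt-in setting

def needs_second_factor(acct, dev, now, threat_active=False):
    """Return (challenge, reason) for one login attempt."""
    if acct.always_challenge:
        return True, "member opted in to a challenge on every login"
    if threat_active:
        return True, "active threat notice"
    if acct.last_risk_event and now - acct.last_risk_event < RISK_WINDOW:
        return True, "recent risk event"
    if dev.cookie_id and dev in acct.trusted:
        return False, "trusted device"
    return True, "unrecognized device"

if __name__ == "__main__":
    # Constructed sample data (documentation IP ranges).
    now = datetime(2024, 1, 10, 9, 0)
    laptop = Device("c-1001", "203.0.113.5", "Firefox/121")
    acct = Account(trusted=[laptop])
    attempts = {
        "same laptop": laptop,
        "cookies cleared": Device("", "203.0.113.5", "Firefox/121"),
        "ISP changed address": Device("c-1001", "198.51.100.9", "Firefox/121"),
    }
    for label, dev in attempts.items():
        print(label, needs_second_factor(acct, dev, now))
    acct.always_challenge = True
    print("opt-in enabled", needs_second_factor(acct, laptop, now))
```

Under this policy anyone who presents a recognized device is never challenged unless one of the other rules fires, which is the "intermittent" behaviour the poster objects to.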

Explorer

BECU's implementation of SMS-based two-factor authentication was so terrible I had to turn it off. Why? Because it was requiring me to authenticate EVERY SINGLE TIME I USED THE APP. This went on for weeks. I contacted customer service and they said it was working as expected, which is insane because once a device has been authenticated it should be trusted for at least 30 days. I uninstalled the app on my phone, re-installed it; no difference. So then I had to turn it off entirely, which is incredibly frustrating - having to reduce my security because of a shoddy implementation is not acceptable.

 

BECU should switch to a token-based authentication so apps like 1Password and Google Authenticator can be used. Hardware keys are pretty hardcore and I don't know how many people use them, but support for them could come next after software-based authenticators.

Explorer

I very much would want the "authenticate every single time" to be an option - I'm a little surprised that people want to authenticate every single login. That level of hassle would be very irritating to me - and there's no other service I use that required 2FA every login. 2FA is really a third layer of protection beyond username + password and the physical security of your phone/laptop/computer/tablet.