2FA/Two-Factor Authentication

Hi All,

Has the team considered implementing this? I think we should at least have the option to enable 2FA; I have this option on almost all other banking/trading/crypto apps, and in Freetrade’s case we should be able to enable it for:

  1. Accessing/opening the app itself
  2. Buying
  3. Selling
  4. Withdrawing


Why do you need it? If you’ve got Touch ID on your phone, on the app and on each transaction then why yet another thing?

It’s good practice nowadays to use 2FA where possible when there is anything sensitive or confidential such as PII (personally identifiable information) or PCI (payment card industry) information involved.

If someone was to hack/bruteforce/other - somehow gain access to my Freetrade account and log in as me, what information do they have access to?

NI Number
Everything in all Activity Feeds

They may also be able to Buy and Sell funds too, why? Who knows, but they’d be well on their way to stealing your identity.

I realise we have ‘Touch ID’ or whatever it is called on Android, but I am sure there has been an occasion in the past where almost all or in fact all security controls have been bypassed. 2FA provides an additional layer of security where an attacker needs to physically have the device in order to accomplish their means.

If they wanted to install the app on a device after cloning your phone number they’d need to access your email, so there’s a second factor already

I’m not sure if they’d need to clone your number? The right emulator would enable you to install Freetrade on just about anything I would think.

I don’t know if that’s really a second factor in this context, let’s assume Facebook is breached and all emails and passwords are leaked or sold, as is how most hacks of this ilk happen. Now the attacker has millions of user details including email addresses and passwords and a large majority of those users will be using the same password across multiple platforms.

Next up email addresses are compromised, and you can either go on from there and categorise/target accounts, or leak/sell those details onwards to who knows as well.

It doesn’t take long before an attacker has a list of compromised email accounts all with Freetrade accounts, bank accounts, other accounts etc. And then factor in that compromised account to support an attack on X or Freetrade for example. This is business as usual for lots of online criminals these days, and I’m sure there’s a myriad of other ways one could compromise an account.

Most banking/finance/crypto apps have the security Freetrade has now, and more, 2FA. It’s just another layer of defence and it would be an option, if you don’t want to enable it you don’t have to.

Just a couple of thoughts off the top of my head:

If you’re security conscious enough to use 2FA then perhaps it’s unlikely that you’ll use the same credentials to log in to your email account as you use to log in to other accounts.

A better solution might be to enable 2FA for your email account as that would have the added benefit of also protecting access to all the other important services & information that your emails contain / enable access to.

As Alex said you should be using a unique password for any website you care about.

Personally I would be happy with the account being temporarily locked out if the wrong pin is entered so many times in a row (I assume this is already set up)

None of my banking apps prompt me with 2FA when sending money; they send a text code when logging in from a new device though.

I second 2FA; everything should offer the option of 2FA in 2019!

I get the argument that having 2FA enabled on your email partially mitigates the issue (and it’s something I believe everyone should have enabled), but it doesn’t get around the fact that, a) not every email provider offers 2FA (Virgin Media, looking at you), and, b) by suggesting this, Freetrade are effectively placing the responsibility for 2FA account security onto someone else (the email provider).

Most banks require a second factor. Wealthsimple offer 2FA via an authenticator app, and incentivise using it with a fee reduction. Most crypto wallets offer 2FA. Online market places like Amazon and eBay offer 2FA.

Whilst I believe 2FA should be an option for all accounts these days, that’s doubly true of financial apps. It’s just good practice, and it works.

Any technology to make accounts more secure should be utilised; 2FA is a no-brainer.


2FA should be default security. Anything else is a bonus. When it comes to money you have to be very secure.

I was going to suggest this but then found this thread. I added my account to my tablet and was surprised the email link just worked and there is no option to add 2FA. 2FA would be a nice feature to see.


I agree with the use of 2FA. Bottom line is Freetrade manages people’s money so security is a MUST. I understand the argument that the email offers some type of 2FA already, but from a security perspective Freetrade shouldn’t be relying on the defences offered by a third party (in this case the email provider) as they have no control over it. Best practices say you should implement layers of defence and base your security on the security controls your service implements (in this case the Freetrade app).

The interesting fact about security is that as apps become more famous or gain market share they become a target. Look at ZOOM: they have been around for a while and no one ever cared to spend time looking at their security; once they became popular because of COVID-19, all eyes were on them.

2FA to open the app may become tedious. The other use cases I agree with (buy/sell/withdraw/fund).


Agreed, if implemented, please don’t have 2FA required to open the app every time. Give the option to trust a device moving forward. Both PayPal and IG have this implementation (i.e. it’s required every time), and it’s a PITA.


Think after the news that a bunch of Robinhood investors were hacked due to their email accounts being compromised, this is something Freetrade should have as an option. Instead of just saying ‘add 2FA on your email’.
At the very least they should reassure us accounts can’t be hacked if email gets compromised.

I think just sending a text to confirm it’s you when you log into your account on a new device would be good

2FA should be the standard when it comes to account security. Look at what’s happened with Robinhood recently. We need more account security.

Extra security is better than no extra security.

Another popular Share Dealing app implemented this today …

No, look up SIM swapping. 2FA should never involve email or your mobile phone number. The safest 2FA is via an app like Google Authenticator or Authy. Every single financial account should feature this.