[Feature Request 🔧] Two factor authentication

Hello

Please include Multi-Factor authentication as a security feature. I work in security and the app not having this is extremely worrying to me.

I can’t overstate how important security is in an app like this, and how a single blunder that a normal user can’t prevent will undermine trust for the app.

Please add this, it’s terrifying to plan for the future without basic security features on it.

https://www.bloombergquint.com/onweb/robinhood-users-had-accounts-looted-say-there-s-no-one-to-call

Agree added security would be good

6 Likes

There’s a previous topic on this.

The previous reply from Freetrade seems to fundamentally miss the point. They mention that a user can enable 2FA on their email. This is essentially passing off the security of Freetrade user accounts to an unknown third party.

It’s fundamentally flawed, and I can only imagine it’s near the top of the head of infosec’s risk register. (And if it’s not, he’s missed an issue.)

Freetrade cannot know what security, if any, a user has on their email, or even if they’re the only ones who have access to it, so they should be assuming that the email has on average very basic username and password security. And at worst, that it’s shared or compromised.

The idea that a user should secure their email, while good advice, isn’t a solution for Freetrade. It’s just bad security practice.

So I do agree that better security is needed at least when logging into the app the first time. It seems to still be a simple email link? Which isn’t any form of secure login in my mind, never mind 2FA.

8 Likes

I totally agree, “most” people need to be forced into security features too, it’s not enough to just have it laying around buried in the settings, it could seriously damage the platform when and I mean when and not “if” a breach happens.

MFA at first login and logout if there is a significant location change, especially when logging in from a high risk country (risk factor authentication) is not just a “feature” that is good to have, it is a feature that is necessary if you want to keep Freetrade as your main investing platform. How can you sleep knowing that your money is not as secure as you need it to be?

2 Likes

Yeah, don’t get me wrong, there are other protections around linked bank accounts etc. But the trend to using just an email link to login seems ill advised in the long run. There’s more security for me to authenticate to Freetrade on my phone than there is to set it up on a stranger’s device.

3 Likes

Agreed, it’s got me worried now as well!

If Freetrade can come out with how they handle things differently to Robinhood from a security perspective too.

Why haven’t we got 2FA? It seems like a no brainer?

4 Likes

Agree that 2FA on login would be good, SMS with a one-time code for example.

For those concerned by the RH breach, it’s unlikely it could be exactly replicated here. As some others have noted, FT only allow you to withdraw to a linked bank account, which would limit an attacker’s options to buying and selling shares with your existing funds (appreciate also not ideal) or trying to social engineer the FT team to update the account details (in my experience they normally do additional validation at this point).

1 Like

I don’t see the need for this for Freetrade, as previously stated the existing security measures would prevent the RH issue anyway.

Also while FT is an app it already requires access to the user’s phone which should be enough security. I concede that a webapp may require an additional factor.

If people don’t have 2FA on their email then I’m not sure they can be helped anyway. Whatever measures you put in place will probably be undermined by password post-its and the like.

1 Like

It’s not really about that. From Freetrade’s perspective it has zero insight into another unknown company’s security. Every user could have 2FA on their email and Freetrade would never know. You can’t base security on a coin flip.

It’s not so much about access to the app on your phone, as you say Freetrade do think about the security of that. It’s that the first time login is based on an email which Freetrade assumes on faith is secure, and for the most part it probably is, but Freetrade has no idea.

It would be the same as having zero security on the app and not bothering to check if the phone has any security enabled and just hoping it is.

It’s not a huge deal, but it is an issue, especially if there are no other checks when making an initial login to the app on a new device.

2 Likes

Hi all,

As has been mentioned already, you can only make withdrawals from Freetrade to a linked bank account. We have a stringent set of rules in place for people that want to change their linked account. That would make the kind of attack described in the Bloomberg article very hard to carry out.

As to 2FA, I will be totally transparent and say that, while it’s something that we do want to add, there are other app features and products that are much more in-demand from customers. We have to focus on those first. I do appreciate that this is frustrating but it’s also worth remembering that our existing security procedures are still very stringent.

Thanks,

David

12 Likes

Thanks for the response. Could I suggest a possible alternative could be to add some information about securing your account somewhere, pin, faceid, and email security etc. This would ensure there’s somewhere people can go to know what the basics are that they need to do.

As you say withdrawing money still has its security checks in place, but what about the app being installed on other devices if someone’s email is compromised? (Correct me if I’m wrong and there’s something in place to stop this?) Information can be as important as the money in many cases.

1 Like

With the recent RH news coming to fruition, it honestly should be a necessary requirement, particularly as Freetrade is dealing with money - it will just be a matter of time it will become targeted by malicious users.

Freetrade should really be taking security seriously - if you are to graduate among the “big boys”.

It is a bit unfortunate that management is prioritising features/bells and whistles over core functionality (security).

Using airlines as an example… you only need one crash/failure to tarnish your reputation…

1 Like

Just to add my 2 penny stocks worth, security is not “a nice feature to have”. It is a requirement.

I don’t think it’s a valid argument to say that MFA is not needed because the same thing that happened to RH can’t happen here. Sure they can’t withdraw money, but they can sell all your holdings and cost you thousands.

Another point is that your FT account holds a lot of information regarding you, such as address, email as well as the amount you have in the account. This opens up multiple avenues in which an attacker can exploit and use for social engineering attacks.

So whilst I would love to see FT add more functionality and improve the UX (which they are doing well imo) security needs to be top of the list.

Again, security is not a nice to have feature, it is a must have requirement.

9 Likes

Even if money can’t be withdrawn, imagine the volume that can be moved on penny stocks to generate winnings somewhere else by taking over a few dozen accounts.

This is a serious security concern. At least for first login and risk country logins it needs to be addressed.

3 Likes

‘Magic email’ logins and codes are security theatre: it doesn’t matter if your mail account logins are locked down like Fort Knox, emails are fundamentally plaintext. It takes a single hop to a bad-actor mail server for the contents to be read, as there is no enforced end-to-end encryption (any in-flight encryption is purely by servers pinky-swearing not to peek).

With 2FA now in place even for bog standard online transactions, there is zero excuse for it not to be present for access to an account controlling potentially tens of thousands of pounds. It’s not just withdrawal theft that is a concern, having a pool of vulnerable users makes for a nice target for active stock manipulation attacks, for example. And even a basic attack like an unwanted buy or sell order will royally piss off an affected user.

2 Likes

I would agree with the points raised on this thread. As far as I can tell anyone who can access my email account has full control of my Freetrade portfolio (perhaps not withdrawing money but that is not inconceivable). Therefore FT is reliant on unknown email providers for the security of client accounts. I’m not sure this is acceptable for a financial services company. I can’t think of another finance app I have come across that does security this way, surely that rings alarm bells.

I use Firebase authentication via a magic link for a game app, there’s no way I would rely on it for anything involving money.

I understand the point about having a linked bank account but regardless of whether money can be stolen, taking over an account would be disastrous for FT. The upcoming SIPP offering is great but one security problem in the media would wipe out all the hard work. In that situation I don’t think blaming it on someone’s poor email security will look very good.

IMO this is core app functionality / security, not a feature. It’s my biggest concern as an investor.

2 Likes

Apparently Monzo uses magic links for authentication. Interesting discussion here.

Perhaps better than a username / password but still reliant on unknown email accounts.

That’s a very surprising reply. It’s always going to be, and is for every company that has 2FA on their app/website, a tiny minority of customers that ask for 2FA. (Enterprise customers aside.) Customer doesn’t always know best.

Offer it, even enforce it, and reap the reward when you don’t get bad press for not having it, or save the day by having it. Honestly, seeing as everyone else has it, I just assumed it was an FSA requirement; it’s certainly the norm, and wouldn’t look good if something happened and some journalist realised 2FA was the obvious missing solution.

1 Like

Where would you implement it?

Every login? Awful UX
Every buy/sell? Again awful UX
Every withdrawal? No need with a linked account

I don’t see the use case for it personally. Implementing 2FA just because, doesn’t make the app any safer.

3 Likes

Personally I’d only implement 2FA for when you first download the app, so someone couldn’t access your account on a different device

1 Like