[Feature Request 🔧] Two factor authentication

The most logical place that I see MFA being applied is at login.

I agree that having to go through MFA each login is not a great user experience.

In that sense, why not maintain an authenticated session, let’s say 30 mins, where you have to login with MFA at beginning and for next 30 mins you won’t need to go through MFA again?

As @OJFord said, the customers may not always know what’s the best, hence why decisions such as those related to security should be enforced by the service and not left up to the users.

1 Like

Personally I’d hate that.

First login on a new device would be okay, as long as I didn’t have to do it every time my IP changes.

1 Like

When provisioning a new device.

‘Something you have and something you know’ - once provisioned the device is ‘something you have’ and the (already present) passcode is ‘something you know’.

Security should be a priority no matter what imo.
If your customers are putting thousands onto a platform, it just makes sense to have MFA.

I’ve put MFA onto platforms with no monetary value and would argue this should just be standard already.

1 Like

I’d like to also see 2FA added, especially if we ever see a web version. That being said, I think there needs to be a fail-safe for it. I recently had to factory reset my phone (there was a whole Google-caused issue with Android and I couldn’t fix it, factory reset my phone to sort it, turned out there was a fix 8 hours later). Basically I thought I’d backed up my Google Authenticator to be able to reinstate it when I had my phone sorted, however it didn’t work and I was left locked out of some apps.

Every app/website I had linked to it had a failsafe in case you lost the authenticator. They were still pretty secure ways to authenticate (given, not as secure as 2FA), but it allowed me to access said accounts again. Unfortunately the only thing I couldn’t get back into was my Freetrade forum account. (I’m still awaiting a response from someone about un-linking it)

So if it is something that gets added, please at least add another way to regain access/authenticate, even if it involves contacting support and proving you are who you say you are.

At every re-install you need to enter characters X, Y and Z of your memorable phrase which is stored server-side and encrypted.
Easy peasy.

1 Like

Please for the love of god do not do this.

MFA is overbearing and mostly keeps me locked out of my accounts. It is hell and I spend my life trying to keep well away from this idea of hell on Earth.

Should be renamed Two Factored Stress.

Another mindless memorable sequence of chars that I put into Notepad on my phone that I have to search for, again.

Let the user make an informed choice and decide if they wish to use some additional authentication process. Indeed we may have thousands held in FT, but we chose to put it there, and must be held responsible for our money. The same goes for our devices. We are responsible.

2 Likes

It isn’t just the user who should decide though :+1: If X amount of users say “I don’t want 2 factor” and then a new hack comes out and they all lose money then many will be the most vocal complaining about FT systems being weak. This will reflect badly on FT and be near impossible to repair the reputational damage.

FT won’t be able to say publicly “well you didn’t want full security” and they will simply be linked to poor set-up that can be compromised.

Personally I don’t get the fuss as it takes seconds and really isn’t an issue. Just shows how impatient people are nowadays, how did they survive in the olden days when things took letters or phone calls to do something? :joy:

2 Likes

We didn’t have all of this to do. I never really used a 'phone. Fax was used lots. Life felt less stressful. I had more patience, but this wears thin over the years regardless.

OK, add the two factor, but please keep it sane. Perhaps use something like what PayPal or Amex do: a simple email sent with a number.

Don’t faff around with SMSes only to a UK mobile: this won’t work when I am travelling, because I swap in a local SIM card. I travel lots and for long periods.

Please no memorable passphrase, because these are not memorable and get reused again and again if possible. How many people use qwerty with a hint set to “ytrewq backwards”? P.S. I don’t :slight_smile:

For comparison: I do not have a bank account that uses two-factor auth.

1 Like

If a log in is currently defined as entering a PIN, then this is once every 15 seconds.

I have to login (enter the PIN) as soon as the app loses focus after 15 seconds. This would be awful.

Hi,

I am happy if it is only used when setting up a new device.

I think that its use in other cases could be excessive.

I do not have FaceID or any biometrics on my iPhone.

1 Like

The security of two factor authentication is a must.

And for anyone who says it's not: I can go to my gf's PC, get the email password and log into the app with no problem. And sell everything and spend it on something crashing.

I would never do that of course :joy: but some people would out of spite. And that is a terrible example to be fair.

I want my money protected as much as possible.

2 Likes

Quite shocking to read all these comments saying that security is secondary.

Why have banks and financial services introduced stricter control and security over the years? It used to be just a password/pin, but now having MFA is standard for most banks. There is a reason for it becoming industrial standard and regulations.

As for the inconvenience of it, yes it may be slightly inconvenient, but that’s a price I’m willing to pay for improved security. I’ve read some arguments about constantly switching between FreeTrade and another app to view realtime prices before placing an order, but FreeTrade is not (imo) meant for trading. It’s for investing, meaning you don’t need to constantly switch back and forth. Also, it’s unlikely you will be able to buy at the exact price you saw.

How can they make the UX better while having MFA/2FA? - Timeouts and seamless integrations could be some potential options, and I’m sure there are other solutions too.

Just my personal views and opinions.

2 Likes

Freetrade has coupled their security to the security of your email so it already has 2FA. If someone has your phone and biometrics to unlock it and access to your email what more could Freetrade offer? A separate device - that would be a terrible UX.

I don’t see how people can be worried about their Freetrade account and nonchalant about their email.

In my opinion Freetrade building this would be just security theatre, inconveniencing users to make them feel safer without any increased protection.

2 Likes

I think the ideal situation would be to make the 2 factor authentication available and then let each and every one of the users decide for themselves if they want to use it or not. It’s not a question of deciding if it’s there or not through democratic vote. The option would be there, available for everyone. Do I want to use it or not?! My choice should not affect other people’s choices, because it would be an option for individuals.

2 Likes

Whilst I agree with your point to an extent my point was you have 2 scenarios if a hack became available to potentially work

A) You have optional security and some don’t take it then FT gets a reputation for poor security when people lose money and this is impossible to get rid of. No-one will accept it was the user's fault as they all go silent on being stupid/impatient etc. This results in a very negative reputation.

B) Full security and no opt-out - A couple people moan on a forum but everyone is safe and reputation is still a secure financial service and no-one loses money.

I do not see how this would be a discussion let alone a serious thought for FT :+1: People moan in life about everything but when it hurts them they are usually the loudest complaining about the issue when they lose out :man_facepalming:

Edit - having read the thread I do think my point is maybe to buying or selling and not just opening the app as that would be OTT. Maybe 2FA for a selling/buying window of an hour or something?

1 Like

2FA with a ‘Remember Device’ option would do me.

2 Likes

I share this view. Sad

3 Likes

1 + 1 = 2 ? Correct?

FT doesn’t have 1FA as of now.
Click on the email link. Job done.

What if FT email provider is hacked or my email is compromised?

Now please don’t say money can be withdrawn to your linked bank account only.

Someone accessing my FT portfolio is already scary.

@Freetrade_Team