[Feature] Two factor authentication

The most logical place that I see MFA being applied is at login.

I agree that having to go through MFA each login is not a great user experience.

In that sense, why not maintain an authenticated session, let’s say 30 mins, where you have to log in with MFA at the beginning and for the next 30 mins you won’t need to go through MFA again?

As @OJFord said, the customers may not always know what’s the best, hence why decisions such as those related to security should be enforced by the service and not left up to the users.

Personally I’d hate that.

First login on a new device would be okay, as long as I didn’t have to do it every time my IP changes.

1 Like

When provisioning a new device.

‘Something you have and something you know’ - once provisioned the device is ‘something you have’ and the (already present) passcode is ‘something you know’.

Security should be a priority no matter what imo.
If your customers are putting thousands onto a platform, it just makes sense to have MFA.

I’ve put MFA onto platforms with no monetary value and would argue this should just be standard already.

I’d like to also see 2FA added, especially if we ever see a web version. That being said, I think there needs to be a fail-safe for it. I recently had to factory reset my phone (there was a whole Google-caused issue with Android and I couldn’t fix it, factory reset my phone to sort it, turned out there was a fix 8 hours later). Basically I thought I’d backed up my Google Authenticator to be able to reinstate it when I had my phone sorted, however it didn’t work and I was left locked out of some apps.

Every app/website I had linked to it had a failsafe in case you lost the authenticator. They were still pretty secure ways to authenticate (given, not as secure as 2FA), but it allowed me to access said accounts again. Unfortunately the only thing I couldn’t get back into was my Freetrade forum account. (I’m still awaiting a response from someone about un-linking it.)

So if it is something that gets added, please at least add another way to regain access/authenticate, even if it involves contacting support and proving you are who you say you are.

At every re-install you need to enter characters X, Y and Z of your memorable phrase which is stored server-side and encrypted.
Easy peasy.

Please for the love of god do not do this.

MFA is overbearing and mostly keeps me locked out of my accounts. It is hell and I spend my life trying to keep well away from this idea of hell on Earth.

Should be renamed Two Factored Stress.

Another mindless memorable sequence of chars that I put into Notepad on my phone that I have to search for, again.

Let the user make an informed choice and decide if they wish to use some additional authentication process. Indeed we may have thousands held in FT, but we chose to put it there, and must be held responsible for our money. The same goes for our devices. We are responsible.

1 Like

It isn’t just the user who should decide though :+1: If X amount of users say “I don’t want 2 factor” and then a new hack comes out and they all lose money then many will be the most vocal complaining about FT systems being weak. This will reflect badly on FT and be near impossible to repair the reputational damage.

FT won’t be able to say publicly “well you didn’t want full security” and they will simply be linked to a poor set-up that can be compromised.

Personally I don’t get the fuss as it takes seconds and really isn’t an issue. Just shows how impatient people are nowadays, how did they survive in the olden days when things took letters or phone calls to do something? :joy:

1 Like

We didn’t have all of this to do. I never really used a 'phone. Fax was used lots. Life felt less stressful. I had more patience, but this wears thin over the years regardless.

OK, add the two factor, but please keep it sane. Perhaps use something like how PayPal or Amex do it: a simple email sent with a number.

Don’t faff around with SMSes only to a UK mobile: this won’t work when I am travelling, because I swap in a local SIM card. I travel lots and for long periods.

Please no memorable passphrase, because these are not memorable and get reused again and again if possible. How many people use qwerty with a hint set to “ytrewq backwards”? P.S. I don’t :slight_smile:

For comparison: I do not have a bank account that uses two-factor auth.

1 Like

If a login is currently defined as entering a PIN, then this is once every 15 seconds.

I have to login (enter the PIN) as soon as the app loses focus after 15 seconds. This would be awful.

I think this must be a local setting on your phone, as my iPhone stays unlocked for 45 seconds with the Freetrade app on screen (untouched). When my phone auto-locks then I have to use FaceID to get back in to the phone (and then again for the app).

I don’t think anyone(?) is seriously suggesting 2FA for every login. But I would like to see it every time there is a login on a new device. As many others have said, this feels like pretty essential and basic functionality, so I hope it is implemented soon. It would certainly be very bad PR for Freetrade if anything were to happen.

I’ve voted for the idea now and I would encourage others to do the same.

1 Like

Hi,

I am happy if it is only used when setting up a new device.

I think that its use in other cases could be excessive.

I do not have FaceID or any biometrics on my iPhone.

1 Like

The security of two factor authentication is a must.

And for anyone who says it’s not: I can go to my gf’s PC, get the email password and log into the app with no problem. And sell everything and spend it on something crashing.

I would never do that of course :joy: but some people would out of spite. And that is a terrible example to be fair.

I want my money protected as much as possible.

2 Likes

Quite shocking to read all these comments saying that security is secondary.

Why have banks and financial services introduced stricter control and security over the years? It used to be just a password/pin, but now having MFA is standard for most banks. There is a reason for it becoming industrial standard and regulations.

As for the inconvenience of it, yes it may be slightly inconvenient, but that’s a price I’m willing to pay for improved security. I’ve read some arguments about constantly switching between Freetrade and another app to view realtime prices before placing an order, but Freetrade is not (imo) meant for trading. It’s for investing, meaning you don’t need to constantly switch back and forth. Also, it’s unlikely you will be able to buy at the exact price you saw.

How can they make the UX better while having MFA/2FA? - Timeouts and seamless integrations could be some potential options, and I’m sure there are other solutions too.

Just my personal views and opinions.

2 Likes

Freetrade has coupled their security to the security of your email so it already has 2FA. If someone has your phone and biometrics to unlock it and access to your email what more could Freetrade offer? A separate device - that would be a terrible UX.

I don’t see how people can be worried about their Freetrade account and nonchalant about their email.

In my opinion Freetrade building this would be just security theatre, inconveniencing users to make them feel safer without any increased protection.

1 Like

I think the ideal situation would be to make the 2 factor authentication available and then let each and every one of the users decide for themselves if they want to use it or not. It’s not a question of deciding if it’s there or not through democratic vote. The option would be there, available for everyone. Do I want to use it or not?! My choice should not affect other people’s choices, because it would be an option for individuals.

2 Likes

Whilst I agree with your point to an extent my point was you have 2 scenarios if a hack became available to potentially work

A) You have optional security and some don’t take it, then FT gets a reputation for poor security when people lose money and this is impossible to get rid of. No-one will accept it was the user’s fault as they all go silent on being stupid/impatient etc. This results in a very negative reputation.

B) Full security and no opt-out - A couple people moan on a forum but everyone is safe and reputation is still a secure financial service and no-one loses money.

I do not see how this would be a discussion let alone a serious thought for FT :+1: People moan in life about everything but when it hurts them they are usually the loudest complaining about the issue when they lose out :man_facepalming:

Edit - having read the thread I do think my point is maybe to buying or selling and not just opening the app as that would be OTT. Maybe 2FA for a selling/buying window of an hour or something?

2FA with a ‘Remember Device’ option would do me.

2 Likes

I share this view. Sad

3 Likes