The most logical place that I see MFA being applied is at login.
I agree that having to go through MFA each login is not a great user experience.
In that sense, why not maintain an authenticated session, letās say 30 mins, where you have to login with MFA at beginning and for next 30 mins you wonāt need to go through MFA again?
As @OJFord said, the customers may not always know whatās the best, hence why decisions such as those related to security should be enforced by the service and not left up to the users.
āSomething you have and something you knowā - once provisioned the device is āsomething you haveā and the (already present) passcode is āsomething you knowā.
Iād like to also see 2FA added, especially if we ever see a web version. That being said, I think there needs to be a fail-safe for it, I recently had to factory reset my phone (there was a whole google-caused issue with Android and i couldnāt fix it, factory reset my phone to sort it, turned out there was a fix 8 hours later), basically i thought Iād backed up my google authenticator to be able to reinstate it when i had my phone sorted, however it didnāt work and I was left locked out of some apps.
Every app/website i had linked to it, had a failsafe in case you lost the authenticator, they were still pretty secure ways to authenticate (given, not as secure as 2FA), but it allowed me to access said accounts again. Unfortunately the only thing i couldnāt get back into, was my Freetrade forum account. (Iām still awaiting a response from someone about un-linking it)
So if it is something that gets added, please at least add another way to regain access/authenticate, even if it involves contacting support and proving you are who you say you are.
MFA is overbearing and mostly keeps me locked out of my accounts. It is hell and spend my life trying to keep well away from this idea of hell on Earth.
Another mindless memorable sequence of chars that I put into Notepad on my phone that I have to search for, again.
Let the user make an informed choice and decide if they wish to use some additional authentication process. Indeed we may have thousands held in FT, but we chose to put it there, and must be held responsible for our money. The same goes for our devices. We are responsible.
It isnāt just the user who should decide though If X amount of users say āI donāt want 2 factorā and then a new hack comes out and they all lose money then many will be the most vocal complaining about FT systems being weak. This will reflect badly on FT and be near impossible to repair the reputational damage.
FT wonāt be able to say publicly āwell you didnāt want full securityā and they simply be linked to poor set-up that can be compromised.
Personally I donāt get the fuss as it takes seconds and really isnāt an issue. Just shows how impatient people are nowadays, how did they survive in the olden days when things took letters or phone calls to do something?
We didnāt have all of this to do. I never really used a 'phone. Fax was used lots. Life felt less stressful. I had more patience, but this wears thin over the years regardless.
OK, add the two factor, but please keep it sane. Perhaps use something like Paypal or Amex do it: A simple email sent with a number.
Donāt faff around with SMSes only to a UK mobile: This wonāt work when I am travelling, because I swap in a local SIM card. I travel lots and for long periods.
Please no memorable passphase, because these are not memorable and get reused again and again it possible. How many people use qwerty with a hint set to āytrewq backwardsā? P.S I donāt
For comparison: I do not have a bank account that uses two-factor auth.
The security of two factor authentication is a must.
And for anyone who say its not : i can got to my gfs pc get email password and log into the app with no problem. And sell everything and spend it on something crashing
I would never do that of course but some people would ou of spite. And that is terrible example to be fair.
Quite shocking to read all these comments saying that security is secondary.
Why have banks and financial services introduced stricter control and security over the years? It used to be just a password/pin, but now having MFA is standard for most banks. There is a reason for it becoming industrial standard and regulations.
As for the inconvenience of it, yes it may be slightly inconvenient, but thatās a price Iām willing to pay for improved security. Iāve read some arguments about constantly switching between FreeTrade and another app to view realtime prices before placing an order, but FreeTrade is not (imo) meant for trading. Itās for investing, meaning you donāt need to constantly switch back and forth. Also, itās unlikely you will be able to buy at the exact price you saw.
How can they make the UX better while having MFA/2FA? - Timeouts and seamless integrations could be some potential options, and Iām sure there are other solutions too.
Freetrade has coupled their security to the security of your email so it already has 2FA. If someone has your phone and biometrics to unlock it and access to your email what more could Freetrade offer? A separate device - that would be a terrible UX.
I donāt see how people can be worried about their Freetrade account and nonchalant about their email.
In my opinion Freetrade building this would be just security theatre, inconveniencing users to make them feel safer without any increased protection.
I think the ideal situation would be to make the 2 factor authentication available and then let each and every one of the users to decide for themselves if they want to use it or not. Itās not a question of deciding if itās there or not through democratic vote. The option would be there, available for everyone. Do I want to use it or not?! My choice should not affect other peopleās choices, because it would be an option for individuals
Whilst I agree with your point to an extent my point was you have 2 scenarios if a hack became available to potentially work
A) You have optional security and some donāt take it then FT gets a reputation for poor security when people lose money and this is impossible to get rid of. No-one will accept it was the users fault as they all go silent on being stupid/impatient etc. This results in a very negative reputation.
B) Full security and no opt-out - A couple people moan on a forum but everyone is safe and reputation is still a secure financial service and no-one loses money.
I do not see how this would be a discussion let alone a serious thought for FT People moan in life about everything but when it hurts them they are usually the loudest complaining about the issue when they lose out
Edit - having read the thread I do think my point is maybe to buying or selling and not just opening the app as that would be OTT. Maybe 2FA for a selling/buying window of an hour or something?
If X amount of users say āI donāt want 2 factorā and then a new hack comes out and they all lose money then many will be the most vocal complaining about FT systems being weak. This will reflect badly on FT and be near impossible to repair the reputational damage.
