Two-factor authentication and improving accounts security

Hi There,

I would like to ask if you could please provide a new implementation of Two-Factor Authentication so we can better protect our investments against criminals.

I have recently heard a story on BBC Radio 4 of a man who had his smartphone stolen. The criminals were able to steal all the money in his bank account, and even worse they applied for a loan in his name through the app, which was approved within minutes, so they were able to steal this amount as well. Hence I have decided to remove all banking and investment applications from my phone, and to manage my bank accounts and investments from my computer at home. Hence I do not want to use the Two-Factor Authentication method which relies on the app on the phone.

The most common way of using Two-Factor Authentication with financial institutions is by receiving a 6-digit number by SMS. This certainly increases the security, but it is considered insecure as apparently it is really easy for criminals to get around this. So it would be great if you could provide more secure TFA instead.

Hardware tokens:
The most secure way of implementing Two-Factor Authentication is by using U2F/WebAuthn. The user needs to buy a hardware token such as a Yubikey. The secret key is stored on the hardware, and it is never seen by the computer, hence this approach remains very secure even if the computer of the user were compromised. The main downside is users have to buy one token, or preferably two in order to have a backup in case the primary token is lost. And for this approach to work best, it is important for the website to allow users to register more than one security token so backup tokens can also be recognised.

Software token:
A very common implementation of Two-Factor Authentication is to scan a QR code with an application such as Google Authenticator or Authy. This does not cost anything, is simple to use, and it is relatively secure. The main downside is that the secret token is accessible through the QR code, and it has to be stored on the user's phone. Smartphones are subject to security vulnerabilities, hence it is not impossible for software tokens to be accessed by criminals. The security of this approach can be increased a lot by storing the software token on a Yubikey using the Yubico Authenticator application on a computer or phone. This reduces the risk dramatically, but the secret seed can still be stolen at the time it is being transmitted from the website to the user's device.

The best implementations I am aware of are on websites such as Google and AWS, where they allow users to register multiple U2F/WebAuthn hardware tokens as well as software tokens, so we have the choice and the ability to register multiple tokens in case we lose one. It would be really great if you could provide at least one of the two secure methods described above. I hope this message will also help users increase their own security by following better practices.

More can be done to improve the security. Assuming criminals are able to access someone’s online account, how difficult is it going to be for them to sell the investments and transfer the proceeds to their bank account? Some investment platforms make it very difficult to change the details of the nominated bank account, to stop criminals from quickly putting theirs in and transferring the money. Some investment platforms ask for a bank statement and proof of ID and charge a fee for changing the bank account. Also it is possible to send a code by post so only the real owner of the account can change the bank account. Are there already such protections in place on your platform, or do you have any such plans?

I would really appreciate it if you could implement such security features on your platform.

Many thanks

2 Likes

Nah, I don’t agree. What I read here is an emotional over-reaction. Besides, there’s always more to the story than what the chap claimed on the radio, with a lot of drama sprinkled in to milk the victimhood status for all it’s worth. I dunno, maybe be more aware of your surroundings before flashing the cash in public places. Or your phone in this case. You see it every day; people with their noses glued to their phone screens walking in the roads, bumping into people and so on. As long as they can see what the latest TikTok fad is, they don’t care two hoots about their surroundings.

Not sure what bank you are using but all the financial institutions I use are PIN/password protected before being able to access their app on my phone, so that part of the claimed incident on the radio sounds a bit fishy to me.

Current security measures in place are more than adequate and what you are asking to implement will needlessly be over-complicated, and then what happens is people start taking shortcuts as it’s too much of a faff to log on. Think of physics; follow the path of least resistance. People are lazy by nature and will always try to do things in the easiest way with the least amount of steps required, or find a way to do so.

How secure do you really think you are on your computer in your home with your browser most likely set to remember site data and logons?

Also, what you suggest contradicts your opening statement; if the phone thief has your phone, he’s got your Gmail; he’s got your Google, so he has access to your so-called stored tokens that you want implemented.

To each their own but for me, I have a lot of trust and faith in the Microsoft Authenticator phone app for 2FA requirements.

3 Likes

I am not asking for a rule that forces all users to use very strong security. I am just asking for the platform to support good security standards so everyone is able to use the level of protection they need.

You may only have small amounts invested, in which case I understand that you personally prefer convenience to an increased level of security.

I personally work in the IT sector where I am familiar with security procedures, and I want to apply the good practices to my personal finances. I hope to grow my portfolio to hundreds of thousands over the years, and I would not be comfortable having my life’s savings without proper security in place.

I understand that convenience is important, especially for day-to-day banking. But personally I don’t need to be able to trade while I am away from home. So the fact that some people lost a lot of money because of the way they use their phone makes me think twice. They probably did not have the right type of PIN/passwords in place. I definitely prefer over-reacting to losing lots of money. I prefer having too much security than too little. And having to use 2FA each time I connect to the platform from my computer is not a big deal. This is just my personal choice. I don’t store passwords in my browser and I don’t trust online password managers. I keep my passwords in an offline password manager, and 2FA software tokens on Yubikeys with Yubico Authenticator. I am happy with the way this works, and it provides strong security without that much extra effort. So in my opinion it is worth it.

2 Likes

hi @francis1981

Thanks for the posts, I’ll flag your points internally regarding other 2fa methods.

I did also just want to flag a general point about IE accounts. We operate a closed-loop system with your bank account, i.e. you can only withdraw funds to your nominated bank account. Where customers need to update their nominated bank accounts, we perform further checks to verify the new account is owned by the same account holder.

5 Likes

I strongly agree with Francis. I’m a bit shocked by the lack of security on InvestEngine relative to other online financial services I use. I don’t want to use 2FA that relies on me being logged in to the app on my phone for similar reasons to Francis (logging in with a device you walk around with reduces your security rather than increases it), and with a method that relies on me having to remember a PIN. If I make the PIN the same as my phone PIN, I’m an idiot. If I don’t, I’ll never remember it. So at the moment my account is only protected by a single password, which is a bit scary. Online banks seem to have got this right so I’m surprised InvestEngine hasn’t caught up.

To be fair, most investment platforms are not making the best use of the technology (hardware or software 2FA tokens). This is not specific to Invest-Engine. I have my SIPP and ISA with the two biggest investment platforms in the UK, and neither of them uses secure 2FA. They just use codes sent by SMS, which are easy to get around. You would think a FTSE100 company with more than a million customers has the resources to implement proper 2FA and also an interest in making their customers’ investments as safe as possible. I have also asked them to implement better 2FA as I have been doing here. I will keep pushing for these security features each time I have an opportunity. I know two investment platforms who have supported 2FA based on software tokens (i.e. Google Authenticator) for many years though. So it is time for all other platforms to catch up.

I find Invest-Engine pretty good overall, so let’s hope they will use this feedback to make it more secure. It is in everyone’s interest.

Also thanks to @tom.winterton for confirming that there is some verification happening in order to change the nominated bank account. It will make it much more difficult for criminals to steal our assets. But it is not bullet-proof. Criminals can steal your identity and open a bank account in your name. This is how criminals can sell people’s properties (to legitimate buyers) without their knowledge and then walk away with the money. Fortunately this is not widespread, but tens of properties are stolen this way every year in the UK, as was explained in the “You and Yours” programme on Radio 4 on 27 Oct 2022. So it is important to be aware of all these scams so we can do our best to protect ourselves.

1 Like

I’d really appreciate decent 2FA as well. The UK finance industry is well behind the curve on this, with US sites adopting the more rigorous implementations of 2FA, probably because SMS fraud is a lot more publicised in the US.

Ironically the gov.uk self assessment web site is probably the best / only UK “finance” site I’ve seen that does a half decent 2FA implementation.

1 Like

I’m another that likes Microsoft Authenticator or my preference Authy for 2FA requirements.

With Authy you can enable multi-device, set up a 2nd device and then disable the multi-device feature again; this gives you the ability to create a backup device you can keep in a safe place at home in case of a lost or damaged device, allowing you to still access your services in a pinch.

If you’re super paranoid, as this type of app works offline by storing the token locally, and if you happen to be using PC-only access at home, you could use an old device not connected to the internet. Overkill but an option…

1 Like

Another security-minded software engineer here who would like the option.
Modern browsers can also make this very user-friendly even to non-tech people.

NS&I do it well as do Nutmeg.

Another software engineer with +1 for 2FA (especially useful where you don’t have a decent password manager). I don’t use the investing app, so a simple authenticator app on my phone would fit with most other 2FA I use day to day.