Need an alternative to SMS verification codes

It’s awesome that there are no fees on international transactions, but I think requiring an SMS code to transfer money outside the bank / perform certain functions will negate the feature. It’s pretty common for people to ditch their Aussie SIM card and get a pre-paid local one when travelling overseas. It would be awesome if Xinja could send the codes via WhatsApp, Signal, email or something else.
Thanks!

6 Likes

Second this, also not everyone can have their phone on them all the time. I work at a place that does not allow mobile phones, I work 10 hours a day and often do banking on my work PC, please let us use another alternative method. Also the email link thing to log on is horrible, just use Face ID.

1 Like

Hey @Goose - welcome! :ninja_emojis_pink_03: Sorry for the late response here - that’s a very fair point for our travelling customers and I myself can totally relate! Will share this on with the team and send through updates. Keep sending through the feedback :slight_smile:

1 Like

@Camilly welcome! There’s been a bit of discussion on alt verification methods, we’re working on it - can’t say too much but I’ll keep you posted here :slight_smile: Appreciate the feedback

I actually would love an account but I live 3 hours out of mobile reception, this means I’ll have to go to town to set up an account and from there on if I want to do anything from a purchase to a money transfer I’ll have to drive to town. My current bank uses push notifications and I would love it if I could leave them in the dust and join Xinja.

@Smush can I ask how you access your current bank? Or perhaps more importantly, what would be your ideal way of accessing a bank!

Perhaps a standard approach like using HOTP or TOTP with apps like Authenticator? I assume that (behind the scenes) this is what the PIN that is texted to us is anyway…

Definitely the best approach. Please don’t use some bespoke system.
There are a lot of these apps already available. I use one built in to 1Password. Works great!

We are exploring various options of verification currently so all this feedback is super helpful, thank you all :clap::clap:

1 Like

It is always hard to make everyone happy.

Perhaps, offer options?

  • SMS text/call
  • Email
  • 3rd party authentication code app. Authy, Google Authenticator, SAASPASS Authenticator, Microsoft Authenticator, etc.
  • Physical digital device, e.g. key fob
  • Biometric authentication via mobile phone
  • Security questions & answers (last resort if nothing else works given the user circumstances)

We’re looking into some options to make the process more seamless for customers, not sure about having that many options available. It’s such a personal preference and is a balance between our security requirements, a customer’s circumstances and not wanting our Xinjas to have to download/carry additional verification services unless they’re a real game changer.

1 Like

Still believe the alternative SMS platforms are being underused as business communication systems: WhatsApp, Telegram, Wire, Signal etc. Understand this was a big driver of the recent Facebook US$ 5.7 billion investment into Reliance in India: many Asian businesses use FB primarily as a business tool due to high SMS cost/low data cost. Anyone remember booking a scooter/car hire entirely, and only on WhatsApp, in Bali? (when we still could!). End to end encryption is supposed to be the big selling point of all these systems - this post is a follow on from a recent chat with a Xinja customer care rep.

Dump your passwords, improve your security. Really


Fast Identity Online
better known as Fido

The technology, called Fido, overhauls the log-in process, combining your phone; face and fingerprint recognition; and new gadgets called hardware security keys.

Security keys are digital equivalents of house keys. You plug them in to a USB or Lightning port, allowing a single digital security key to work securely with many websites and apps.


How it works

Here’s one way Fido-based sign-on works without passwords.

You’ll visit a website login page with your laptop, type in your username, plug in your security key, tap a button and then use the laptop’s biometric authentication, like Apple’s Touch ID or Windows Hello. Conveniently, you’ll also be able to use your phone as a security key.



Google Titan Key

https://store.google.com/us/product/titan_security_key?hl=en-US

Frankly, the most user-friendly secure authentication is one that does not require the user to carry anything extra or remember anything specific.

:woman_red_haired: :eye: :lips: :speaking_head: :raised_hand_with_fingers_splayed: :white_check_mark:

:point_right: Biometric authentication (face, fingerprint, voice, iris, etc.), in that sense, is the way to go.

:100: :policewoman: :ok_hand: :moneybag: :heavy_dollar_sign: :heavy_check_mark: :ok: :ninja_emojis_pink_01:


Use existing biometric verification technology already on mobile phones and laptops - facial and voice.


:rainbow: :rainbow: :rainbow:

Imagine this…

  1. Turn on the Xinja app on mobile or laptop.
  2. You are asked to face the webcam for ID verification via facial recognition.
  3. If you pass that, you are now asked to speak a phrase: “I love Xinja!”
  4. If you are in your usual login locations (e.g. Sydney) - If you pass that, your access is approved.
    If you are not in your usual login locations (e.g. overseas travelling) and you have NOT registered your travel plans - You are asked to take a photo with a thumbs up next to your face (show a picture to clarify instruction), via the webcam

(If you are under duress (e.g. held at knife point), simply close your eyes when you take the photo, and the system automatically recognises there is something wrong and presents a mildly worded error message, e.g. “Sorry, our system is unavailable for maintenance at this time.” In the background, Xinja staff and Australian & local police (depending on login location) are alerted in an email.)

:heart: :green_heart: :blue_heart: :purple_heart: :yellow_heart:

BENEFITS:

  1. Easy - Don’t need to carry anything extra or remember anything specific.
  2. Fast - Authentication can be completed in a few seconds.
  3. Secure - Multi Factor Authentication.
  4. Trouble-Free when overseas.

:+1: :+1: :+1:

Use it for:

  1. App access
  2. Withdrawal authorisation (without any limit)
  3. Credit card replacement request
  4. Adding payee

1 Like

Interesting ideas @ContagiousEnthusiasm, not sure how many of our customers have been held hostage or mugged, hopefully not too many! These conversations always bring up many different approaches to security and the many preferences/frustrations our customers have for them. It’s a tough one for sure but there are certainly lots of good options out there for us to explore.

I like the Fido based sign on system concept especially for traveling overseas. Could be handy. In saying that I am strongly against biometric verification systems and do not use them for anything (more a personal choice). I think systems should always be flexible to give customers a choice in these security protocol matters. Good research from @ContagiousEnthusiasm

1 Like

Other banks like Westpac email OTP codes. I hate that we have to enter an SMS code every time we buy something online

1 Like

As someone who constantly mucks about with, and regrets, 2 factor authentication, I say that email is the best backup method to receive codes.

8/10, a phone is enough. For those remaining times, there’s a strong chance you can access your email account from wherever you are if you need to do some banking on the spot.

I am vehemently against physical security keys because I have had them & lost them in the past. I’m on the fence vis-à-vis authentication apps, they are more secure than text messages but you lose your phone or render your phone unusable in any capacity and you can be in serious trouble.

I factory reset my phone recently and lost the MyGov code generator. Turns out, that’s game over. I still need to create a whole new MyGov account and relink everything. Frankly, that’s not such a bad outcome but it’s an extra hassle that I would have preferred to avoid.

So with authentication apps, even the thought of including an approval notification in the Xinja app, you need to make it so if a user wipes/loses their phone, they can reinstall an authentication app on their new phone and it won’t say, sorry you had this installed on a previous device you cannot install this until you deactivate the other device.

It needs to be multi device installable. This does make it potentially less secure but as long as it requires an initial email verification or is password protected, then you have peace of mind but also have flexibility in case your phone goes under a road paver (not hyperbole).

3 Likes

I agree with David it’s too easy to lose physical keys, especially when travelling.

Also agree authentication apps are great, only that MyGov-like process he describes regarding a lost, reset or stolen phone, is required with each and every 2FA account; it’s a very painful process, as this article relates: https://arstechnica.com/information-technology/2020/05/choosing-2fa-authenticator-apps-can-be-hard-ars-did-it-so-you-dont-have-to/. The article pushes Authy as opposed to Google, although it’s relatively simple to set the same Google authenticator app on multiple devices such as an iPhone and an iPad. Just don’t lose both of them!

The article, however, does not really make clear that the move from Google to Authy is not that easy either, as each 2FA account must be processed individually, with some apparently not being available for use with Authy.

So again agree email as a backup is perhaps a good solution.

Thanks @David_Langham! @design.iota.xinja from our conversation the other day…

1 Like