PINs vs password vs others?


#1

How do you feel about PINs? 4 digit or 6? Same as your card or different?

What about email address and password? (bit long?)

What about magic links via email that expire?

Biometrics? (thumb print or getting fancy with eye, voice or video/photo?)

How about additional levels? Do you like 2FA via email? sms? other?

And what about secret question answers? What’s the smoothest way for you in an app that keeps you feeling safe?

We’ve noticed people have lots of opinions on this - we’d love to hear yours.

Help us make a decision! Jump in @two_seven @weeksy_j @psychsplash @Xan @Xinjarebel @ruski @mmees @Robbiedog @Leumas @NoDowt


Token login verification
Android app feedback
#2

The only account that feels secure to me, has a 6 digit pin that can initially only be set over a phone line, to a robot and not a real person. After this then the website is the only way to change it.

I don’t mind having the ability to change my pin within the App. However, a 2FA authentication process is a must in my opinion.

I don’t really trust the redundant part of the mobile network generally used for these authentication codes, and email seems a little old school, and emails have a habit of not turning up, especially if a mail server is busy or falls over.

I still like the RSA secure tags, however there are other options to the tag which would be worth a try.

I don’t mind paying a fee for the RSA tag I currently use and the more options the better.

Secret questions are always good. However if your going to use them, the only option I have seen that is as close to perfect as you could get with secret questions, was one where there where as many as you wanted to answer, and then when required to answer, you would get two or three random questions from the list you created.

Nothing is ever going to be perfect, but I think Xinja will eventually be as close as anyone has ever gotten to it. :yum:


#3

Thanks @Xinjarebel 2FA can come in various formats and can be very relevant when higher levels of security required. That’s good to hear you have a willingness to pay for an RSA tag and spend time to complete more security questions, to be more secure. Sounds like you like you’ve got your security loopholes all sewn up! We will keep these in mind :ninja_emojis_blue_02:


#4

6 digit pin

Dont mind email and password cause I use a password manager

What would be a use scenario for magic links?

I like being able to use fingerprint ID to get into my existing ubank and ing, after logging in fully. Also requiring login again after app updates

2fa via sms works well for me when logging into mygov

what other levels are there?

cmoputershare uses a system of secret questions and a dedicated ‘seal’ that you should see before proceeding with login

I do like being told when my account has been logged into.


#5

Thanks @psychsplash - helpful thoughts. Interesting. Sounds like you’re open to a range of options. :ninja_emojis_blue_01: There are RSA tags as @Xinjarebel mentioned, for 2FA as an extra layer if your mobile is compromised, or facial recognition side of biometrics.


#6

2FA with mobile is a must and P.s. I personally hate secret questions. I think that they are an almost useless security feature that is more pain than it is worth.

Security has to be balanced by user experience, being locked out of an account is a huge hassle.

Finger print authentication is pretty standard amung banking apps and works well. I usually keep my bank passcode the same as my card. (not the most safe I know but it is convenient)


#7

I’m a fan of both pin and biometric options overall. I think having the option of a 4 or 6 digit pin would be good - some people are genuinely bad at remembering passwords (like my parents… :stuck_out_tongue:). Also prefer SMS authentication for new payees etc rather than the physical security token, although I don’t understand the technicality of which is more secure - or how secure it needs to be compared to the risk and customer experience. Having said that, I did like having the flexibility of a security token when I was overseas in case I was unable to receive SMS on my Australian number, but I really wouldn’t want to have to carry it on me all the time.


#8

Hi @leumas. The tokens you carry around are not the only option available.

There are also, I believe they are calling them “soft tokens” which is just an app that is constantly providing a 6 digit code on your phone etc. there are a number of these available.

I personally have security issues with SMS Otc’s because the part of the “worldwide” mobile network that is used to deliver them, is a redundant part of the worldwide network that’s not maintained or secure.

It’s articles like this one on wired that I have read over a period of time , and as it’s a pretty reputable source, I tend to give it some credence.

So unless they have made major changes, it should certainly be an option, but it should only be an option and not a requirement

Personally I’m not a hacker, so I can’t tell you how they hack a Mobile network, all I know, is experts say it’s not safe.

The more options Xinja has without going overboard. The better I believe.

Secret questions should also be an option only.
I get it that some people don’t remember their secret, and that’s a pain indeed, however it helps people like me feel secure.

I would personally not rule out any option that was either a popular option, or one that was easy to administer by Xinja and customer alike.


#9

Thanks for your thoughts @Leumas The overseas occasion is an interesting use case to work through. :ninja_emojis_blue_01:


#10

Thanks @Xinjarebel for the share, its about striking the right balance of giving Xinjas enough 2FA options that are the latest and greatest in security best practice, and great human UX.


#11

Thanks for your views @Xan, super helpful. We agree some of the security questions can seem dated and downright ridiculous e.g. name of your first pet!

We’re thinking a lot about the UX here for sure.

You may want to change up that passcode given this is a public forum! :ninja_emojis_blue_02::ninja_emojis_pink_02:


#12

They are a poor investment. They have been compromised in the past. Using a software token like Google Authenticator and making it optional and alternative to texts.

4 or 6 digit pin, no matter, as long as the back end locks out accounts who try too many times.


#13

SMS is not two factor. It’s also not an assured delivery, it’s best efforts. It may be useful for flagging unusual activity or a helpful Second message for adding sensitive things like payees or transfers.


#14

I’m totally fine with either.

I’m not a fan of 2FA for banking, I always think it’s going to be helpful but usually it just gets in the way.

I think that 6 figure PINs would be good, though the default for most is that people make them their birthday, so just need an auto in the verification that you can’t make it your birthday :smile:


#15

Hi @psychsplash Gareth - you would have used a magic link signing up to the Xinja prepaid card - you enter your email, we send you one, you click on the link etc - it’s actually pretty widespread these days.


#16

@Cavok lots of things around SMS agree - depends on context and product - useful when you’re trying to prove ownership of multiple devices simultaneously when that becomes relevant.


#17

Agree - @weeksy_j Jason - have you seen trainspotting 2 re pins? :wink:


#18

Do you know (hard to believe) I’ve seen neither Trainspotting nor Trainspotting 2 despite being told the former is a must see film…


#19

man! go! and watch for serious pin security issue in 2 :wink:


#20

Thanks for the info @Xinjarebel and @Cavok that’s interesting. The soft token definitely sounds like a more secure option than SMS, and would be more useful when overseas.