PINs vs password vs others?


#21

I prefer the PIN (either 4 or 6 digits) and biometric options. Entering passwords and links that expire via email etc. can sometimes become long-winded when you want to get into your account quickly. Fingerprint is a fast option.


#22

Hi, I hope to arrive in time to contribute a bit on this subject.

I like the idea of fingerprint authentication; it’s quick and easy. If the fingerprint fails, the app could request the PIN (4 or 6 digits with a maximum number of attempts).

About the 2FA, it’s a must in my opinion. The RSA tags are a little bit old school, but they may suit some customers. The apps that provide soft tokens are a bit more convenient, but the best solution is to offer 2FA out of the box. You could store a certificate in the device or a key that rolls every time you log in. That won’t damage the user experience and offers an excellent security level.

If Xinja wants to distinguish itself from the rest, it could also add other MFA. It could take into account the location, touch recognition while typing the PIN, behaviour recognition. That would be amazing :).

The biggest threat is when registering a new user, registering a new device or resetting the PIN. Xinja should be able to identify its customer. You could add random questions based on the consumption of the card, for instance: How much did you spend in the last transaction? Where did you have lunch yesterday? Please avoid the typical questions and answers that are static. Those are very easy to obtain with Social Engineering or Phishing attacks.

Summarising: In my opinion, the best solution to authenticate users is fingerprint + rolling device keys, and the best way to identify your customers is with customer-tailored questions + location-based checks + any biometric.

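The two mechanisms post #22 proposes, a device key that rolls on every login and a PIN fallback with a maximum number of attempts, are sketched below as an added example. This is illustrative code written for this thread, not Xinja’s implementation or anything the poster supplied: the challenge-response protocol, the `ratchet` label, the PIN `4821` and the three-attempt limit are all constructed for the demo. It shows why a rolling key helps (a captured proof cannot be replayed, because both sides move to the next key after a successful login) and how a bounded-attempt PIN gate behaves once it locks.

```python
import hashlib
import hmac
import secrets

# Constructed label for the key ratchet; any fixed, application-specific
# byte string works, it just must differ from other uses of the key.
RATCHET_LABEL = b"demo-device-key-ratchet"


def ratchet(key: bytes) -> bytes:
    """One-way step to the next device key: knowing key_n gives key_n+1,
    but not key_n-1, so an old key is useless after a successful login."""
    return hmac.new(key, RATCHET_LABEL, hashlib.sha256).digest()


class Device:
    """Client side: holds the current per-device key."""

    def __init__(self, device_id: str, key: bytes) -> None:
        self.device_id = device_id
        self.key = key

    def prove(self, challenge: bytes) -> bytes:
        # Proof of possession: MAC over a server-chosen, single-use challenge.
        return hmac.new(self.key, challenge, hashlib.sha256).digest()

    def advance(self) -> None:
        # Client rolls its key only after the server has confirmed success.
        self.key = ratchet(self.key)


class Server:
    """Bank side: one current key and at most one pending challenge per device."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.pending: dict[str, bytes] = {}

    def enrol(self, device_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.keys[device_id] = key
        return key  # delivered once, at registration

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def verify(self, device_id: str, proof: bytes) -> bool:
        # The challenge is consumed whether or not the proof is valid.
        nonce = self.pending.pop(device_id, None)
        key = self.keys.get(device_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return False
        self.keys[device_id] = ratchet(key)  # roll on every successful login
        return True


class PinGate:
    """Fallback PIN check with a hard attempt limit (post #22's suggestion)."""

    MAX_ATTEMPTS = 3  # constructed value for the demo

    def __init__(self, pin: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.pin_hash = self._hash(pin)
        self.failures = 0

    def _hash(self, pin: str) -> bytes:
        # A 4-6 digit PIN has little entropy, so store it slow-hashed and salted.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def check(self, pin: str) -> str:
        if self.failures >= self.MAX_ATTEMPTS:
            return "locked"
        if hmac.compare_digest(self._hash(pin), self.pin_hash):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "locked" if self.failures >= self.MAX_ATTEMPTS else "retry"


def run_scenario() -> dict:
    """Enrol a phone, log in, try to replay the first proof, log in again,
    then exhaust the PIN fallback. Returns the observations for inspection."""
    server = Server()
    phone = Device("phone-1", server.enrol("phone-1"))
    initial_key = phone.key

    first_login = server.verify(phone.device_id, phone.prove(server.challenge(phone.device_id)))
    if first_login:
        phone.advance()
    # The proof from the first login is the same bytes an eavesdropper would hold.
    old_proof = hmac.new(initial_key, b"", hashlib.sha256).digest()
    server.challenge(phone.device_id)
    replay_accepted = server.verify(phone.device_id, old_proof)

    second_login = server.verify(phone.device_id, phone.prove(server.challenge(phone.device_id)))

    gate = PinGate("4821")  # constructed PIN
    pin_results = [gate.check(p) for p in ("0000", "1111", "2222", "4821")]

    return {
        "first_login": first_login,
        "key_rolled": phone.key != initial_key,
        "replay_accepted": replay_accepted,
        "second_login": second_login,
        "pin_results": pin_results,
    }


if __name__ == "__main__":
    print(run_scenario())
```

One operational caveat a practitioner would add: if the server’s success response is lost, the server has rolled its key but the device has not, and the next login fails. Real deployments either keep the previous key valid for one extra attempt or resynchronise through the registration path, which is exactly the high-risk flow the post warns about, so that path needs the strongest identity checks.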

#23

I second your thoughts on SMS as not only insecure but also a big hindrance when travelling overseas (which is one of the big selling points of the Xinja pre-paid card, right - no fx conversion fees!?).

Personally I use a password manager which can handle long passwords and 2FA just fine.

I was never a fan of those typical security questions, even the ones you set up yourself. They are a hassle and to me are the antithesis of the whole smart banking movement.

Oh, yes and I love logging into the app with my fingerprint!


#24

I wish Sysadmins would come up with a better name than “magic link”. It sounds so cheesy to me :roll_eyes:


#25

Not sure if you know but the latest generation of password managers actually handles 2FA for you - site-specific and automatically. No authenticator app needed anymore (let alone an actual hardware token)! It actually works quite well. I was impressed.
So I can see an imminent future where 2FA doesn’t get in the way anymore :sunglasses:


#26

I like 4 digit pin and biometrics. Simply simple.:slightly_smiling_face:


#27

Coming in late here but v much agree with @Cavok: [quote=“Cavok, post:12, topic:690”]
Using a software token like Google Authenticator and making it optional and alternative to texts.
[/quote]

I love my soft-token MFA and use it everywhere I can but understand it’s not for everyone. It would be great if you could offer the traditional PIN as the base level, then allow those who want higher levels of security to turn additional levels on. I would REALLY also like to be able to turn some options off at my individual account level: I regard SMS as insecure mainly due to the risk of sim-jacking (unlikely but it has happened and we’re talking about my money here!).

I’d like the ability to get my token authentication from my existing apps/devices - I already have to have three different apps and a device and would prefer not to be forced to add another.


#28

Thanks for sharing your MFA preferences @becstarr, we’re considering this option amongst other secure login options for our bank accounts launch (expected mid-year, pending receiving our full banking licence) - this is really timely! Keep your suggestions coming.
Cheers
@nanoxinja
:_ninja_emojis_turq_03::_ninja_emojis_purple_02::ninja_emojis_pink_01:


#29

I’m feeling more and more like SMS might not be such a great thing: https://www.abc.net.au/news/2019-01-07/emergency-text-service-hacked-warning-about-personal-data-sent/10688748

And there was another discussion of this in another recent article where an insecure SMS provider could be spoofed.

Just seems like SMS scamming is getting more sophisticated. :thinking:


#30

Biometric where possible.

PIN code, preferably 4 digits.
Non-birthday.
Outside of that, a PIN code and a text when the device is unregistered.

Thirdly, a magic-link email would also be great. I have enjoyed the prepaid card experience.