Two factor authentication

Ficheall · 27-05-2019 12:10pm #1

I received an email today from AIB informing me that from September, if I need to use my online banking, I will either need to install their app or dig out their poxy card reader, in the name of two-factor authentication.

I don't want an app with all my financials on my phone - I have Revolut, which is incredibly handy for foreign travel, but I don't keep a large balance therein.

I can appreciate the need for two-factor authentication with chip and pin, granted, but by and large two-factor authentication seems to be a pain - especially for online stuff. I need to receive a text message every time I log into Microsoft Outlook (a university account, I would not use it by choice). Gmail habitually sends me emails about suspicious activity when I log in from anywhere new, and has on multiple occasions locked me out of my account and forced me to change my password. Twitter sends me an email about an "unknown device" every single time I log in, no matter what I do.

I realise I am just a) lazy and b) behind the times in not wanting everything I do to be connected to my phone/facebook/google account/whathaveyou, and I fully expect that the majority may disagree with me, but I'm just wondering, to convince me of the error of my ways - can anyone give me examples of when two-factor authentication for a website has proven of benefit to them?

Skylinehead · 27-05-2019 12:13pm

Ficheall wrote: »

can anyone give me examples of when two-factor authentication for a website has proven of benefit to them?

Security is a benefit

DelBoy Trotter · 27-05-2019 12:15pm

Ficheall wrote: »

I don't want an app with all my financials on my phone

You still have to log into the app every time you open it, so it's no easier for anybody to see your bank account if they get hold of your phone

Ficheall · 27-05-2019 12:21pm

Skylinehead wrote: »

Security is a benefit

Right, but presumably if Google et al are warning me every time I try to log into my account, then they would do the same if anyone else had ever done so, right? Examples of that ilk are sort of what I was after, I think.

Ficheall · 27-05-2019 12:24pm

DelBoy Trotter wrote: »

You still have to log into the app every time you open it, so it's no easier for anybody to see your bank account if they get hold of your phone

Granted, I don't know how the AIB app will work yet, but I need a five and six digit number to log into my AIB account online, whereas I log into the Revolut app with four digits (and did not have the option to pick a longer number).

Boom_Bap · 27-05-2019 12:48pm

The app wont store anything on your phone.

rivegauche · 27-05-2019 12:59pm

I assume a banking application will allow you to see account details without 2FA but for important activities 2FA will be required like money transfer, communication with the bank, adjusting overdraft and direct debit details, etc...
At least that is what my online banking accounts allow.

daheff · 27-05-2019 1:13pm

2FA is a product of PSD2

In my experience of this with banks, essentially its like Google authenticator. You have a number generator linked to your account (kind of, but not really*). When you try to log on, you are requested to provide the number the app generates. Once that passes you get logged in. Not a big inconvenience.

*essentially the app is validating that the correct number generator is working vs what they see on their system. Once that passes then you are allowed past the gateway to your account. Personal data isnt stored on the app.

BailMeOut · 27-05-2019 1:28pm

MFA is a good thing and anywhere online that you use just a username/password that support MFA/2FA should should always enable.

Skylinehead · 27-05-2019 1:59pm

Ficheall wrote: »

Right, but presumably if Google et al are warning me every time I try to log into my account, then they would do the same if anyone else had ever done so, right? Examples of that ilk are sort of what I was after, I think.

Someone keeps trying to access my old steam account. I get the confirmation emails, always with a dodgy IP. That's a crude form of 2FA but it's still effective.

wakka12 · 27-05-2019 2:47pm

I agree and feel the same way , it is a pain. But we will utlimately be thankful whenever anybody tries to hack us and we are saved by it

BailMeOut · 27-05-2019 4:55pm

wakka12 wrote: »

I agree and feel the same way , it is a pain. But we will utlimately be thankful whenever anybody tries to hack us and we are saved by it

my front door has a yale lock and a deadbolt and it is a complete pain that I need to use two keys to open it!

Proper security whether physical or virtual requires multiple factors and this is your bank account where your hard earned money sits so any inconvenience is well worth it.

TheValeyard · 27-05-2019 5:08pm

I use two step all the time with my gaming accounts. Greatly reduces reduce the risk of your account getting hacked, banned or items stolen. I've had some of these accounts since 2004.

Harry Palmr · 27-05-2019 5:23pm

PTSB uses the Debit Card number, password and then the personal access number which is 3 random selections from 6 digits which you create when the online account is set up. Dunno about the mobile app it should be said, maybe it different.

Ficheall · 27-05-2019 5:37pm

I get the idea. I know how it works. I'm just curious as to whether anyone has experienced the 2SA preventing unauthorized access. (Skylinehead's computer game account aside.)

hots · 27-05-2019 5:43pm

Ficheall wrote: »

I get the idea. I know how it works. I'm just curious as to whether anyone has experienced the 2SA preventing unauthorized access. (Skylinehead's computer game account aside.)

Gaming is the only time I've had someone try to get into an account and fail because I had a second factor set up too.

It's a pain in the nuts and the implementations aren't great but it's better than not having it. Also it's more or less tough luck as every bank will be implementing some version of and app, card reader & text message options for the second factor.

BailMeOut · 27-05-2019 6:21pm

Ficheall wrote: »

I get the idea. I know how it works. I'm just curious as to whether anyone has experienced the 2SA preventing unauthorized access. (Skylinehead's computer game account aside.)

yes - every day I see it with Office 365 where users fall for a phishing trap and username and password are compromised however account cannot be accessed as the hacker cannot get past the MFA. I see they at least 2-3 times a week.

MFAs work and if you have anything important online you need to make sure you enable and your personal email (example GMAIL) should also mave MFA enabled. Most apps support "push" approvals so the process is really simple and quick.

Rows Grower · 27-05-2019 6:55pm

Harry Palmr wrote: »

PTSB uses the Debit Card number, password and then the personal access number which is 3 random selections from 6 digits which you create when the online account is set up. Dunno about the mobile app it should be said, maybe it different.

The most annoying thing with PTSB for me is if I am transferring money online, I go through the 3 steps you mentioned then when I'm just about to take a sip of coffee up pops a message "we have sent a verification code to your mobile which is valid for the next 5 minutes".

They don't seem aware that not everyone has mobile reception in the home. It could take me 5 minutes farting around outside in the rain ringing some number to just get mobile coverage and that's if I'm lucky.

I called into an AIB branch to enquire about opening a new business account as I heard they offer new business customers free banking for two years and when I explained my situation I was told I would be provided with a card reader for free that would eliminate the problem.

That alone has made me slowly but surely change my everyday banking to AIB.

Tombo2001 · 16-09-2019 10:53am

This thing appears to be going live.

The cynic in me says this is AIB getting lots of people to download an AIB app.

wonski · 16-09-2019 10:57am

It's the new directive that pushed all banking institution to introduce additional security features. Emails, texts or/and letters were sent well in advance to customers of all banks and credit card providers.

jester77 · 16-09-2019 11:14am

Tombo2001 wrote: »

This thing appears to be going live.

The cynic in me says this is AIB getting lots of people to download an AIB app.

It's part of PSD2, nothing to do with AIB or any other bank trying to get downloads.

This will have lots of advantages for the consumer such as better security or the ability to see all your bank accounts in a single piece of software because of the open banking project. It should make mortgage applications easier, no having to grab accounts from everywhere to show to the lender, you just grant the lender permission and they will be able to pull up all your financial details within a few seconds.

Tombo2001 · 16-09-2019 11:18am

jester77 wrote: »

It's part of PSD2, nothing to do with AIB or any other bank trying to get downloads.

This will have lots of advantages for the consumer such as better security or the ability to see all your bank accounts in a single piece of software because of the open banking project. It should make mortgage applications easier, no having to grab accounts from everywhere to show to the lender, you just grant the lender permission and they will be able to pull up all your financial details within a few seconds.

Why is it necessary to download the AIB app to set up two factor authentication?

wonski · 16-09-2019 11:31am

Tombo2001 wrote: »

Why is it necessary to download the AIB app to set up two factor authentication?

Because that's their design.

Not sure what wrong with AIB app is if you want access to your banking on the phone tbh.

Tombo2001 · 16-09-2019 11:33am

wonski wrote: »

Because that's their design.

Not sure what wrong with AIB app is if you want access to your banking on the phone tbh.

Simply - I don't want it.

Thanks, too many apps.

I have no problem with two factor authentification - but as I said, they are using this as a way to get people to download to app.

16-09-2019 11:33am

Tombo2001 wrote: »

This thing appears to be going live.

The cynic in me says this is AIB getting lots of people to download an AIB app.

Use your card reader instead of the app.

purpleisafruit · 16-09-2019 11:34am

Rows Grower wrote: »

The most annoying thing with PTSB for me is if I am transferring money online, I go through the 3 steps you mentioned then when I'm just about to take a sip of coffee up pops a message "we have sent a verification code to your mobile which is valid for the next 5 minutes".

They don't seem aware that not everyone has mobile reception in the home. It could take me 5 minutes farting around outside in the rain ringing some number to just get mobile coverage and that's if I'm lucky.

I called into an AIB branch to enquire about opening a new business account as I heard they offer new business customers free banking for two years and when I explained my situation I was told I would be provided with a card reader for free that would eliminate the problem.

That alone has made me slowly but surely change my everyday banking to AIB.

I too live in an area with little to no mobile reception. Verified by Visa and their insistence on using text messages as the 2nd factor leads me to not buy stuff online.

hots · 16-09-2019 11:35am

Tombo2001 wrote: »

Simply - I don't want it.

Thanks, too many apps.

I have no problem with two factor authentification - but as I said, they are using this as a way to get people to download to app.

What would you prefer?

Nicetrustedcup · 16-09-2019 11:53am

Have had 2fa on all my accounts since they started to turn it on.

To me one of the best things they have ever brought in. Yes it's tied to your number but it's quite handy stopping people from logging into your account.

Your never going to be 100% but as long as I am close I am happy.

In work to log into some systems I need a rsa key, 2fa and a password haha.

Then I also have a thing called a yubikey to log into other systems. Its a little key that I plug into my USB. I 1st need to enter a password then it asks me for my yubikey I press it and I am now log in.

jester77 · 16-09-2019 12:03pm

Tombo2001 wrote: »

Why is it necessary to download the AIB app to set up two factor authentication?

It shouldn't be necessary, it just needs to be a different device. I'm not familiar with AIB, they could have provided customers with a piece of hardware to do 2FA, but that costs money. Nearly everyone has a mobile and usually have it with them, so it's the obvious choice.

16-09-2019 12:13pm

jester77 wrote: »

It shouldn't be necessary, it just needs to be a different device. I'm not familiar with AIB, they could have provided customers with a piece of hardware to do 2FA, but that costs money. Nearly everyone has a mobile and usually have it with them, so it's the obvious choice.

You can use your AIB card reader instead so they did provide a device.

16-09-2019 12:27pm

My friend sent the deposit for a house to an incorrect account due to poor security on the end of the estate agent. There was someone monitoring all the emails up until the point of the transaction and sent a faked email from the estate agent with the fraudulent bank details.

Yeah so that's why.

16-09-2019 12:58pm

the trick to avoid 2FA, is to take all your money out of your account on payday and keep it under your mattress.

That's the safest way of banking, I don't care what anyone says.

(I don't actually do this. All my banking is via my ulster bank app, which I think is really good)

TheValeyard · 16-09-2019 1:07pm

Aegir wrote: »

the trick to avoid 2FA, is to take all your money out of your account on payday and keep it under your mattress.

That's the safest way of banking, I don't care what anyone says.

(I don't actually do this. All my banking is via my ulster bank app, which I think is really good)

Dont listen to this guy he is lying. The trick to leave all your money under MY mattress.

podgeandrodge · 19-09-2019 7:27pm

Tombo2001 wrote: »

Why is it necessary to download the AIB app to set up two factor authentication?

jester77 wrote: »

Nearly everyone has a mobile and usually have it with them, so it's the obvious choice.

I have 2 elderly relations, both with Android phones with operating systems a couple of generations old, and the AIB app cannot be downloaded - not compatible. The phones are only about 3 years old.

The card reader is not suitable for elderly people. So now they need to get a new phone.

If anyone knows another option let me know. But I don't understand why AIB could not have made an app that wasn't so Android version critical.

wonski · 19-09-2019 7:35pm

podgeandrodge wrote: »

I have 2 elderly relations, both with Android phones with operating systems a couple of generations old, and the AIB app cannot be downloaded - not compatible. The phones are only about 3 years old.

The card reader is not suitable for elderly people. So now they need to get a new phone.

If anyone knows another option let me know. But I don't understand why AIB could not have made an app that wasn't so Android version critical.

Card reader is more suitable than a phone in many cases. Playing the elderly card is all fine until you see many of them managing just fine.

jaxxx · 19-09-2019 7:40pm

I'm hoping that one day we get some sort of penile/vaginal verification system for this kinda thing.

Skip to 0:40:

_Kaiser_ · 19-09-2019 7:44pm

podgeandrodge wrote: »

I have 2 elderly relations, both with Android phones with operating systems a couple of generations old, and the AIB app cannot be downloaded - not compatible. The phones are only about 3 years old.

The card reader is not suitable for elderly people. So now they need to get a new phone.

If anyone knows another option let me know. But I don't understand why AIB could not have made an app that wasn't so Android version critical.

I'd guess there's 2 main reasons..

- older versions of android won't be receiving any updates and are thus more vulnerable to exploits

- it's cheaper to support 2/3 versions of it rather than 4/5

cj maxx · 19-09-2019 7:47pm

Skylinehead wrote: »

Security is a benefit

It is but I'm locked out of mine !

The J Stands for Jay · 19-09-2019 7:48pm

Ficheall wrote: »

I received an email today from AIB informing me that from September, if I need to use my online banking, I will either need to install their app or dig out their poxy card reader, in the name of two-factor authentication.

I don't want an app with all my financials on my phone - I have Revolut, which is incredibly handy for foreign travel, but I don't keep a large balance therein.

I can appreciate the need for two-factor authentication with chip and pin, granted, but by and large two-factor authentication seems to be a pain - especially for online stuff. I need to receive a text message every time I log into Microsoft Outlook (a university account, I would not use it by choice). Gmail habitually sends me emails about suspicious activity when I log in from anywhere new, and has on multiple occasions locked me out of my account and forced me to change my password. Twitter sends me an email about an "unknown device" every single time I log in, no matter what I do.

I realise I am just a) lazy and b) behind the times in not wanting everything I do to be connected to my phone/facebook/google account/whathaveyou, and I fully expect that the majority may disagree with me, but I'm just wondering, to convince me of the error of my ways - can anyone give me examples of when two-factor authentication for a website has proven of benefit to them?

All those times that russian lads bought my passwords from hacks of old sites, the 2FA kept them out and saved me the bother of having to change the passwords.

The J Stands for Jay · 19-09-2019 7:51pm

Harry Palmr wrote: »

PTSB uses the Debit Card number, password and then the personal access number which is 3 random selections from 6 digits which you create when the online account is set up. Dunno about the mobile app it should be said, maybe it different.

The PTSB way of loging in is a pain in the hole.

podgeandrodge · 19-09-2019 7:54pm

wonski wrote: »

Card reader is more suitable than a phone in many cases. Playing the elderly card is all fine until you see many of them managing just fine.

I disagree that the card reader is more suitable. They found it too difficult to read and use. But you clearly have the final say on things!

Where did I "play the elderly card" - that expression suggests I'm elderly and trying to get special treatment.

Irish Guitarist · 19-09-2019 8:16pm

Last week I tried to sign into my account on my laptop and was told to pair my phone with my account. I have no idea what that even means but I doubt the €20 phone I bought from Argos can do whatever it is. I clicked on the link offering an alternative way of signing in, entered my phone number and waited for a text. I entered the number they texted me and thought that would be the end of it. Instead they said they'd send me a letter in the next four to five days. Now I have to dig my phone out any time I want to sign into my account.

I strongly suspect they're hoping everyone who doesn't have a smartphone will buy one. Someone must be getting a kickback from Apple or Samsung.

wonski · 19-09-2019 8:22pm

Irish Guitarist wrote: »

Last week I tried to sign into my account on my laptop and was told to pair my phone with my account. I have no idea what that even means but I doubt the €20 phone I bought from Argos can do whatever it is. I clicked on the link offering an alternative way of signing in, entered my phone number and waited for a text. I entered the number they texted me and thought that would be the end of it. Instead they said they'd send me a letter in the next four to five days. Now I have to dig my phone out any time I want to sign into my account.

I strongly suspect they're hoping everyone who doesn't have a smartphone will buy one. Someone must be getting a kickback from Apple or Samsung.

Or a Huawei. Or HTC.

They all out there to get your money.

Because every bank in Ireland and Europe is now out there selling phones...

No. They just try to make sure your account is safe and it cost money.

There are few issues with that for a small number of customers, but those customers had issues or would have anyway.

Its like complaining that the TV now have a remote and some can't use it...

wonski · 19-09-2019 8:26pm

podgeandrodge wrote: »

I disagree that the card reader is more suitable. They found it too difficult to read and use. But you clearly have the final say on things!

Where did I "play the elderly card" - that expression suggests I'm elderly and trying to get special treatment.

Not really.

Elderly would need help in many areas, always.

I just can't see how card reader is any more difficult than a phone.

I am young now, late 30's, but can understand obstacles the elderly can have, but can also see how online banking of elderly person can be compromised easily these days.

TopOfTheHill · 20-09-2019 3:21pm

wonski wrote: »

Or a Huawei. Or HTC.

Its like complaining that the TV now have a remote and some can't use it...

And the remote must be kept on top of the TV ...

If I log into laptop online banking, I now need my phone beside me to 'Confirm'

nothing · 20-09-2019 4:59pm

What's supposed to happen on the phone? I tried setting it up, I try to login on my laptop, it says check phone, but nothing is happening on my phone! Is it supposed to be a text or something in the app?!

beejee · 20-09-2019 5:12pm

Strangely enough, I just had triple factor authentication installed on every jacks pot in the house.

There's buttprint analysis followed by an email sent directly to my nominated toilet guardian. Once they get the text they'll inform next of kin who will send a letter with a code to the bank to send to my phone via an app linked to my MySpace profile.

It's might be more than triple secured, but it's all worth it at end of the week when I get to use my own toilet without fear of it being hacked by cyber people

TopOfTheHill · 22-09-2019 2:18pm

nothing wrote: »

What's supposed to happen on the phone? I tried setting it up, I try to login on my laptop, it says check phone, but nothing is happening on my phone! Is it supposed to be a text or something in the app?!

You need to be logged into the app to get the confirmation request

showgirlrita · 26-09-2019 11:19am

nothing wrote: »

What's supposed to happen on the phone? I tried setting it up, I try to login on my laptop, it says check phone, but nothing is happening on my phone! Is it supposed to be a text or something in the app?!

I set up my phone for verification yesterday & tried to log in on Desktop & nothing is happening on my phone either :rolleyes:

ytpe2r5bxkn0c1 · 26-09-2019 11:39am

purpleisafruit wrote: »

I too live in an area with little to no mobile reception. Verified by Visa and their insistence on using text messages as the 2nd factor leads me to not buy stuff online.

This is our problem too. Ulster Bank insist on now sending a Text verification code - we have no mobile reception in the house.

nkl12xtw5goz70 · 26-09-2019 11:49am

Gregory Rapping Apprentice wrote: »

This is our problem too. Ulster Bank insist on now sending a Text verification code - we have no mobile reception in the house.

Text verification is widely acknowledged to be an insecure form of two-factor authentication because it's vulnerable to SIM swap attacks. A 2FA app such as Google Authenticator is more secure. Better still, a U2F key.

Two factor authentication

Comments