Investment Platform with 2 Factor Authentication

RD69

Hello MSE world.

I wonder if anyone knows of an investment platform that supports two-factor authentication (2FA)?

Described here: en.wikipedia.org/wiki/Two-factor_authentication

(Sorry, can't paste a complete link)

This should be an important consideration in choosing a platform, but various comparison pages don't mention it. Neither does it appear in any marketing blurb.

Thanks & regards
RD

Linton

None of the platforms I use (iii, BestInvest, Youinvest, Fidelity) does. Come to that, neither does my bank, except for changes in payees.

If you are only interested in mainstream dealing platforms I dont think it is a serious risk since you are restricted to dealing with a pre-registered bank account and using regulated investments - quoted shares etc.

If two factor authentication is a requirement for you I believe you will have to give up the idea of online investing.

RD69

Thanks for your post.

My view is coloured as I am a developer of secure web sites and I find the inconvenient, ramshackle of miss-applied measures used by many supposedly secure web sites to be particularly galling.

IMHO it will only be a matter of time before the FSA (or some other organisation) mandate the use of 2FA (or even Multi-Factor) for any site that claims to be secure. This is happening in the US now:

(See the Whitehouse web site press release on 2014-10-17. I'd post a link but this site prevents me.)

Imagine what you could do with access to 1000 HL accounts...

Sorry if this sounds a bit of a rant, it is not meant personally, just my bafflement at the apparent lack of secure implementations.

Ah well, thanks again for posting.

dunstonh

Imagine what you could do with access to 1000 HL accounts...

Nothing that would result in a third party obtaining funds.

Futuristic

Fidelity does have 2FA with their new login system. Every time you login from a new location/pc/browser it will send a code to your email address to enter.

Atreyu107

RD69 wrote: »

This should be an important consideration in choosing a platform, but various comparison pages don't mention it. Neither does it appear in any marketing blurb.

In your opinion.

I couldn't give two figs about 2FA for my broking and investment accounts.

As previous posts have already stated, AML procedures among the big firms are pretty tight. You are only ever able to withdraw directly to your nominated bank account, and if you want to change that, it has to be verified (either electronically or by providing bank statements etc).

I'd dust off my tin-foil hat, but I get terrible hat hair...

RD69

If there were 10,000 hacked accounts, could some price manipulation be done?

Maybe I'm being simplistic, or misunderstanding something, but if 10,000 hacked accounts start selling Pork Bellies then the price is going to change. The hacker can then benefit from that.

OK, there would be some optimal point in this. 10,000 raises alarms, but some known lower threshold could be used.

Is the point that this could not be done via platform(s)? If not, how so?

At the level of an individual, if my investments are sold as part of this hack then recovering any consequential loss is going to be a pain.

Thanks & regards

jimjames

I guess it's possible but not exactly quick unless they're paying in new money too. Stolen cards on 10,000 accounts?

Selling investments and then buying isn't instant so would probably trigger alerts well before then.

Have you actually got an account on a platform to see how they work?

RD69

Price manipulation is just one scenario. Perhaps more likely is a phishing scam: i.e. someone has your account details; phones you claiming to be from your platform provider; makes a special offer, but you have to transfer funds to a nominated account within 24 hours etc.

There are several other scenarios I could suggest, all dependent on platform account security.

Yes, I do have an existing account on a trading platform. I see how the nominated account/AML stuff works, but also how easy it may be to compromise a login.

It is my opinion that 2FA is more secure and more convenient.

The current fashion appears to be entering random characters of a password that you have to write down so that the right sequence of upper-case, lower-case and special characters is easier/possible to read. How the encryption of this kind of password works is beyond my ability to understand.

Maybe I'm over-sensitive to it, but I think we've only seen a few early examples of mass "cyber-crime". I think there is much worse to come.

And where my money is concerned, my tin-foil hat is pulled on tight.

bowlhead99

RD69 wrote: »

It is my opinion that 2FA is more secure and more convenient.

To me it can be more demonstrably more secure but cannot be more convenient if it is an extra factor that was not otherwise there and requires more than just my memory.

For example, I still have to remember a password, but the second factor may be a software token (so I can only use it when I am at my usual PC or have my mobile phone with me, depending which one of them has the software token installed)

Or it may be a physical device (so I can only use it when I have that piece of hardware, e.g. code generator with me)

Or it may be something like a proprietary card reader that has to be used in conjunction with a debit card or smartcard to generate control codes and then I have to have those two physical items with me and probably remember a pin number too, all these things together considered as the 'second factor' in addition to my lengthy and complex password which is the first factor.

So I'm not sure that you can say it is more secure and more convenient.

I guess you can say that some of the forms of multi-factor authentication are more convenient than just having yet more passwords to remember; if I have to remember one complex password plus three security questions plus have a mobile phone in my pocket, then as someone who always has his mobile phone in his pocket, it's better than having to remember two passwords plus the security questions. However it's very inconvenient if my phone battery dies or I leave it at home and then want to transact.

naedanger

bowlhead99 wrote: »

To me it can be more demonstrably more secure but cannot be more convenient if it is an extra factor that was not otherwise there and requires more than just my memory.

It can be implemented to have minimum inconvenience.

For example gmail (assuming 2FA is operational) only asks for the second factor if you are using a new pc/mobile/tablet for the first time. (So it protects against someone remotely getting access to your details, but does not give second factor protection against someone with access to your pc/mobile/tablet.)

Whereas Investec send a text message every time you try to log on. This is rather inconvenient as the text seems much longer than necessary - I would have thought 6 characters would have been sufficient for a one time code.

I would welcome the gmail implementation of 2FA on all my financial accounts. I think the slight inconvenience is well worth the extra protection. But I would be less keen on Investec's version.