Investment Platform with 2 Factor Authentication
It would be helpful if someone could explain exactly what risk with broker platforms would be mitigated by a real 2FA. One must balance that risk against the inconvenience. Passwords and pins are a real pain now with one having supposedly different ones across dozens of accounts with different companies. The thought of having to manage perhaps 10 physical electronic gizmos fills me with horror. What about if one is away from home for a while - do you need to carry them all around with you? I can't see the email based logins providing much reassurance to the paranoid - perhaps a privacy attack on an individual would start with email.
The way I think of it is that 2FA is protecting you against the risk that your normal password details, including any security questions, have somehow been compromised. (Perhaps by someone having a keystroke logger remotely installed on your pc. The extra protection with 2FA is that no matter how much the attacker is able to compromise your security pws and questions they still need access to the second factor, e.g. your physical pc or mobile phone, to get into your account.)
The second factor might be a code sent to your phone. In which case you should not need 10 devices but just 10 different people sending you codes e.g. to your mobile. But the key point is that it is access to your phone that is needed.
Some implementations of 2FA mean you only need to enter a code once on each new device (e.g. each new pc/tablet etc) if you select that option e.g. at your home pc. So if you know no-one is going to have access to your home pc you only need to enter a code once on that pc. (Which to me is more convenient than having to answer an additional security question every time I log on.)
So for my gmail account when I log on to my normal pc I type in my full password and that is all (as long ago I set up the other factor), no extra questions, or other security steps. If I go to someone else's pc I will need to have my phone with me to get the 2FA code. The risk I am being protected from is my password was compromised e.g. by being remotely hacked or because I was stupid enough to use the same pw on a number of different websites and one has been hacked.
For me it seems a good balance of security versus convenience. I prefer it to other forms of added security e.g. more added questions and it seems more secure as ultimately all security questions can be compromised remotely e.g. by software remotely installed and logging for long enough.
PS For some people the need to have your mobile phone with you to log on at a new device will be an inconvenience. For me it isn't. (For many of my other accounts it is more inconvenient and risky logging on at a new location because I would need to carry a hint list for all the various different security questions I have spread over many separate log in details.)