Security of the new AJ Bell log in


Comments

  • masonic
    masonic Posts: 26,346 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 27 April 2022 at 7:16AM
    hoc said:
    masonic said:
    A one time code is absolutely enforced the first time you log in on any device. After which, the device becomes your second factor (a fraudster would need to steal and unlock your previously authorised device to access your account without OTP, they cannot observe you logging in to one device and use that to log in elsewhere), and you can choose by modifying your login settings to enforce one time codes every time you log in on all devices. OTP SMS can be completely disabled in favour of the other OTP options. You can even choose to log in using biometrics only if you wish, meaning no password is needed at all. Wherever you sit on the convenience-security spectrum, these changes should make you happy.
    As Prism quite rightly points out, there's no more risk of your password being exposed in an AJ Bell data breach due to the need to store the actual password in their database. Use of random characters is worse than that, because the practice encourages the use of less complex passwords in the majority of people.
    I don't think any other investment platform gives this degree of control over your security. It does, however, put the onus on you to choose wisely if you want to benefit from the enhanced security, taking into consideration your behaviour and exposure to risks.
    AJ Bell's previous method did not necessarily mean passwords could not be hashed. Nor does the current method necessarily mean they are now. Unfortunately I haven't got the energy to get into this or the other academic points to debate on password security.
    You are correct, they could take all of the possible 3 character combinations and hash those instead, but it is highly unlikely they would do that. For the 18 character password mentioned a few posts above, that would be 816 hashes they would need to store. They could of course just hash a subset of those 816 and restrict themselves to asking for the smaller number of combinations. However, it is trivially easy to compute hashes for all possible 3-character combinations, so even for a properly salted hash table, it would take little effort to reverse engineer all of the relevant characters to be able to get past this part of the login process. In short, the old system was woefully insecure, whether hashing was used or not.
    The change is part of an industry wide initiative to improve security, but the only way to know for certain the change coincides with AJ Bell meeting the good security practice of hashing passwords is to ask. Of course, if they still aren't hashing passwords now that they can, and ever suffer a breach, they can and would be held fully liable by their customers for any consequential losses suffered. I'm satisfied that such a risk would cause their security people sufficient loss of sleep that they would have acted.
    If you don't want to get into a debate about the security of the new AJ Bell log in then that's fair enough, but the choice of thread title appeared to invite it. In answer to the question posed in the body of the OP, I think we can safely say AJ Bell isn't going to be making any special exceptions to the login process for individual users beyond what can be configured by all users.
    hoc said:
    As I said AJ Bell are not enforcing one time codes. They allow the user to optionally set up 2FA. It's not quite the same thing. You are correct I can disable SMS as a verification option by selecting another method like email but this activates 2FA on all devices. I don't want SMS as a verification option especially on a new untrusted device so this is good. But I don't want 2FA on a trusted device either. Many banks automatically disable SMS as an option when the customer has the mobile app and this was my expectation from AJ Bell. The additional 2FA control is great but I don't 2FA.
    This is incorrect. 2FA is enforced for all new devices by default. It is not optional, and it cannot be disabled for devices that have not previously been logged in to. Trusted devices do not require an OTP by default (because they already constitute a second factor: something you have), but it can be optionally enabled. Or are you saying that after turning off the option to use OTP "each time" you log in, you've been able to log in using a private browsing window or new device without 2FA? This would be very bad news for your account's security and potentially unintended behaviour that should be reported to AJ Bell.
    Although it's taken 3 posts, I'm glad we've finally got to the nub of the issue: you don't like 2FA. I'm afraid you are going to have to put up with it. The FCA has mandated that it must be used in its Strong Customer Authentication regulations. AJ Bell is doing what all financial services companies will have to do, but it is giving a choice over 2FA method, whereas with most other institutions it is SMS only.
    Something that might be helpful for you is that you can enable OTP for each log in, but then enable biometrics on your device. This creates an exception for password and OTP on the app in which biometrics are used (something you are replaces something you know), so you wouldn't need to enter an OTP there, but you would everywhere else, including other previously used devices. There would be no full password entry step either. There are of course drawbacks to using biometrics on a device you carry around with you (for example if you are incapacitated someone could use your finger on a fingerprint reader without your consent), but depending on your lifestyle and behaviour, that may be a tolerable risk.
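The partial-password argument in the post above (816 stored hashes for an 18-character password, and the ease of enumerating every 3-character combination), worked through as an added illustration that is not AJ Bell's code or the poster's; the hash construction, the alphabet and the sample password are assumptions:

```python
"""Model of a partial-password login ("enter characters 3, 7 and 12") that
stores one salted hash per position triple, and why that hashing adds
little protection. Added illustration, not AJ Bell's code."""
import hashlib
import hmac
import itertools
import os
import string
from math import comb

# Constructed alphabet: lowercase letters and digits (36 symbols) keep the demo
# fast; printable ASCII would be 95**3 = 857,375 candidates per hash, still trivial.
ALPHABET = string.ascii_lowercase + string.digits


def challenge_count(length):
    """Number of distinct 3-position challenges, hence hashes to store: C(n, 3)."""
    return comb(length, 3)


def hash_triple(salt, positions, chars):
    """Salted SHA-256 over the three positions and the characters at them."""
    label = ",".join(str(p) for p in positions).encode()
    return hashlib.sha256(salt + label + b":" + chars.encode()).digest()


def enrol(password):
    """Store a hash for every 3-position combination (816 entries for n=18)."""
    salt = os.urandom(16)
    table = {}
    for pos in itertools.combinations(range(len(password)), 3):
        table[pos] = hash_triple(salt, pos, "".join(password[i] for i in pos))
    return {"salt": salt, "length": len(password), "table": table}


def verify(record, positions, answer):
    """Server-side check of a login challenge for the given positions."""
    stored = record["table"].get(positions)
    if stored is None or len(answer) != 3:
        return False
    return hmac.compare_digest(stored, hash_triple(record["salt"], positions, answer))


def recover_triple(record, positions):
    """From a leaked record, recover the characters behind one stored hash by
    trying every 3-symbol candidate; the salt sits in the same record, so it
    only defeats precomputed tables, not this enumeration."""
    target = record["table"][positions]
    for cand in itertools.product(ALPHABET, repeat=3):
        chars = "".join(cand)
        if hash_triple(record["salt"], positions, chars) == target:
            return chars
    return None


def recover_password(record):
    """Recover the whole password from the disjoint triples (0,1,2), (3,4,5), ...
    (assumes a length divisible by 3); each costs at most len(ALPHABET)**3 hashes."""
    triples = [(s, s + 1, s + 2) for s in range(0, record["length"] - 2, 3)]
    return "".join(recover_triple(record, t) for t in triples)
```

Swapping SHA-256 for a slow password hash raises the per-candidate cost but not the candidate count, which is the real weakness of the scheme.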

  • As there seem to be some helpful security experts on this thread I wonder if I might extend it to ask a question about biometrics as this is increasingly being offered as an option. I always have terrible trouble with airport systems that want to scan your fingerprints, as mine don't seem to be very clear (my fingertips look pretty normal to me, but the systems don't like them). This has led to anxious long waits at immigration (usually 2am at Mumbai) while people scurry around offering advice on too dry/not dry enough/try vaseline/wipe off that vaseline etc. Sometimes they get what they need but sometimes I think they settle for an incomplete set to get rid of me. So, I'm nervous of trusting access to my AJ Bell or other accounts to these dodgy digits. How sensitive are the phone based readers. Should I just try it and see, or would this risk locking me out if my fingers were having a bad day? 
  • masonic
    masonic Posts: 26,346 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 27 April 2022 at 8:40AM
    As there seem to be some helpful security experts on this thread I wonder if I might extend it to ask a question about biometrics as this is increasingly being offered as an option. I always have terrible trouble with airport systems that want to scan your fingerprints, as mine don't seem to be very clear (my fingertips look pretty normal to me, but the systems don't like them). This has led to anxious long waits at immigration (usually 2am at Mumbai) while people scurry around offering advice on too dry/not dry enough/try vaseline/wipe off that vaseline etc. Sometimes they get what they need but sometimes I think they settle for an incomplete set to get rid of me. So, I'm nervous of trusting access to my AJ Bell or other accounts to these dodgy digits. How sensitive are the phone based readers. Should I just try it and see, or would this risk locking me out if my fingers were having a bad day? 
    The fingerprint sensor on my phone is pretty awful. I regularly have trouble with it. Apps respond differently to failed attempts, from one extreme (e.g. Halifax reverting to password based authentication after the 2nd failed attempt) to the other where you are just restricted by the 30 second lockout after 5 failed attempts and can pick password authentication or wait and try again. Most apps take the latter approach, including AJ Bell. Your experience will vary a lot depending on your device and moisture/grease levels on your hands. In the past I've had readers that have worked really well and those that have been quite poor.
    If you want to try it out, it's probably easiest to set it up as an option to unlock your phone as an alternative to a password. Test it out and you always have the option to fall back to password if struggling.
  • hoc
    hoc Posts: 585 Forumite
    Ninth Anniversary 500 Posts Name Dropper Photogenic
    masonic said:
    ...Trusted devices do not require an OTP by default (because they already constitute a second factor: something you have), but it can be optionally enabled. ...
    Although it's taken 3 posts, I'm glad we've finally got to the nub of the issue: you don't like 2FA. I'm afraid you are going to have to put up with it. The FCA has mandated that it must be used in its Strong Customer Authentication regulations. AJ Bell is doing what all financial services companies will have to do, but it is giving a choice over 2FA method, whereas with most other institutions it is SMS only.
    Something that might be helpful for you is that you can enable OTP for each log in, but then enable biometrics on your device. This creates an exception for password and OTP on the app in which biometrics are used (something you are replaces something you know), so you wouldn't need to enter an OTP there, but you would everywhere else, including other previously used devices. There would be no full password entry step either. There are of course drawbacks to using biometrics on a device you carry around with you (for example if you are incapacitated someone could use your finger on a fingerprint reader without your consent), but depending on your lifestyle and behaviour, that may be a tolerable risk.

    I don't want SMS to be an option for authentication. The only way to remove it as an option with AJ Bell seems to be to enable 2FA which is really MFA/3FA for trusted devices. This is what I'm getting at.

    To eliminate the risks from insecure SMS I have to select a different specific option like email as an additional layer for each log in. So on my "trusted" laptop/browser I am forced to put in my password and also the email code each time. So there's really no difference between my trusted device and any other.

    The registration of my laptop/browser as a trusted device with a one time additional method meets the SCA requirement. That's the whole point of registering a device as trusted. I think you understand this so I don't see why you're not following the previous point on issue and outcome.

    Removing SMS as an option for customers who have registered a mobile app is becoming common practice.

    The biometric option may help some unfortunately it is not relevant to me.



  • masonic
    masonic Posts: 26,346 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 28 April 2022 at 8:10AM
    hoc said:
    masonic said:
    ...Trusted devices do not require an OTP by default (because they already constitute a second factor: something you have), but it can be optionally enabled. ...
    Although it's taken 3 posts, I'm glad we've finally got to the nub of the issue: you don't like 2FA. I'm afraid you are going to have to put up with it. The FCA has mandated that it must be used in its Strong Customer Authentication regulations. AJ Bell is doing what all financial services companies will have to do, but it is giving a choice over 2FA method, whereas with most other institutions it is SMS only.
    Something that might be helpful for you is that you can enable OTP for each log in, but then enable biometrics on your device. This creates an exception for password and OTP on the app in which biometrics are used (something you are replaces something you know), so you wouldn't need to enter an OTP there, but you would everywhere else, including other previously used devices. There would be no full password entry step either. There are of course drawbacks to using biometrics on a device you carry around with you (for example if you are incapacitated someone could use your finger on a fingerprint reader without your consent), but depending on your lifestyle and behaviour, that may be a tolerable risk.

    I don't want SMS to be an option for authentication. The only way to remove it as an option with AJ Bell seems to be to enable 2FA which is really MFA/3FA for trusted devices. This is what I'm getting at.
    To eliminate the risks from insecure SMS I have to select a different specific option like email as an additional layer for each log in. So on my "trusted" laptop/browser I am forced to put in my password and also the email code each time. So there's really no difference between my trusted device and any other.
    Ok, I think I understand what you are getting at now. You'll have to forgive me for not homing in on the point sooner, but several disparate issues were mentioned at the start of the discussion and it wasn't clear to me exactly what you were advocating AJ Bell should do.
    If I'm now understanding correctly, you want to be able to disable the possibility of using SMS for a new device, and instead be offered only email, and without turning on MFA for trusted devices. My recollection is that the FCA suggests the choice of SMS and email for SCA when logging in for the first time, and strongly encourages that the user should be presented with a choice of more than one option (including one that doesn't rely on a mobile phone). It does not, as far as I'm aware, specify that SMS must be given as an option, and in some cases financial institutions do not offer it as an option.
    One thing you could explore is asking AJ Bell to remove your mobile number from the "Mobile number" field of your user profile. This should prevent them being able to send SMS messages to you entirely. It could potentially remain in the "Contact number" field, allowing them to phone you if there were a need to do so. I don't know for sure if this would work, but it might.
    hoc said:
    The registration of my laptop/browser as a trusted device with a one time additional method meets the SCA requirement. That's the whole point of registering a device as trusted. I think you understand this so I don't see why you're not following the previous point on issue and outcome.
    There is no way to assert positively that a device is trusted using the AJ Bell logon process, AJ Bell doesn't provide a checkbox to indicate you are logging in from a shared device. I am probably being slightly misleading by using the term "trusted" when it is an assumption rather than an assertion. However, you are correct that there is no requirement in SCA to use MFA every time such a device connects, just for the first time and then periodically thereafter.
    hoc said:
    Removing SMS as an option for customers who have registered a mobile app is becoming common practice.
    Can you give an example of this please? All of the financial institutions I use that have SMS-based 2FA have continued to offer SMS 2FA as an option even after I have set up their app on my phone. For example, interactive investor, Coop bank, Chase bank, Tandem bank, and Paypal offer SMS as the only 2FA option at first log in and continue to ask me for SMS-based OTP when I log in for the first time or some time since the last time it was required (when the cookie expires). The large banking groups such as HSBC and Lloyds use their own methods of mandated 2FA (secure key, automated phone call), regardless of whether a mobile app is registered.
    HSBC group have the digital secure key technology, which is equivalent to the external authenticator app offered by AJ Bell, and when this is used it must be used for each log in. The advantage there is that it is contained within the same app rather than an external app, so the process of logging in on the app is seamless, with no manual entry of OTP required. The disadvantage is that the authenticator app and banking app cannot be separated and installed on different devices.
    Lloyds group automated phone calls to a mobile are just as weak as SMS to a mobile for the same reason, and if they have your mobile number (for example to authorise card transactions) it will be offered as an option for the automated phone call.
    I don't see any good reason why for any of these companies the customer cannot configure their account to just use email authentication (if offered) from now on, or just offer my landline number for automated phone calls from now on, but perhaps I am missing something in the regulations, or perhaps there simply aren't enough customers for whom this is an important issue.
  • theJudge
    theJudge Posts: 61 Forumite
    Part of the Furniture 10 Posts Combo Breaker
    YouInvest's login is now so tight that I cannot login at all :)

    After entering my username & password, I'm given the option of either authenticating via:

    1. text (tells me that I cannot as they don't have a mobile number for the account)
    2. email (tells me that I cannot as they don't have a mobile number for the account)
    3. authenticator app (tells me I cannot because you need to login using email or text the 1st time).