It is possible to just log in with email and a six-digit code at the web interface.
Please allow us to configure longer passwords for the web interface. Or PGP keys that we have to upload in order to log in.
Or just disable it on demand:
https://together.bunq.com/d/15629-bunq-web-disable-enable-on-demand
@Heiko-Hartwig#106245 But I want to use the interface
@Arcardy#106240 an attacker needs both access to your email and your 6-digit code. Not impossible but pretty secure. Some banks only need a username and password. But I agree: a configurable toggle in the App would be a welcome addition.
@Arjan#106267 But what if they just ddos bunq with all possible 6-digit codes?
Your security was our 1st priority building bunq Web. To log in you either authenticate right from the mobile bunq app (QR scan) OR through a double verification where you first confirm your email address and (only after a successful verification) you're asked for your 6-digit login code to log in.
Once logged in we apply very strict limits to requiring further authentication (e.g. confirming a payment in the bunq app if it exceeds a certain amount).
@Pain-blue-quokka#106285 How high is that amount, then?
It would be awesome if one could set this amount oneself.
@Flo1979#106308
Once you have authenticated at a certain level our system will remember this on your current session for a little time (up to 15 minutes). We will consider your suggestion to allow setting a custom limit for this right from the app for additional security 🙂 Thanks!
@Arcardy#106269 That’s called brute forcing. Assumption is the mother of all f-ups, but I do assume bunq kept that in mind when designing the security features of the web interface.
@LH-Black-Wolf#106353 Yeah, correct, no way to brute force the 6-digit login code thanks to both the email verification as well as strict rate limiting
Email and 6-digit code is really not secure! Friends and partners might know it, and how many people use birthdates for this PIN?
2FA would be awesome for web login! With TOTP (time-based one-time passwords) and tools like Enpass or 1Password it is really simple and easy to use. (Implementation of TOTP for web login by web developers is easy, too.)
@VanDaGrant#106556 That means you still need your phone, or your friends or partners may need your TOTP key (ok, you could back it up too) if you lose your phone. In this way they need your email cracked and a 6-digit PIN code, that is quite something. But you know, "quite something" is not very measurable, so we should leave the strength guesses/calculations to an expert, and I'm guessing bunq thought/computed this through.
What would be nice is some kind of notification in the app upon suspicious activity or a login (as an event), Google does this too, as does bittrex for example.
@Freek#106565 You‘re right, the others must have access to your mail account to be able to log in to the web interface, so just knowing the email and the 6-digit PIN is not enough. Maybe TOTP is already a useful extension because you don‘t need your phone and you‘re not depending on receiving the 2FA mail from bunq.
The best security is of course not to allow any access... But many bunqers wished for a fallback when their phone got somehow unavailable, for instance to block their cards.
Any access method has its flaws and we can all find better methods that provide more security. The problem however is that most of these methods may be more secure, but are less user friendly. Those who know these methods are more likely to be advanced users and thus will manage to use these more secure methods. As a large part of the users are on a more elementary level, they will have problems using these more advanced methods. In fact, they won't be able to use them at all and thus have no access. The feature would be useless as most users will not be able to use it. The problem is that most untrustworthy people are advanced users and would be the only ones to obtain access, which you of course would not want either.
So we could all come up with more advanced security, but have to bear in mind that access has to be user friendly to all users. I think bunq did a great job: the easy way is of course the QR code, the fallback is a 'magic link' to the email which has its own security (the email client), with a one-off link (which I guess has a time out) and the 6-digit code (which I presume is only active during the time out of the magic link). Brute force attacks will be blocked by a limited amount of attempts.
So to gain access via email I would have to have access to the email, have to know whether there is a magic link active and would have to know the code... I could of course create a magic link when I have the email credentials, but I would still have to know the code. When others know this code, it's a security breach of its own, and a PEBCAK issue; the same goes for easy-to-guess codes such as birthdates.
Engineers cannot work around PEBCAK, as it either makes the solution not user friendly, or the solution has flaws due to PEBCAK.
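The flow described by bunq above (email confirmation first, then the 6-digit code, with authentication remembered for up to 15 minutes) and the one-off, time-limited link plus attempt cap guessed at in the previous post, modelled as a small server-side state machine. This is an added example, not bunq's code; the link lifetime, attempt cap, plaintext code store and fake clock are constructed assumptions for the demo.

```python
import hmac
import secrets
import time

LINK_TTL = 600          # assumed: magic link lives 10 minutes (constructed value)
MAX_CODE_ATTEMPTS = 5   # assumed: lock the link after five wrong 6-digit codes
STEP_UP_TTL = 15 * 60   # "up to 15 minutes", as stated in the thread


class WebLogin:
    """Toy model of email-link + 6-digit-code login with step-up memory (constructed)."""

    def __init__(self, users, now=time.time):
        self.users = users      # email -> 6-digit code (toy; a real system stores a hash)
        self.now = now          # injectable clock so expiry can be tested offline
        self.pending = {}       # link token -> [email, expiry, failed attempts]
        self.sessions = {}      # session id -> (email, time of last full authentication)

    def request_link(self, email):
        """Step 1: issue a one-off, time-limited token that is only ever sent to the mailbox."""
        if email not in self.users:
            return None         # unknown account: nothing to send
        token = secrets.token_urlsafe(32)
        self.pending[token] = [email, self.now() + LINK_TTL, 0]
        return token

    def submit_code(self, token, code):
        """Step 2: the code is accepted only while the link is live and under the attempt cap."""
        entry = self.pending.get(token)
        if entry is None:
            return None
        email, expiry, attempts = entry
        if self.now() > expiry or attempts >= MAX_CODE_ATTEMPTS:
            del self.pending[token]     # expired or locked: the link is burned
            return None
        if not hmac.compare_digest(code, self.users[email]):
            entry[2] += 1               # failures are counted per link, bounding guesses
            return None
        del self.pending[token]         # one-off link: consumed on success
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (email, self.now())
        return sid

    def step_up_ok(self, sid):
        """Sensitive action: the recent full authentication is honoured only within STEP_UP_TTL."""
        entry = self.sessions.get(sid)
        return entry is not None and self.now() - entry[1] <= STEP_UP_TTL
```

After the 15-minute window `step_up_ok` returns False, which is where a real deployment would push the confirmation to the mobile app instead of the web session.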
The email / PIN sounds pretty secure to me. For payments I still need to confirm using my phone. I think this separation is perfect: simple actions like freezing a card can be done with a "simple" login, while impactful operations require verification in the app. 🙂
I presume the email address(es) are restricted to those that are set in my profile (on phone). Correct?
Can I limit the addresses to be available for bunq web access?
@Theodorus-Orange-Zebra#107306 obviously you can only log in using email addresses known to bunq via your profile. (You can use those also to log in on the mobile app, after all.) There’s no way to specify which email addresses can and cannot be used for the web application. 🙂