bunq Together

2FA (authenticator app)

New-Bronze-Camel-487879361

Voor een online bank is het wel raar dat je niet 2FA via een authenticator (Google, lastpass etc) kunt instellen. SMS authenticatie en fingerprint is minder veilig. Een OTP via een authenticator app is echt veiliger. Dit is algemeen bekend daarom snap ik niet dat het er niet is?

thijsoost

Alex SMS wordt niet gebruikt bij bunq, vingerafdruk kan je uitzetten als je liever een 6 cijferige beveiligingscode wilt gebruiken.

Maar 2FA zou inderdaad een mooie toevoeging zijn! Al moet iemand al door twee beveiligingslagen heen (beveiliging telefoon + beveiliging bunq app) om toegang te krijgen.

sotirios-Black-Moose

Hey there, Alex 👋
Thank you for sharing your suggestion regarding 2FA (Two-Factor Authentication) via an authenticator app. We appreciate your concern for security, and we value your input in making bunq even better.

Rest assured, we're committed to continuously improving our services, and your suggestions contribute to that goal. Let's gauge the interest of other bunq users to see if they also appreciate it! 🙌

Joeri-Silver-Lynx

Hey Alex,

OTP codes are based on a shared secret and require manual steps of entering them with time pressure. (Imagine all types of users.)

The latter will be a problem for non techies who aren’t as quick as techies are, needing to start over.

Secondly, the shared nature means that whatever tool or system you save the OTP generator, this tool determines if it can be duplicated. Some allow for copying of the shared secret. So it is not an absolute bond between you and your bank. (The latest example showcasing risk is Google Auth’s app pushing an update that after years introduces sync without encrypting the data.)

At the moment (₂₀₂₃-07) bunq’s 2FA is the record-a-video-of-your-face-rotate-and-say-a-number-oud-loud process.

Not sure if this can be called 2FA but it very strong because it is human-identity based and a very guided process.

That being said, beyond OTP, more modern forms of MFA would be interesting like WebAuthN for those who want it.

This includes FIDO2 security keys as well as Passkeys. The first might require a PIN, the latter doesn’t and is Passwordless, relying on Touch ID, Face ID or similar device-local authentication to access the Passkey.

Would this cover your wish as additional factor?

New-Chestnut-Whale-2403004226

Alex ik zou ook graag zien dat 2FA met een authenticator app (Google) mogelijk is bij Bunq.

beekie

een sms code zou een goeie extra beveiliging linie zijn
ik gebruik zelf mijn vingerafdruk om de app te openen en werk zeer goed
maar het werkt eigenlijk iets TE goed na mijn idee.

zo heb ik vorige maand best veel spaargeld over geschreven naar rasain om het vervolgens 6 maand
in de depositorekening vast te zetten tegen een veel betere rente percentage ( maar dat is een hele andere discussie ) en na dat ik de app geopend had was en hopa in een paar seconde weg. natuurlijk deed ik het zelf
maar het zou goed zijn als hier een extra laag aan beveiliging bij kwam . wand het ging iets TE makkelijk.

thijsoost

marcel SMS is zeker geen goede toevoeging! SMS is zeer onveilig en kan zeer gemakkelijk worden misbruikt door mensen met slechte bedoelingen...

New-Ivory-Baboon-278987501

Regardless of the method used (SMS or authenticator app), enabling 2FA at least for the savings accounts would be a much valued improvement, especially since it would enable savers to have the bunq app (or run the bunq website) on one device while receiving a 2FA code on another. At the moment, once a single device is authenticated, it is possible to make a transfer to any IBAN using the passcode alone, i.e. anyone who gains access to an authenticated device and the passcode can empty the account.

New-Lime-Deer-2077408340

I'm a new member, I just opend a savings account. But I won't deposit most of my savings in it, as long as Bunq doesn't enable 2FA! It's astonishing and almost absurd that an online bank (or ANY bank) doesn't enable 2FA these days. Please give us the 2FA option, Bunq!!

Alexia-Hummingbird

Martina Thank you all for the suggestions 🙌 We understand your concern for security and we will pass them on to our product team and they'll further research the impact of such an addition. In the meantime, rest assured, your savings are already extremely safe with bunq. You can learn more about how we keep your account safe here: https://www.bunq.com/legal/secure-banking 📚

Joeri-Silver-Lynx

Martina your words suggest bunq does not have 2FA, but they do; the record-selfie-video-authentication as additional factor.
If you want to express wanting a third factor, which one would you prefer? When?

Secondly, and this is a question for all: What could be the recovery method for when OTP app/generator is lost or inaccessible? (@Alex)

Or when a synced Passkey is lost/inaccessible?
Or when a device-bound Passkey lost? (On phone / computer)
Or a Security Key is lost? (Device-bound Passkey on usb-stick size hardware.)

Personally, if I prefer not to fall-back on backup codes for banking.
I would suggest multiple recovery paths and let users choose. (Guide them.)

Examples:

TimeDelay with Trusted contact (like Apple also uses).
I guess the selfie-video-authentication could also be a fallback if the options mentioned above are an alternative path to it.
If you allow your users to hardlock it to several Passkeys (so it works in sequence to the current authentication), the recovery method if all of them become inaccessible for some reason, could be to authenticate by transferring by 1 cent from another bank account. (_iDIN) This unfortunately does not cover everybody.
Not sure if allowed, but DigiD?
…?…

If you have any suggestions, share. This topic’s feature (request) is not simple when you get into it. 😅

P.s. If you want to support a feature, also mention your reason why, it might help designers/developers.

Jiopot

Joeri I guess, eID cards could also fullfill the role of the second factor. If lost, one gets a replacement from the government rather fast.

thijsoost

Sergio Probably not all countries have eID cards(?). Plus, supporting them all would be very difficult for bunq I guess

Jiopot

Thijs Could you give an example which country where bunq is operating does not issue an eID-enabled ID card to their residents?

Jiopot

Thijs I'm not too deep in the topic, but maybe eIDAS could come handy here somehow, that's EU wide I believe.

Johannes-Aquamarine-Owl-3464147496

Sergio I received an email to switch on 2FA in my Bunq-account, or elsewhere my bunq account would be closed. Email is sent from @web-bunqbericht.com.
Feels like not correct...do you agree ?

Jiopot

thijsoost

John Lipman It's phishing, ignore and delete it!

Alexia-Hummingbird

Hey John! We appreciate the heads-up 🙏 The email you got isn't from us and might be an attempt at phishing. To ensure your security, avoid scanning the QR code or following any links it contains.

Can you help us delve deeper into this by reporting the email at: https://www.bunq.com/report 📢?

berzan

I would really love to have this. There is no downsides to implementing it when it is made optional. So please bunq team, add this feature! I would keep more of my money with bunq if this feature existe.