• Ideas
  • 2FA (authenticator app)

For an online bank it is odd that you cannot set up 2FA via an authenticator (Google, LastPass etc.). SMS authentication and fingerprint are less secure. An OTP via an authenticator app is really more secure. This is common knowledge, so I don't understand why it isn't there?

    @New-Bronze-Camel-487879361#279900 SMS is not used at bunq; you can turn off fingerprint if you would rather use a 6-digit security code.

    But 2FA would indeed be a nice addition! Although someone already has to get through two security layers (phone security + bunq app security) to gain access.

      Hey there, @New-Bronze-Camel-487879361#279900 👋
      Thank you for sharing your suggestion regarding 2FA (Two-Factor Authentication) via an authenticator app. We appreciate your concern for security, and we value your input in making bunq even better.

      Rest assured, we're committed to continuously improving our services, and your suggestions contribute to that goal. Let's gauge the interest of other bunq users to see if they also appreciate it! 🙌

        Hey @New-Bronze-Camel-487879361#279900,

        OTP codes are based on a shared secret and require manual steps of entering them under time pressure. (Imagine all types of users.)

        The latter will be a problem for non-techies who aren't as quick as techies are, needing to start over.

        Secondly, the shared nature means that whatever tool or system you save the OTP generator in, this tool determines whether it can be duplicated. Some allow for copying of the shared secret. So it is not an absolute bond between you and your bank. (The latest example showcasing the risk is Google Auth's app pushing an update that, after years, introduces sync without encrypting the data.)

        At the moment (2023-07) bunq's 2FA is the record-a-video-of-your-face-rotate-and-say-a-number-out-loud process.

        Not sure if this can be called 2FA, but it is very strong because it is human-identity based and a very guided process.

        That being said, beyond OTP, more modern forms of MFA would be interesting like WebAuthN for those who want it.

        This includes FIDO2 security keys as well as Passkeys. The first might require a PIN, the latter doesnโ€™t and is Passwordless, relying on Touch ID, Face ID or similar device-local authentication to access the Passkey.

        Would this cover your wish as additional factor?

          An SMS code would be a good extra line of security.
          I myself use my fingerprint to open the app and it works very well,
          but it actually works a bit TOO well in my opinion.

          Last month, for example, I transferred quite a lot of savings to rasain in order to lock it in a deposit account for 6 months
          at a much better interest rate (but that is a whole other discussion), and after I had opened the app it was, hop, gone in a few seconds. Of course I did it myself,
          but it would be good if an extra layer of security were added here, because it went a bit TOO easily.

            @beekie#279949 SMS is definitely not a good addition! SMS is very insecure and can very easily be abused by people with bad intentions...

              6 days later

              Regardless of the method used (SMS or authenticator app), enabling 2FA at least for the savings accounts would be a much valued improvement, especially since it would enable savers to have the bunq app (or run the bunq website) on one device while receiving a 2FA code on another. At the moment, once a single device is authenticated, it is possible to make a transfer to any IBAN using the passcode alone, i.e. anyone who gains access to an authenticated device and the passcode can empty the account.

                20 days later

                I'm a new member, I just opened a savings account. But I won't deposit most of my savings in it as long as Bunq doesn't enable 2FA! It's astonishing and almost absurd that an online bank (or ANY bank) doesn't enable 2FA these days. Please give us the 2FA option, Bunq!!

                  @New-Lime-Deer-2077408340#281281 Thank you all for the suggestions 🙌 We understand your concern for security and we will pass them on to our product team and they'll further research the impact of such an addition. In the meantime, rest assured, your savings are already extremely safe with bunq. You can learn more about how we keep your account safe here: https://www.bunq.com/legal/secure-banking 📚

                    @New-Lime-Deer-2077408340#281281 your words suggest bunq does not have 2FA, but they do; the record-selfie-video-authentication as additional factor.
                    If you want to express wanting a third factor, which one would you prefer? When?

                    Secondly, and this is a question for all: What could be the recovery method for when OTP app/generator is lost or inaccessible? (@New-Bronze-Camel-487879361)

                    Or when a synced Passkey is lost/inaccessible?
                    Or when a device-bound Passkey lost? (On phone / computer)
                    Or a Security Key is lost? (Device-bound Passkey on usb-stick size hardware.)

                    Personally, I would prefer not to fall back on backup codes for banking.
                    I would suggest multiple recovery paths and let users choose. (Guide them.)

                    Examples:

                    • TimeDelay with Trusted contact (like Apple also uses).
                    • I guess the selfie-video-authentication could also be a fallback if the options mentioned above are an alternative path to it.
                    • If you allow your users to hardlock it to several Passkeys (so it works in sequence to the current authentication), the recovery method if all of them become inaccessible for some reason, could be to authenticate by transferring by 1 cent from another bank account. (iDIN) This unfortunately does not cover everybody.
                    • Not sure if allowed, but DigiD?
                    • …?…

                    If you have any suggestions, share. This topic's feature (request) is not simple when you get into it. 😅

                    P.s. If you want to support a feature, also mention your reason why, it might help designers/developers.

                      @Joeri-Silver-Lynx#281362 I guess eID cards could also fulfil the role of the second factor. If lost, one gets a replacement from the government rather fast.

                        @Jiopot#281383 Probably not all countries have eID cards(?). Plus, supporting them all would be very difficult for bunq I guess

                          @thijsoost#281389 Could you give an example which country where bunq is operating does not issue an eID-enabled ID card to their residents?

                            @thijsoost#281389 I'm not too deep in the topic, but maybe eIDAS could come handy here somehow, that's EU wide I believe.

                              24 days later

                              @Jiopot#281428 I received an email telling me to switch on 2FA in my Bunq account, or else my bunq account would be closed. The email is sent from @web-bunqbericht.com.
                              Feels like it's not correct... do you agree?

                                @Johannes-Aquamarine-Owl-3464147496#283414 It's phishing, ignore and delete it!

                                  I would really love to have this. There are no downsides to implementing it when it is made optional. So please bunq team, add this feature! I would keep more of my money with bunq if this feature existed.