Egregious Missing Feature Request: Multi-factor Authentication (MFA)

It is 2018, why don't you support MFA?

50replies Oldest first
  • Oldest first
  • Newest first
  • Active threads
  • Popular
  • I second that opinion!

    Reply Like 1
  • Hi Navy Blue Sander !

    Are you referring to MFA in order to link your bank accounts? That should be in place depending on the bank. Or are you referring to MFA for the mobile app? Right now, there isn't an option to set a passcode, but it's in the works! :)

    Reply Like
    • Faness at YNAB was referring to your app. 

      When we're sharing our bank login information with you (and any 3rd parties of yours, like Finicity and MX), it would go a long way to know that you guys are following best practices when it comes to authentication.  I work in information security and like everyone should be, I am very cautious about sharing important financial login information with anyone.

      At a minimum, even if you don't have MFA for your customers, I hope YNAB staff require 2FA/MFA for all administrative duties.  I'd hate for one of your folks to get phished, resulting in our money flying away. 💸

      Reply Like 2
    • Navy Blue Sander I can confirm that MFA is required for YNAB administrative accounts - those funds are staying put if we have anything to do with it. :)

      As for the app, we're working on the passcode feature to up security. I want to assure you that MX and Finicity aren't able to make changes to your actual bank accounts. Even if someone was to access your YNAB account, they'd know your account balances (as portrayed in YNAB) but account numbers and other sensitive information isn't accessible through our Direct Import partners. The only way this information could be seen, is  if a user chooses to write it into the notes section, which we Strongly advise against.

      Here are some highlights from our security policy:

      - All connections are encrypted and data is encrypted at rest.
       - We underwent a security audit and a database audit from one of the top consulting firms. This is done on an annual basis. 
       - Our password policy does not allow the top 1,000 passwords. By not allowing common passwords, we prevent customers from putting themselves at risk. 
       - To that end, we don’t store passwords. We do mathematical stuff to customer passwords so if the passwords do ever fall into the wrong hands, they still aren’t decipherable. 
       - We’re built on the same infrastructure as the CIA’s internal cloud service.

      We know more security is never a bad thing and the passcode feature is meant for just that! I'll let our development team know you're eargerly awaiting its implementation. :)

      Reply Like 2
  • *cough* yubikey support *cough*

    Reply Like 3
  • Yes, a "passcode" would be a step in the right direction.  But without any details, the word "passcode" is just that, not a real MFA solution. 

    The response about a passcode "it's in the works!" was posted 5 months ago.  In the modern age of CI/CD, the fact that you haven't produced an initial passcode solution is concerning.  As in very concerning

    I would like to also encourage you to research providing support for a Yubi Key solution.  As a side note, Google now requires all of their employees to use a MFA key solution, very similar to Yubi Key.  And your developers can find all that they need to know here:

    https://developers.yubico.com/

    Additional features around important security practices should really be at the top of your development list.

    Thanks for your consideration.

    Reply Like
    • Hi Magenta Mermaid !

      Thank you for posting that information! Would you mind submitting it via Feature Request? That form goes directly to our development team for future consideration. :)

      Reply Like
  • This response shows a ridiculous lack of concern for customer's welfare.  When the inevitable hack comes and everyone's personal financial information is released, then it will all of the sudden become important.  Meanwhile, no new meaningful features in years.  Where are our annual fees going?

    Reply Like
    • Hi Tomato Camera !

      One of the reasons we use a third-party direct import partner, is to add an extra layer of security. Your financial information (account numbers, routing numbers, etc.), is not stored in the app. Even if our systems were to be hacked, though we take a number of precautions to prevent that, that personal information would not be available. 

      However, a passcode option for the mobile app is still in our plans for the future! :)

      Reply Like 2
    • Faness How does the manner in which YNAB internally connects with bank accounts relate in any way to the concerns raised here?  How can you seriously say, after all this, that "Personal information would not be available"?  And to suggest that a passcode somehow addresses the concerns raised by so many here shows a complete lack of understanding of the security issues being raised.  I am beginning to lose any hope that YNAB takes security seriously.

      Reply Like
  • Thank you, Since Jessie and your developers and support people say they use YNAB and they seem to be very intelligent people using YNAB is low risk if you follow all their instructions and don’t put your actual account numbers or bank particulars anywhere in your budget(s).

    Reply Like 2
  • Still amazingly tone-deaf.  I am not talking about importing data or my bank account numbers.

    The budget data itself is incredibly sensitive personal data, including all transactions that have been imported for every credit card purchase and bank transaction.  This is protected *only* by a simple password.  This is NOT SAFE. 

    As the OP suggested, this is completely unacceptable and irresponsible in today's day and age.   Every other financial site has MFA through either a phone text verification code, google authentication, or something similar.

    YNAB used to be a desktop app.   YNAB forced our data into the cloud so they could collect a monthly subscription fee, then completely failed to protect our data in the cloud.  

    As you can see, they still don't even acknowledge that there is a problem.

    Reply Like
      • Herman
      • herman
      • 3 mths ago
      • Reported - view

      Tomato Camera  Excluding account number, user id, password, help me understand what transaction/budget data could possibly be used for?  I don't see the risk and would like to be educated. 

      Reply Like
      • a_different_joel
      • Helping people stay on YNAB4
      • A_different_joel
      • 3 mths ago
      • Reported - view

      Herman There's probably GPS information.  If you have a need for someone specific to not know where you live, and they were able to gain access to your budget, they could know where you've been or where you frequently purchase items and potentially show up there un-wanted.

      If you have personal information about medications, doctors, insurance etc in the memos or notes, this could also be taken advantage of. 

      Sure... suggesting everyone who uses the app to 'dont put sensitive info in your budget' just doesn't seem like a great way to go.

      (I am not a nYNAB user for other reasons, I would still use it without 2FA)

      Reply Like
      • Herman
      • herman
      • 3 mths ago
      • Reported - view

      a_different_joel That seems like a stretch to me but ok. I don't care about 2FA but I'll give it a 'slightly' elevated risk level based on that.

      Reply Like
      • a_different_joel
      • Helping people stay on YNAB4
      • A_different_joel
      • 3 mths ago
      • Reported - view

      Herman Same here.  Definitely a stretch.  I think they should do it just for the optics.  A “financial” (...budget) app without 2FA just appears lacking...  a missing checkbox on a feature list is all.

      Reply Like
      • Herman
      • herman
      • 3 mths ago
      • 1
      • Reported - view

      a_different_joel You may have hit on one of the reasons I'm indifferent,  I don't really consider a  budget app a financial app.  I agree with you on the optics.  I suppose all my ynab 4 data sitting on dropbox was a risk too.

      Reply Like 1
      • Brad Hull
      • Since YNAB Pro
      • sinceYNABPRO
      • 3 mths ago
      • Reported - view

      Herman 

      For sure that YNAB4 is a lot more vulnerable to hacking than the web YNAB version . 

      Reply Like
  • Herman  Imported transaction data contains lots of neat things like: where your kids go to school, where they go to daycare and camp, what kind of car you drive, the names of the doctors and hospitals you visit, who your insurance company is, names of the financial institutions that you have accounts with, where you were every day for the last few years, where you like to shop and eat (and when), how much you paid in taxes, how much money you make each month, all of your favorite charities, who is your mortgage provider and payment. where and when you like to take vacations, to name just a few.

    If you think there's no risk, would you  consider scanning in all of your financial statements for the last 3 years, and post them here (after scratching out your account number)?  Probably not a good idea.

    Reply Like
      • Herman
      • herman
      • 3 mths ago
      • Reported - view

      Tomato Camera although not all that information is there, I'll assume it is and still ask, what is someone going to do with that?  

      Reply Like
    • Herman  First, which of the things that I mentioned would not be contained in someone’s imported transaction data, if they used a credit or debit card to pay for it?   

      Reply Like
      • Herman
      • herman
      • 3 mths ago
      • Reported - view

      Tomato Camera  How much you pay in taxes is not reflected anywhere but as I said I'll assume it is all there, what is someone going to do with it?

      Reply Like
    • Herman  Wrong.  I, like many, budget for taxes.  There is no need for assumptions.  Any other items in my list incorrect?  

      Reply Like
      • jenmas
      • jenmas
      • 3 mths ago
      • Reported - view

      Tomato Camera Whoa.  Herman is genuinely asking you a question on how Personally Identifiable Information can be used in a negative way. Many people don't understand the full risks that PII can pose and are under the impression that as long as SSN and account numbers are protected, so are they. Maybe cut the guy a break?

      Reply Like
      • Herman
      • herman
      • 3 mths ago
      • Reported - view

      Tomato Camera  If you can't or don't want to answer my question just say so

      Reply Like
      • Herman
      • herman
      • 3 mths ago
      • Reported - view

      Tomato Camera  Not to mention budgeting for taxes is not the same as importing tax data from your financial accounts, unless of course you don't have taxes withheld from your pay.  But I digress.  I will stipulate that all that data you listed is available in "your" budget.    Please answer my question or end this discussion.

      Reply Like
    • jenmas It seems that Herman is being disingenuous with his question, given the original tone and continued dismissal of the underlying assumptions.

      Nonetheless, one simple answer is identity theft.  Of course, there are also the infinite other possibilities in the criminal mind, that I won't presume to understand.  Herman seems very capable of googling terms like PII, cybersecurity, and other terms mentioned here to get answers he would trust more than mine.

      Reply Like
      • Herman
      • herman
      • 3 mths ago
      • Reported - view

      Tomato Camera actually my question was genuine and you chose to instead tell me what data was in the records.  Identity theft is certainly the logical assumption but I see very little risk of this data being used for identity theft.  I would love some specific examples of how.  I could see some social engineering use., possibly to help guess the answers to security questions but I thought maybe someone so adamant would have more specific ideas.  I did not dismiss the underlying assumptions, I indicated that not ALL that information is there in my opinion.  My "attitude" changed the minute you decided to aggressively challenge me without answering what should be a pretty straight forward question for someone so adamant that ynabs security policy shows a complete lack of concern for customers welfare.  

      Reply Like
  • Ahhh, it was as exactly I expected: a disingenuous question from a well-informed person, that  already knew the answer and had a solidly formed opinion.  This was very clear from the tone of your original question - as you were not really asking "to be educated".   All of the information I mentioned has a very good possibility of being in many peoples accounts - and I didn't even scratch the surface as you are well aware.

    Herman If you remain so confident in the lack of risk, why haven't you scanned in your bank/credit card statements from the last three years and posted them here (scratching out the account numbers, names and addresses).  Or simply export your budget and all transactions from YNAB to excel and post here.  What could anyone possibly do with it?

    I suspect that you are well aware of the risks, and won't post your data, but are choosing to play down the risks in defense of YNAB. 

    It is a shame that YNAB also plays down the risks.   If MFA isn't important, then their internal security protocols are not important.   It's the same attitude that so many companies have until there is a hack or data theft and everyone's very personal data is released.  Then all of the sudden we will hear things like "We take security very seriously at YNAB and will take all appropriate steps to ensure that this does not happen again".  Responsible companies do the right thing before it happens.

    Reply Like 1
      • Herman
      • herman
      • 3 mths ago
      • Reported - view

      Tomato Camera  Again, i have thoughts which i shared  but was hoping for more concrete examples as I am admittedly not that well informed.  I've tried to consider ways this data could be used and came up with a few low risk options (IMHO) and I wrongly assumed that those putting this out there as a massive security failure on ynab's part would have more ideas. 

      Honestly I don't understand your insistence that i scan data to "prove" my lack of concern for the risk from not having MFA. I'd much rather you explain to me what i'm missing in the risk department and then i can join the call for ynab to improve their security.    I suspect maybe you aren't that well educated on the topic and that is why you refuse to have a discussion about the real risks and continue to fall back on attacking me.  

      Reply Like
    • Tomato Camera  "It is a shame that YNAB also plays down the risks.   If MFA isn't important, then their internal security protocols are not important.   It's the same attitude that so many companies have until there is a hack or data theft and everyone's very personal data is released.  Then all of the sudden we will hear things like "We take security very seriously at YNAB and will take all appropriate steps to ensure that this does not happen again".  Responsible companies do the right thing before it happens." Well said.  

      Faness While we appreciate the step in the right direction with the app passcode, it is 1). Overdue 2). Not enough. As a YNAB customer, the security of our data should be at the top of the list. Speaking for myself YNAB is a very excellent product for doing what it intended to do. However, several folks in this thread have responded in favor of improved security. Would you please take this observation to the developers, and even Jesse, to get more weight behind it. 

      Herman I hope you come to understand the importance of MFA at some point if you have not already Google'd it.  This thread was more for security enthusiasts to voice their concern about a missing essential security feature and less about explaining its relevance. You should definitely keep researching MFA and information security, however, the YNAB forum probably is not the best place for that.

      @ Everyone At this point, I am going to unfollow this thread, have some scotch, submit MFA support via Feature Request and hope YNAB does right by us before a competent competitor shows its head with better security posturing. 

      Reply Like 1
      • Herman
      • herman
      • 3 mths ago
      • Reported - view

      Ivory Motherboard (b85dd6bb939c) another person that won't explain why it is so important in context of the data that ynab contains.  Thanks, google is no help there.  

      Reply Like
  • I also agree that the information in YNAB is confidential, above and beyond the banking integration credentials.

    Optional MFA would be one great way to alleviate a lot of concerns.

    First big reason: identity fraud

    • When I phone my bank's customer support, they verify my identity with a set of questions. The answers to some of the questions can be guessed from the data in my YNAB. For example, the bank asks "name two account types that you have with us", and your YNAB accounts may be named after their bank account products.
    • If you are the victim of identity fraud, your YNAB budget may reveal the existence of investments that the fraudster may not have been aware of before. Now those can become targets of fraudulent withdrawal transactions made in your name.

    Second big reason: privacy

    • Most your coworkers and bosses are pro-choice, but you donate to a pro-life charity. Or the other way around.
    • You're a paid subscriber of the "Seattle Antifa" or "Proud Boys Texas" or "The Swinging Life" or "Traditionalist Marriage" podcasts.
    • Consultations at urology clinics. Fertility treatments. Porn. Other transactions that may be embarrassing  if they leaked out.

    Third big reason: peace of mind

    • Since YNAB's data lives in the general vicinity of your finances, there's always going to be some concern. Without MFA, you have to think really hard whether there's something you overlooked that a criminal could misuse, and you'll always worry that you overlooked something, since you're not a security professional.
    • I'd rather have MFA and realise I don't need it, than not have it and realise too late I needed it.

    Herman , does this answer your question?

    Reply Like 1
      • Herman
      • herman
      • 3 mths ago
      • Reported - view

      Pieter Nagel yes, thank you,  those are good points.

      Reply Like
  • I can't second this strong enough! To everybody who has posted here: please send your 2FA/MFA requests to the proper ynab channel. This needs to happen asap. https://docs.google.com/forms/d/e/1FAIpQLSfNVCZCXFaokj9PjsnKXDau5-F2-cu-rdK9AgrBkdAa_xgjww/viewform

    Reply Like 1
  • shukhov I am afraid that it is hopeless.  Done that before.  When YNABs best response in this thread brags that "Our password policy does not allow the top 1,000 passwords." is a serious modern security policy and an app passcode is a solution, it's clear that they don't appreciate scope of the problem.  I've been requesting this feature since they forced us into the cloud (and started charging recurring fees).  They just do't get it.  It's a decent product, and I've given them all the leeway I can, but sad that they just want to collect the fees without investing in the product.  Will cancel and  start fresh in 2019 with something else.

    Reply Like 1
  • Hey everyone!

    I wanted to leave a quick link to our What’s Up Next page. If you take a look, you'll see that passcode authentication is now on the roster and coming soon! :)

    Reply Like
      • ebeth81
      • ebeth81
      • 12 days ago
      • Reported - view

      Faness It does not appear that this MFA which is what the original poster was asking about.  If it is MFA then possibly the whats up next page should receive an update to the description.

      Reply Like
    • Hi ebeth81 !

      It is not. It's passcode authentication, which will allow requiring pin entry before accessing the account. It's an added step of security that I thought users in this thread would like to know about. :)

      Reply Like
    • I am stunned that, after reading all of the details above, that YNAB would be proud to announce this Passcode nothingburger of a solution.  It ranks just higher than their proud announcement above that their security policy will not allow us to use "password" (one of the top 1,000 passwords) as a password.  Woohoo. Move on.  YNAB is clearly not concerned with security.

      Reply Like
  • If "passcode authentication" means that our YNAB accounts will now have both a PIN and a password, I have to give it a vehement thumbs down.

    For security-savvy users, there is no benefit to requiring a 5 digit PIN alongside your password that you don't get by just making your password a few characters longer. And security savvy users tend to user better passwords anyway, since they tend to be more likely have the infrastructure in place to manage their passwords better.

    For security naive users, adding a PIN is just a BDSM way to force them to use stronger passwords. But since these users tend to struggle with passwords more anyway, they'll just end up using 12345 as PIN, and the whole exercise is now of dubious value but definite annoyance.

    Reply Like 1
    • Pieter Nagel I freely admit I am assuming here but i don't think they mean you will have a oassword and a code to login, rather when you login to the mobile app you can lock it with a pin code so you can secure your account without re-entering your password, which is of limited use and had nothing to do with the requested multi factor authentication but i can see how the two could be confused by ynab's support staff.

       

      That said there is something to the idea that mfa might be overkill for ynab because unless u put sensitive info in notes it's pretty mundane stuff, if you really care how much i spent on groceries enough to hack my 20 character randomly generated password then by all means ill just tell you. Does that mean ynab should ignore supporting it, no but it will be a lower priority because ynab isn't trying to secure state secrets or anything of serious value.   And to say that it is an egregious meaning feature imho id just click bait and yes i fell for it

      Reply Like
    • Coral Battery 

      See my comment above as to why financial data in YNAB can be more sensitive than one would think.

      In a world where MasterCard, VISA, Paypal and Stripe are increasingly forcing companies to stop doing business with people whose politics they don't like , these concerns are just more urgent.

      As to protecting YNAB mobile with a pin, that's what the screen lock is for. I don't see any value. I hope the feature will be optional.

      Reply Like 1
    • Pieter Nagel if someone can call your bank and access your money simply by knowing what type of accounts then your issue should be with your bank not ynab.

      And as far as embarrassing transactions you choose what you name your payees if you're that concerned.

      Reply Like
      • Brad Hull
      • Since YNAB Pro
      • sinceYNABPRO
      • 10 days ago
      • Reported - view

      Coral Battery

       Well said. YNAB in its existing design cannot create any transaction in any financial institution. YNAB has instructed users to NOT include any reference to the bank name, route numbers or account numbers any place  in any of your budgets.

      Reply Like
    • The concern is not that the information inside a YNAB budget will give hackers direct access to make financial transactions.

      The information in a YNAB budget can often contribute part of the information needed for identity theft, which when combined with information gleaned from elsewhere can indirectly lead to unauthorised transactions.

       

      For example, no one can impersonate me in a phone call to my bank just by knowing what type of accounts I have. But if in addition they also know a previous address or two, my current and previous employer, which trusts (if any) I have registered, and which properties I own, then they have a good shot at passing the random question security check.

      Further, I am not concerned that anyone will specifically target me personally and spend time to hack just my YNAB account. That's not how online fraud happens in most cases.

      Instead, if YNAB gets breached, then every YNAB users' password will effectively get posted on the black market. An enterprising hacker will realise they can use that to trawl the YNAB API, yielding a nice huge dataset they can again sell on the black market for money or fame. Another hacker will realise they can correlate that with other other information on the black market, and then find a few hundred people for whom they now have sufficient information to attempt identity theft.

      With MFA done right, that breach is now mitigated because they will need to steal my cellphone too before they can get at my data.

      Reply Like 2
    • Brad Hull .  As you say "YNAB has instructed users to NOT include any reference to the bank name, route numbers or account numbers any place  in any of your budgets." ... Agreed - they could not make a clearer statement or admission that we should have ZERO expectation that any information in YNAB is secured. 

      Reply Like
    • Pieter Nagel as you pointed our quite correctly the chances of your account being targeting is not likely,  if they're is a breach in ynab it won't come at the individual user level it will be a mass breach either of ynabs staff administrative access or directly into their database at which point it wouldn't even matter if you personally have mfa enabled because ynabs system at that level they will have every user's data regardless of your individual account settings so your best defense is awareness of what you put in ynab and not putting anything too sensitive like your ssn.

      That said if you really want to push ynab to secure their system they need well done client side data encryption that they don't have any way to decrypt but imo that's overkill for the data ynab has on MOST users,  though I concede that some user may or in super private info but that's not ynabs phone so it's really not their job to take the extrondonary efforts to secure that kind of data.

      Sounds like your bank might be your real security issue if they're security questions can be answered that easily.  You should really talk to them a lot their security procedures and see what you can do on their end,  maybe try to get them to invent a security question you the user can choose and stop a secure passphrase for your answer to that.

      And most importantly stop account activity alerts and if anything fraudulent does occur report it to your bank immediately.

      Reply Like
  • Faness by "passcode authentication" does YNAB mean a passcode for the phone app or the web app?

    Reply Like
      • Herman
      • herman
      • 11 days ago
      • 1
      • Reported - view

      GlossyGot The link she shared indicates it is for the mobile app.

      Reply Like 1
Like7 Follow
  • Status Answered
  • 7 Likes
  • 8 days agoLast active
  • 50Replies
  • 2300Views
  • 17 Following