Egregious Missing Feature Request: Multi-factor Authentication (MFA)
It is 2018, why don't you support MFA?
Yes, a "passcode" would be a step in the right direction. But without any details, the word "passcode" is just that, not a real MFA solution.
The response about a passcode "it's in the works!" was posted 5 months ago. In the modern age of CI/CD, the fact that you haven't produced an initial passcode solution is concerning. As in very concerning.
I would like to also encourage you to research providing support for a YubiKey solution. As a side note, Google now requires all of their employees to use an MFA key solution, very similar to YubiKey. And your developers can find all that they need to know here:
Additional features around important security practices should really be at the top of your development list.
Thanks for your consideration.
Still amazingly tone-deaf. I am not talking about importing data or my bank account numbers.
The budget data itself is incredibly sensitive personal data, including all transactions that have been imported for every credit card purchase and bank transaction. This is protected *only* by a simple password. This is NOT SAFE.
As the OP suggested, this is completely unacceptable and irresponsible in today's day and age. Every other financial site has MFA through either a phone text verification code, Google authentication, or something similar.
YNAB used to be a desktop app. YNAB forced our data into the cloud so they could collect a monthly subscription fee, then completely failed to protect our data in the cloud.
As you can see, they still don't even acknowledge that there is a problem.
Herman Imported transaction data contains lots of neat things like: where your kids go to school, where they go to daycare and camp, what kind of car you drive, the names of the doctors and hospitals you visit, who your insurance company is, names of the financial institutions that you have accounts with, where you were every day for the last few years, where you like to shop and eat (and when), how much you paid in taxes, how much money you make each month, all of your favorite charities, who is your mortgage provider and payment, where and when you like to take vacations, to name just a few.
If you think there's no risk, would you consider scanning in all of your financial statements for the last 3 years, and post them here (after scratching out your account number)? Probably not a good idea.
Ahhh, it was exactly as I expected: a disingenuous question from a well-informed person, that already knew the answer and had a solidly formed opinion. This was very clear from the tone of your original question - as you were not really asking "to be educated". All of the information I mentioned has a very good possibility of being in many people's accounts - and I didn't even scratch the surface as you are well aware.
Herman If you remain so confident in the lack of risk, why haven't you scanned in your bank/credit card statements from the last three years and posted them here (scratching out the account numbers, names and addresses). Or simply export your budget and all transactions from YNAB to Excel and post here. What could anyone possibly do with it?
I suspect that you are well aware of the risks, and won't post your data, but are choosing to play down the risks in defense of YNAB.
It is a shame that YNAB also plays down the risks. If MFA isn't important, then their internal security protocols are not important. It's the same attitude that so many companies have until there is a hack or data theft and everyone's very personal data is released. Then all of a sudden we will hear things like "We take security very seriously at YNAB and will take all appropriate steps to ensure that this does not happen again". Responsible companies do the right thing before it happens.
I also agree that the information in YNAB is confidential, above and beyond the banking integration credentials.
Optional MFA would be one great way to alleviate a lot of concerns.
First big reason: identity fraud
- When I phone my bank's customer support, they verify my identity with a set of questions. The answers to some of the questions can be guessed from the data in my YNAB. For example, the bank asks "name two account types that you have with us", and your YNAB accounts may be named after their bank account products.
- If you are the victim of identity fraud, your YNAB budget may reveal the existence of investments that the fraudster may not have been aware of before. Now those can become targets of fraudulent withdrawal transactions made in your name.
Second big reason: privacy
- Most of your coworkers and bosses are pro-choice, but you donate to a pro-life charity. Or the other way around.
- You're a paid subscriber of the "Seattle Antifa" or "Proud Boys Texas" or "The Swinging Life" or "Traditionalist Marriage" podcasts.
- Consultations at urology clinics. Fertility treatments. Porn. Other transactions that may be embarrassing if they leaked out.
Third big reason: peace of mind
- Since YNAB's data lives in the general vicinity of your finances, there's always going to be some concern. Without MFA, you have to think really hard whether there's something you overlooked that a criminal could misuse, and you'll always worry that you overlooked something, since you're not a security professional.
- I'd rather have MFA and realise I don't need it, than not have it and realise too late I needed it.
Herman, does this answer your question?
I can't second this strongly enough! To everybody who has posted here: please send your 2FA/MFA requests to the proper YNAB channel. This needs to happen asap. https://docs.google.com/forms/d/e/1FAIpQLSfNVCZCXFaokj9PjsnKXDau5-F2-cu-rdK9AgrBkdAa_xgjww/viewform
shukhov I am afraid that it is hopeless. Done that before. When YNAB's best response in this thread brags that "Our password policy does not allow the top 1,000 passwords." is a serious modern security policy and an app passcode is a solution, it's clear that they don't appreciate the scope of the problem. I've been requesting this feature since they forced us into the cloud (and started charging recurring fees). They just don't get it. It's a decent product, and I've given them all the leeway I can, but sad that they just want to collect the fees without investing in the product. Will cancel and start fresh in 2019 with something else.
If "passcode authentication" means that our YNAB accounts will now have both a PIN and a password, I have to give it a vehement thumbs down.
For security-savvy users, there is no benefit to requiring a 5 digit PIN alongside your password that you don't get by just making your password a few characters longer. And security-savvy users tend to use better passwords anyway, since they tend to be more likely to have the infrastructure in place to manage their passwords better.
For security-naive users, adding a PIN is just a BDSM way to force them to use stronger passwords. But since these users tend to struggle with passwords more anyway, they'll just end up using 12345 as PIN, and the whole exercise is now of dubious value but definite annoyance.
I have used YNAB for a couple of years now but just became aware of the increasing threats to our online presence. I have purchased YubiKeys for both my wife and me to protect our most sensitive data. I would really like it if YNAB can support 2FA (YubiKey support would be preferred) really soon. At this time, I am re-evaluating all of my software choices based upon their security and YNAB is currently lacking. I appreciate it on so many other levels, but this can't be ignored in today's environment.
I just finished reading through this thread, and wow - there's a lot of passion around the desire to have MFA :-) I'm an IT professional, and I've watched in amazement at the number of data breaches that have occurred over the last few years. Hackers have demonstrated one thing very clearly: if they want to execute a data breach, they can, and they will. Successfully. The probability that it's just a matter of time before a data breach occurs is why there are many on this thread who are frustrated with the perceived apathy on YNAB's part. The emphasis on perceived is because we don't really know what goes on behind the scenes, right?
That said, I have a few observations:
1) From what I've read, implementing MFA from a development standpoint can be really expensive. Like - REALLY expensive. Executing that would possibly result in a price increase. I don't want that.
2) As an interim step, YNAB could consider implementing Data Loss Prevention (DLP) protocols that would detect data that "looks" like sensitive info and prevent it from remaining in the notes field for each account.
3) Several people on this thread feel that YNAB is expensive, and that's a valid opinion. However, in comparison to some competing products that I won't mention here, I think that dollar for dollar the value of YNAB is really good. That's a biased opinion, mind you. I'm a bit of a YNAB fanboy.
4) I did a cursory review of a few other cloud-based budget solutions. Does it seem that they don't employ MFA either?
Too much heat and too little light. I think the discussion is going around in circles because we keep conflating separate issues:
1) Is the data inside YNAB sensitive enough to warrant protection?
2) Will MFA actually provide that extra protection or not?
3) If so, is the added security sufficient enough to warrant YNAB spending resources to develop it?
As far as I am concerned, number 1 is unequivocally true. Number 3 is up to Jesse and his company. But there is scope for reasonable people to disagree regarding point 2.
Whether or not MFA adds security depends on how it is implemented. MFA is indeed, as others have pointed out, not a magic "make stuff secure" wand. Done wrong, it will not help. But done right, it can help greatly.
For example, if YNAB budget data is actually encrypted at rest on YNAB's servers, and if MFA is implemented in such a way that the extra factors needed to log in also form part of the encryption key(s), then MFA will greatly increase security. Hackers could get in to YNAB's servers, and still not read your data without having access to your cellphone or your YubiKey as well. (It is simply not true, as some claim on this thread, that if hackers get in to YNAB's servers, everything is lost).
There is tremendous pressure on companies all over the world to implement encryption of their data at rest, driven by regulations like the EU's GDPR and the general trend of other countries enacting copycat regulations. The GDPR does not specifically say "thou shalt encrypt sensitive data at rest", but legal opinions tend to agree that encryption at rest is industry best practice, and if you don't do that, you'll have a hard time in court convincing the judge that you took "adequate measures" to protect sensitive personal information.
The other way MFA can protect you is in situations like a public wifi hotspot. MFA (done right) will ring-fence the potential damage there, because whatever damage a hacker can do in that situation, at least they cannot gain future access to your YNAB without also being in possession of your cellphone/YubiKey (or whatever second factor(s) YNAB chooses to implement).
Maybe it's because I am a baby boomer and a little old fashioned, but this is a non-issue for me. I love YNAB, but would never trust my details to go anywhere unencrypted. As a result I have my YNAB set up with unlinked accounts. I do manual imports when I want to reconcile to my bank account. The data inside of my YNAB budget is very anonymized and honestly, if someone hacked my account, I doubt they would even be able to determine my name. None of my budget accounts contain any account information, user names or passwords. I keep all of that type of detail in an encrypted KeePass file. Heck even my account names in my budget are fairly generic like "checking", "savings", "401K", etc. I really don't have to worry too much about YNAB security as a result, and I lose nothing in the process except automatic importing of transactions. But the CPA in me is not comfortable with that anyway. I like to tick and tie to the bank statement. And because I reconcile every couple of days, the effort is not huge. YMMV but this works for me.