Any chance of two factor authentication coming soon?

I know it's been asked for a few times, but two factor authentication (2FA) is the only thing stopping me from even trialing YNAB (which I really want to, from all the reviews I've read about it).  At this point, anything that touches my finances or other PII has to have 2FA enabled.  If it doesn't, I basically shut it down / stop using it.  All my credit cards, banks, email, social media, health, etc. have some form of 2FA enabled at this point.

2FA isn't a guarantee of absolute security, but it's definitely been shown to slow attackers down.  I realize that it's probably not a "simple" feature request and probably has far-reaching implications on how your site functions.  However, if this isn't on your roadmap I'd really strongly encourage it.  I'd be willing to bet there is a non-trivial number of like-minded folks out there who are being held from trying YNAB due to this requirement.  I also think it isn't a bad idea to inject a little security best practices in with the financial best practices you're already imparting to people.

Thanks!

https://twofactorauth.org/

https://securityintelligence.com/why-you-should-drop-everything-and-enable-two-factor-authentication-immediately/

29 replies
  • Hi Orange Packet!

    Thanks for taking the time to share how important this feature is to you! :)

    I'm happy to report Two Factor Authentication is on our road map! It has been for a while and we had to figure out the details of what kind of authentication step we wanted to enable. The current plan is to bring a passcode feature to the mobile app, however, I can't currently offer a time frame for when that will be available.

    Stay tuned to the Release Notes and you can also sign up for the Weekly Roundup. We will be announcing its arrival loud and clear in both spots! :)

  • A passcode for the "mobile app" is good, and I assume we're talking iOS/Android, but that is access which already requires access to a physical device and a credential to unlock it. What is more urgent in my opinion is 2FA for the web-based service which can be accessed from anywhere with a simple credential.

    • Up The Creek +1. Also an email when a new login is detected from a foreign IP. Both TFA and this email are standard on most services now. Google Authenticator should be sufficient, or a text message with a one time code.

    • Hi Slate Gray Transistor!

      Would you mind submitting this through a Feature Request? That'll put it on our development team's radar! :)

  • The two-factor authentication is yet to come because the application needs to manage all the parameters of the two-factor authentication. Quickbooks support still does not have two-factor authentication.

  • 2FA is negligible at best given that the mobile app doesn't even support a PIN code, much less Touch/Face ID or Android fingerprint. I found out that wasn't an option after starting my trial, and honestly I might not renew it given that my choices are 1. Have all my financial information easily accessed via my phone or 2. Not have my budget information easily accessible on my phone, which should not be an option in 2018.

    • Hi Gold Case!

      Sorry for the inconvenience here! If you log out of the mobile app when you aren't using it, that will password protect your budget - as you'd need to log back in in order to access it (we actually mention logging out after each budgeting session in our Terms of Service).

      If you have a moment, you can submit a Feature Request to let our development team know you'd like to see this option! :)

  • Thank you for your consideration of implementing 2 factor authentication in YNAB. I think it really is a key feature for internet security for all users. Let's not forget that in YNAB we have not only very detailed financial private data, but also references to the bank accounts we all are using and maybe also some indication to the identities we use there.

    Still, I do have a problem with the idea that YNAB 2FA might (only?) rely on a push notification to the app on the mobile device. On one hand, this would by definition leave the mobile app unprotected by 2FA (okay, one might argue that the web application might be more under attack); it is also a less convenient way for those users who already do use 2FA seriously with many services. For people like me, who use TOTP standardized 2FA with a hardware token like the Yubikey, a solution that would only allow 2FA to be used via its own app is certainly an inconvenience. Not only this, but also those who want to use a TOTP based setup with a good password manager could not use 2FA to their full potential.

    Also, no 2FA is as easy as using a U2F token such as the Yubikey for 2FA!

    Also, it might not be important for many users, but in some cases I like not to be dependent on my mobile device to be able to do some stuff regarding my finances. While it is not often, there are cases where I have network access with my laptop, but not with my smartphone. Especially when travelling abroad and not having wifi but only cable internet. This is often also a problem when having a text message sent to your mobile is the only possibility for 2FA with a service. Yes, this might be a rare occasion, but there are ways around this when using TOTP standardized 2FA.

    So, please, sure, use your mobile app for easy 2FA for those who want an easy solution, but please also provide a TOTP based QR code option for us who have already established 2FA with many other services. U2F would also be a great addition!

    • Hi Patrick H!

      Thank you for taking the time to share your opinion on this issue! It's great that you feel so strongly about this and we appreciate you explaining your view! Would you mind submitting this via Feature Request? That form goes directly to our development team and I think that information is best in their hands! :)

      • Patrick H
      • Aquamarine_Jackal_eac0b
      • 4 mths ago

      Faness Thank you! I now took my time and wrote the feature request.

    • I came here to make this same basic point. It's important to me that the 2FA not be done via the YNAB mobile app, and instead be able to use a Yubikey or even a service like Authy or Google Authenticator.

  • I also am very leery of YNAB security. That is why I don't want to link my accounts.  I have fingerprint identification for many of my apps on my phone and they don't have my bank information in them.  I second the idea of 2FA and I will also put in a feature request for that.  Many applications will let you opt in or out depending on personal preference.

    Let us know, as soon as the security is beefed up, I bet you will get many more customers. 

    • Orange Mainframe Thank you for taking the time to submit that Feature Request! We have a number of features in store and we hope you'll like them! :)

      Just in case you haven't seen it, you may find our security policy reassuring. 

    • Faness yes I have reviewed the security policy and the type of encryption used. Please put security at the top of the requests. I really really like ynab and I think it is revolutionary for people's finances. I cannot put my accounts and information at risk.

  • TOTP (and maybe U2F) is a must for a financial account. Furthermore, TouchID/FaceID is also needed for the iOS app.

  • I've done a huge amount of work importing my information and took it for granted that this site had the same level of security as almost every other financial product.  They now have all my accounts and anyone who hacks my email now has all my information.  This is very bad.  More importantly, how do we know this product and its developers are around for the long haul?  This topic has gone on for a very long time and it is almost 2019...

    • Hi Cyphire!

      I wanted to leave a quick link to our Feature Request for your feedback. :)

      Also, a link to our security page. Security is a top priority for us and a passcode option for the mobile app is on our to-do list. I assure you, we plan to stick around for the long haul!

  • Cyphire I hear you.  Make sure to voice your concerns via the app (i.e. they don't check the forum here for customer input).

      • Cyphire
      • cyphire
      • 2 mths ago

      Is true, but since everything else is locked down with 2 factor, google authenticate, it makes me nervous...

      • Cyphire
      • cyphire
      • 2 mths ago

      shukhov I will thanks... I haven't even installed the app yet, doing everything in the browser...

      • GlossyGot
      • glossygot
      • 2 mths ago

      Cyphire you can also use the web to do this, fyi

  • It's not quite so bad... If your YNAB account was compromised, they wouldn't have access to your bank credentials, but they could view your bank transactions. Not great, but they wouldn't be able to login to your banks or initiate any transactions.

  • Hey everyone!

    I wanted to leave a quick link to our What’s Up Next page. If you take a look, you'll see that passcode authentication is now on the roster and coming soon! :)

    • Faness Nice, passcode is a good step forward. Will you then start to implement a real two-factor authentication for your entire ecosystem (web and app)?

    • Green Jackal Thanks for that feedback! That's not on the roadmap yet, but we won't ever stop improving YNAB! Would you mind submitting your idea via the Feature Request Form? From there it's collected in a database, and just about every day, our Design Team combs through them all!

  • Other YNAB-like products consider web app 2FA and/or MFA essential. "Safety/security first" is a motto found in all kinds of industries. The following is a link to Mint's web page regarding this topic. Their approach represents what I would consider the bare minimum but would be leaps-and-bounds better than what YNAB today offers in terms of user login security. https://help.mint.com/Login-and-Multi-Factor-Authentication/888972681/What-is-multi-factor-authentication-in-Mint.htm

  • I too am eagerly awaiting true 2FA or MFA. I submitted a feature request back when I began my trial with YNAB. A passcode on the mobile app is a helpful feature, but I will never link financial account information without 2FA established. While any additional security on the mobile app is helpful, today's age of data breaches demands a higher level of security, particularly when the user base is craving it.

    • Navy Blue Router You don't need two factor authentication.  Even if you do link your accounts ynab can see transactions not account numbers and ynab cannot initiate any transactions (besides on your payment card you used to buy ynab), even your banking username and password isn't stored by ynab but by their third party provider and it can only be changed not read. Thus ynab will have no more information for an attacker about you if you link your account besides they could see which bank holds your account.

      Secondly there really is minimal risk for most people of having your ynab account targeted, a good strong password should be more than sufficient given what ynab stores. 

  • TOTP (Time-based One-Time Password) please! It's an open standard and way more secure than SMS!
