Any chance of two factor authentication coming soon?

I know it's been asked for a few times, but two factor authentication (2FA) is the only thing stopping me from even trialing YNAB (which I really want to, from all the reviews I've read about it). At this point, anything that touches my finances or other PII has to have 2FA enabled. If it doesn't, I basically shut it down / stop using it. All my credit cards, banks, email, social media, health, etc. have some form of 2FA enabled at this point.

2FA isn't a guarantee of absolute security, but it's definitely been shown to slow attackers down. I realize that it's probably not a "simple" feature request and probably has far reaching implications on how your site functions. However, if this isn't on your roadmap I'd really strongly encourage it. I'd be willing to bet there is a non-trivial number of like-minded folks out there who are being held back from trying YNAB due to this requirement. I also think it isn't a bad idea to inject a little security best practices in with the financial best practices you're already imparting to people.

Thanks!

https://twofactorauth.org/

https://securityintelligence.com/why-you-should-drop-everything-and-enable-two-factor-authentication-immediately/

52 replies
  • Hi Orange Packet!

    Thanks for taking the time to share how important this feature is to you! :)

    I'm happy to report Two Factor Authentication is on our road map! It has been for a while and we had to figure out the details of what kind of authentication step we wanted to enable. The current plan is to bring a passcode feature to the mobile app, however, I can't currently offer a time frame for when that will be available.

    Stay tuned to the Release Notes and you can also sign up for the Weekly Roundup. We will be announcing its arrival loud and clear in both spots! :)

    Reply Like 2
  • A passcode for the "mobile app" is good, and I assume we're talking iOS/Android, but that is access which already requires access to a physical device and a credential to unlock it. What is more urgent in my opinion is 2FA for the web based service which can be accessed from anywhere with a simple credential.

    Reply Like 6
    • Up The Creek +1. Also an email when a new login is detected from a foreign IP. Both TFA and this email are standard on most services now. Google Authenticator should be sufficient, or a text message with a one time code.

      Reply Like 2
    • Hi Slate Gray Transistor!

      Would you mind submitting this through a Feature Request? That'll put it on our development team's radar! :)

      Reply Like
  • The two-factor authentication is yet to come because the application needs to manage all the parameters of the two-factor authentication. QuickBooks support still does not have two-factor authentication either.

    Reply Like 1
  • 2FA is negligible at best given that the mobile app doesn't even support a pin code, much less Touch/Face ID or Android fingerprint. I found out that wasn't an option after starting my trial, and honestly I might not renew it given that my choices are 1. Have all my financial information easily accessed via my phone or 2. Not have my budget information easily accessible on my phone, which should not be an option in 2018.

    Reply Like 1
    • Hi Gold Case!

      Sorry for the inconvenience here! If you log out of the mobile app when you aren't using it, that will password protect your budget - as you'd need to log back in in order to access it (we actually mention logging out after each budgeting session in our Terms of Service).

      If you have a moment, you can submit a Feature Request to let our development team know you'd like to see this option! :)

      Reply Like
  • Thank you for your consideration of implementing 2 factor authentication in YNAB. I think it really is a key feature for internet security for all users. Let's not forget that in YNAB we have not only very detailed financial private data, but also references to the bank accounts we all are using and maybe also some indication of the identities we use there.

    Still, I do have a problem with the idea that YNAB 2FA might (only?) rely on a push notification to the app on the mobile device. On one hand, this would by definition leave the mobile app unprotected by 2FA (okay, one might argue that the web application might be more under attack); it is also a less convenient way for those users who already do use 2FA seriously with many services. For people like me, who use TOTP standardized 2FA with a hardware token like the Yubikey, a solution that would only allow 2FA to be used via its own app is certainly an inconvenience. Not only this, but also those who want to use a TOTP based setup with a good password manager could not use 2FA to their full potential.

    Also, no 2FA is as easy as using a U2F token such as the Yubikey for 2FA!

    Also, it might not be important for many users, but in some cases I like not to be dependent on my mobile device to be able to do some stuff regarding my finances. While it is not often, there are cases where I have network access with my laptop, but not with my smartphone. Especially when travelling abroad and not having wifi but only cable internet. This is often also a problem when having a text message sent to your mobile is the only possibility for 2FA with a service. Yes, this might be a rare occasion, but there are ways around this when using TOTP standardized 2FA.

    So, please, sure, use your mobile app for easy 2FA for those who want an easy solution, but please also provide a TOTP based QR code option for us who have already established 2FA with many other services. U2F would also be a great addition!

    Reply Like 3
    • Hi Patrick H!

      Thank you for taking the time to share your opinion on this issue! It's great that you feel so strongly about this and we appreciate you explaining your view! Would you mind submitting this via Feature Request? That form goes directly to our development team and I think that information is best in their hands! :)

      Reply Like
      • Patrick H (Aquamarine_Jackal_eac0b), 1 yr ago

      Faness Thank you! I now took my time and wrote the feature request.

      Reply Like 1
    • I came here to make this same basic point. It's important to me that the 2FA not be done via the YNAB mobile app, and instead be able to use a Yubikey or even a service like Authy or Google Authenticator.

      Reply Like 1
  • I also am very leery of YNAB security. That is why I don't want to link my accounts. I have fingerprint identification for many of my apps on my phone and they don't have my bank information in them. I second the idea of 2FA and I will also put in a feature request for that. Many applications will let you opt in or out depending on personal preference.

    Let us know, as soon as the security is beefed up, I bet you will get many more customers. 

    Reply Like 1
    • Orange Mainframe Thank you for taking the time to submit that Feature Request! We have a number of features in store and we hope you'll like them! :)

      Just in case you haven't seen it, you may find our security policy reassuring. 

      Reply Like
    • Faness yes I have reviewed the security policy and the type of encryption used. Please put security at the top of the requests. I really really like YNAB and I think it is revolutionary for people's finances. I cannot put my accounts and information at risk.

      Reply Like 1
  • TOTP (and maybe U2F) is a must for a financial account. Furthermore, TouchID/FaceID is also needed for the iOS app.

    Reply Like 2
  • I've done a huge amount of work importing my information and took it for granted that this site had the same level of security as almost every other financial product. They now have all my accounts and anyone who hacks my email now has all my information. This is very bad. More importantly, how do we know this product and its developers are around for the long haul? This topic has gone on for a very long time and it is almost 2019...

    Reply Like
    • Hi Cyphire!

      I wanted to leave a quick link to our Feature Request for your feedback. :)

      Also, a link to our security page. Security is a top priority for us and a passcode option for the mobile app is on our to do list. I assure you, we plan to stick around for the long haul! 

      Reply Like
  • Cyphire I hear you.  Make sure to voice your concerns via the app (i.e. they don't check the forum here for customer input).

    Reply Like
      • Cyphire (cyphire), 11 mths ago

      It's true, but since everything else is locked down with 2 factor, Google Authenticator, it makes me nervous...

      Reply Like
      • Cyphire (cyphire), 11 mths ago

      shukhov I will, thanks... I haven't even installed the app yet, doing everything in the browser...

      Reply Like
      • GlossyGot (glossygot), 11 mths ago

      Cyphire you can also use the web to do this, fyi

      Reply Like
  • It's not quite so bad... If your YNAB account was compromised, they wouldn't have access to your bank credentials, but they could view your bank transactions. Not great, but they wouldn't be able to login to your banks or initiate any transactions.

    Reply Like 1
  • Hey everyone!

    I wanted to leave a quick link to our What’s Up Next page. If you take a look, you'll see that passcode authentication is now on the roster and coming soon! :)

    Reply Like
    • Faness Nice, passcode is a good step forward. Will you then start to implement a real two-factor authentication for your entire ecosystem (web and app)?

      Reply Like
      • Jannelle (jannelle_ynabsupport), 10 mths ago

      Green Jackal Thanks for that feedback! That's not on the roadmap yet, but we won't ever stop improving YNAB! Would you mind submitting your idea via the Feature Request Form? From there it's collected in a database, and just about every day, our Design Team combs through them all!

      Reply Like
      • Beige Deer (Beige_Deer), 9 mths ago

      Jannelle but @Faness said in https://support.youneedabudget.com/r/y7j19s that 2-factor auth is on the roadmap. Unbelievable to me that you say 2FA is still not on the roadmap. How many Feature Requests does it take to make this a priority? The lack of 2FA is the primary reason I will not migrate from YNAB 4. But as YNAB 4 will not work on future releases of macOS, I will regrettably have to switch to another product.

      Reply Like
      • Brad Hull (sinceYNABPRO), "Since YNAB Pro", 9 mths ago

      Beige Deer

      I strongly disagree that 2 factor authentication is needed for the current version of YNAB. It would be much more appropriate for YNAB 4 for many reasons; with YNAB 4 it is very easy to gain immediate access to all the information that you should protect from access. If web YNAB users download their transactions manually from their financial institutions then those files contain ALL the details of your transactions, except for your user names and passwords.

      Reply Like
      • Patrick H (Aquamarine_Jackal_eac0b), 9 mths ago

      Beige Deer just to avoid confusion: There is a 2FA feature on the roadmap, using the app to generate passcodes (YNAB team please correct me if I'm wrong here), but this is not the kind of TOTP based 2FA feature that Green Jackal was asking for. This one is (as far as I understand) not on the roadmap (although I myself would like it, if it were).

      Brad Hull Regarding 2FA for YNAB4, this idea doesn't make sense, at least not with any form of additional time-based passcode. YNAB4 does store its data offline; there is no entity like a server that will control access to it or could limit any (offline cryptographic) attacks on the data, where 2FA could be of any use to stop the attacker. 2FA also depends on the trust that you have in the authorizing service; it just helps you in that your password alone won't be enough to grant access. If you have access to your data offline, you must always assume that the attacker also controls the algorithms for the decryption of the data. So the software in its offline version is no trusted instance to help you with the 2FA.

      Reply Like 1
      • Beige Deer (Beige_Deer), 9 mths ago

      Patrick H Thanks for the clarification.

      Reply Like
  • Other YNAB-like products consider web app 2FA and/or MFA essential. "Safety/security first" is a motto found in all kinds of industries. The following is a link to Mint's web page regarding this topic. Their approach represents what I would consider the bare minimum but would be leaps-and-bounds better than what YNAB today offers in terms of user login security. https://help.mint.com/Login-and-Multi-Factor-Authentication/888972681/What-is-multi-factor-authentication-in-Mint.htm

    Reply Like 1
  • I too am eagerly awaiting true 2FA or MFA. I submitted a feature request back when I began my trial with YNAB. A passcode on the mobile app is a helpful feature, but I will never link financial account information without 2FA established. While any additional security on the mobile app is helpful, today's age of data breaches demands a higher level of security, particularly when the user base is craving it.

    Reply Like 1
    • Navy Blue Router You don't need two factor authentication. Even if you do link your accounts YNAB can see transactions, not account numbers, and YNAB cannot initiate any transactions (besides on your payment card you used to buy YNAB); even your banking username and password isn't stored by YNAB but by their third party provider and it can only be changed, not read. Thus YNAB will have no more information for an attacker about you if you link your account, besides that they could see which bank holds your account.

      Secondly there really is minimal risk for most people of having your ynab account targeted, a good strong password should be more than sufficient given what ynab stores. 

      Reply Like 1
    • Coral Battery "Need" isn't the issue here. The information contained in YNAB can be used as a "tool in the toolkit" of nefarious parties to gain access to actual banking accounts. Some banks rely on this type of information for security questions in conjunction with others (Can you tell me the dollar amount of your last transaction? What is the current balance of your account?).

      YNAB's prioritization of features is questionable when my social media accounts provide better security options than one with financial connections. For the record, I don't sync with my bank and the account names are 100% arbitrary because I am a self-professed paranoid person. 😂

      Reply Like 1
    • Tomato Router +1, just today my bank asked me my current credit card balance in order to authenticate me.

      Reply Like
  • TOTP (Time-based One Time Password) please! It's an open standard and way more secure than SMS!

    Reply Like 1
  • Hi, just wanted to chime in as well. I'm currently trialing YNAB, and considering switching away from Mint. Part of my reason for looking for an alternative to Mint is that they still don't support 2FA. I'm astounded to discover that YNAB doesn't either, especially considering it's a paid service (and rather expensive), unlike Mint.

    Take security seriously and implement 2FA! Preferably TOTP, so that it provides the flexibility to use it with whatever authentication app the user prefers.

    Reply Like 1
  • Real two factor along the lines of a customer owned code generator really should be priority number one. There are plenty of apps that already support the code generation part (Google Authenticator, Microsoft Authenticator, Yubico Authenticator) so there's really no excuse. Just like several of the people above mentioned, I'm on a trial and imported all my stuff assuming that there was no way you could not use 2FA.

    Being that this is apparently now a web based service (as opposed to a client-side application), you are too big of a target to not support 2FA.

    Reply Like 3
      • Khaki Storm (Khaki_Storm.1), "YNAB book topics online: https://support.youneedabudget.com/r/q5w48j", 9 mths ago

      JF I'm still learning how things get done, but until I figure it out, let's keep this post active until it's accomplished. Sorry YNAB community monitors.

      Reply Like
    • Khaki Storm (Khaki_Storm.1), "YNAB book topics online: https://support.youneedabudget.com/r/q5w48j", 8 mths ago

    In YNAB you can sign in with your Google account. On your Google account, you can turn on 2 factor authentication. Does that accomplish this goal?

    Reply Like
    • Ben Khaki Storm No this does NOT do the same thing. It's actually dangerous to use OAuth like this for accounts. Why? Because if one account gets compromised (say your Facebook account) and you are using it as the sign in for say your bank, your email, your Spotify account, your Amazon account, .... you lose access to them all. It is always better to create separate usernames and passwords for all your logins and store them in a secure area like LastPass or 1Password.

      Reply Like 3
  • Just an FYI, but you really don't need to provide any PII to make YNAB work. If someone hacked my YNAB account, they may be able to see the email address I use as my login ID, but that's it. None of my accounts are linked and I import all of my data manually via QFX files. None of my accounts inside of YNAB have my name, address, account number, login or password. They are all generically titled (i.e., "checking", "savings", "401(k)", etc.) and you probably couldn't even get to the actual name of my bank. Everything works as expected this way with the exception of automatically importing transactions, which I prefer to not have anyway. If you are good about consistently entering transactions on your phone as they occur, there is almost no reason to automatically import transactions that I can see.

    Reply Like 3
    • krevbot (krevbot), "A nobody trying to tell everyone about Somebody.", 8 mths ago

    Want to put my 2 cents in there...

    I would also love to see 2FA.

    Yes, it is possible to use YNAB without providing PII

    Yes, it's also possible to link a Google Account to YNAB and authenticate through my Google account.

    But it's also possible that I don't want workarounds...I want to securely use a service the way I want (by importing from my bank account, and without having to tie to Google account).

    Reply Like 2
  • My 2 cents as a starting user and a web applications consultant. You need to rethink your road map ASAP and put security priority one. These are financial accounts. As a consultant I see companies like this get caught with their pants down on a regular basis. Real 2-factor authentication stops 80% of the attacks on accounts according to a study done by Navigant. A Google study showed that 2-factor stopped 100% of automated bot hack attempts. Just jaunt on over to the Security Now podcast by the Gibson Research Center and search for two factor authentication if you want all the "in the weeds" of why it's so powerful. PII has nothing to do with 2FA; logging in using OAuth from say a Google account is not the same security. You want TOTP (time based one-time password) where your customers are downloading the free Authy or Google Authenticator apps to gain the code they will use. SMS one-time passwords are still vulnerable to man-in-the-middle attacks. That being said... SMS 2FA is still better than nothing.

    Your roadmap doesn't even show 2FA and you have things like Zapier in front of security. My opinion, probably should rethink that. I see where you have "passcode" authentication for the mobile app. While this is all well and good it really doesn't help the fact that your account can be compromised without your device. Hackers are going to go for the online login, not your phone. If someone has their phone locked properly with a 6 digit pin and it's a modern phone it's going to be almost impossible to decrypt that phone short of being a state actor or a well equipped police department, depending on the phone. Here is where iPhones shine. Secure enclave!

    Get the open Google authentication API integrated with your main platform. Your framework seems to be PHP with a WordPress CMS so nothing that can't be easily dropped into your front and backends. The implementation is really trivial. I have several firms that can help and are very fast with this type of thing and it's relatively inexpensive to implement. Just trying to help out and keep everyone safe. This stuff should be STANDARD now for anyone developing an app. Cheers!

    Reply Like 5
    • Hi Cyan Mainframe!

      Thank you for taking the time to share your thoughts on this issue! :)

      Personally Identifiable Information isn't stored in YNAB by default. Account or routing numbers, and other private information, won't be in your YNAB account unless you manually enter it in the Notes or Memo sections.

      Security is one of our top priorities. While there aren't currently any new security features outlined on our What’s Up Next page, our security policy outlines the steps we take to keep your information safe.

      If you have a moment, please submit a Feature Request to let our product team know you'd like to see more security features. :)

      Reply Like
    • Faness I've been waiting for this feature for years and requesting it - Nothing has changed - The replies are lip service. I am seriously considering cancelling because you don't take security seriously enough - Money talks. I don't get how this basic feature isn't being raised at the top level of your company.. And if the CEO knows and doesn't care, it clearly demonstrates your company doesn't take user security seriously at all and I shouldn't spend money with you - You don't deserve it... Tough words, but look at Sony.. They didn't want to spend the several million, and it cost them hundreds of millions.

      Reply Like 1
    • Slate Gray Transistor I've put in a request several times too, nothing has changed. I think the message is clear that this company doesn't understand the threat, or they just don't care.

      According to the support team for EveryDollar (one of YNAB's competitors), 2FA is under development right now. I will likely be switching when it rolls out.

      This continued "we don't store identifiable info" lip service is insulting to our intelligence. The info contained in our YNAB accounts is a gold mine for a motivated and targeted attacker. For me, 2FA isn't about stopping a dragnet style attack, it's about stopping targeted attacks.

      Reply Like 1
      • Tobias (Toviathan), 3 mths ago

      Slate Gray Transistor Forest Green Mainframe 2FA is literally on the up next page as a feature that is being actively developed that is set to be released in the near future...

      Reply Like 2
    • Tobias That's great news! Thanks for pointing it out to me. I guess I'm too used to all the lip service around this and assumed it was never happening. That's my bad!

      They did the same thing when we wanted bank import back in the day; told us for years that it wouldn't happen, the founder even made a post about how it "wasn't the ynab way" and then they did it anyway. Glad they can change their minds when the right solution is obvious :)

      Reply Like
  • Hi everyone! I just wanted to circle back to this post and let you all know that Two-Factor Authentication has been released to all users as of yesterday!

    Reply Like 2
    • Chrissy Thank you, that's perfect now :-)

      Reply Like
    • Chrissy Thank you!

      Reply Like
      • JF (Powder_Blue_Transistor.6), 1 mth ago

      Chrissy Thank you. Also +10 points for not making it text message based.

      Reply Like
Status: Answered. 22 likes, 52 replies, 3104 views, 37 following, last active 1 mth ago.