
Any chance of two factor authentication coming soon?
I know it's been asked for a few times, but two factor authentication (2FA) is the only thing stopping me from even trialing YNAB (which I really want to, from all the reviews I've read about it). At this point, anything that touches my finances or other PII has to have 2FA enabled. If it doesn't, I basically shut it down / stop using it. All my credit cards, banks, email, social media, health, etc. have some form of 2FA enabled at this point.
2FA isn't a guarantee of absolute security, but it's definitely been shown to slow attackers down. I realize that it's probably not a "simple" feature request and probably has far-reaching implications on how your site functions. However, if this isn't on your roadmap I'd really strongly encourage it. I'd be willing to bet there is a non-trivial number of like-minded folks out there who are being held back from trying YNAB due to this requirement. I also think it isn't a bad idea to inject a little security best practice in with the financial best practices you're already imparting to people.
Thanks!
-
Hi Orange Packet !
Thanks for taking the time to share how important this feature is to you! :)
I'm happy to report Two Factor Authentication is on our road map! It has been for a while and we had to figure out the details of what kind of authentication step we wanted to enable. The current plan is to bring a passcode feature to the mobile app, however, I can't currently offer a time frame for when that will be available.
Stay tuned to the Release Notes and you can also sign up for the Weekly Roundup. We will be announcing its arrival loud and clear in both spots! :)
-
A passcode for the "mobile app" is good, and I assume we're talking iOS/Android, but that is access which already requires access to a physical device and a credential to unlock it. What is more urgent in my opinion is 2FA for the web based service which can be accessed from anywhere with a simple credential.
-
The two-factor authentication is yet to come because the application needs to manage all the parameters of the two-factor authentication. Quickbooks support still does not have two-factor authentication.
-
2FA is negligible at best given that the mobile app doesn't even support a PIN code, much less Touch/Face ID or Android fingerprint. I found out that wasn't an option after starting my trial, and honestly I might not renew it given that my choices are 1. Have all my financial information easily accessed via my phone or 2. Not have my budget information easily accessible on my phone, which should not be an option in 2018.
-
Thank you for your consideration of implementing 2 factor authentication in YNAB. I think it really is a key feature for internet security for all users. Let's not forget that in YNAB we have not only very detailed private financial data, but also references to the bank accounts we all are using and maybe also some indication of the identities we use there.
Still, I do have a problem with the idea that YNAB 2FA might (only?) rely on a push notification to the app on the mobile device. On the one hand, this would by definition leave the mobile app unprotected by 2FA (okay, one might argue that the web application is more under attack); on the other hand, it is also a less convenient way for those users who already use 2FA seriously with many services. For people like me, who use TOTP standardized 2FA with a hardware token like the Yubikey, a solution that would only allow 2FA to be used via its own app is certainly an inconvenience. Not only this, but also those who want to use a TOTP based setup with a good password manager could not use 2FA to their full potential.
Also, no 2FA is as easy as using a U2F token such as the Yubikey for 2FA!
Also, while it might not be important for many users, in some cases I like not to be dependent on my mobile device to be able to do some stuff regarding my finances. While it is not often, there are cases where I have network access with my laptop, but not with my smartphone. Especially when travelling abroad and not having wifi but only cable internet. This is often also a problem when having a text message sent to your mobile is the only possibility for 2FA with a service. Yes, this might be a rare occasion, but there are ways around this when using TOTP standardized 2FA.
So, please, sure, use your mobile app for easy 2FA for those who want an easy solution, but please also provide a TOTP based QR code option for those of us who have already established 2FA with many other services. U2F would also be a great addition!
-
I also am very leery of Ynab security. That is why I don't want to link my accounts. I have fingerprint identification for many of my apps on my phone and they don't have my bank information in them. I second the idea of 2FA and I will also put in feature request for that. Many applications will let you opt in or out depending on personal preference.
Let us know as soon as the security is beefed up; I bet you will get many more customers.
-
I've done a huge amount of work importing my information and took it for granted that this site had the same level of security as almost every other financial product. They now have all my accounts and anyone who hacks my email now has all my information. This is very bad. More importantly, how do we know this product and its developers are around for the long haul? This topic has gone on for a very long time and it is almost 2019...
-
Hey everyone!
I wanted to leave a quick link to our What’s Up Next page. If you take a look, you'll see that passcode authentication is now on the roster and coming soon! :)
-
Other YNAB-like products consider web app 2FA and/or MFA essential. "Safety/security first" is a motto found in all kinds of industries. The following is a link to Mint's web page regarding this topic. Their approach represents what I would consider the bare minimum but would be leaps-and-bounds better than what YNAB today offers in terms of user login security. https://help.mint.com/Login-and-Multi-Factor-Authentication/888972681/What-is-multi-factor-authentication-in-Mint.htm
-
I too am eagerly awaiting true 2FA or MFA. I submitted a feature request back when I began my trial with YNAB. A passcode on the mobile app is a helpful feature, but I will never link financial account information without 2FA established. While any additional security on the mobile app is helpful, today's age of data breaches demands a higher level of security, particularly when the user base is craving it.
-
Hi, just wanted to chime in as well. I'm currently trialing YNAB, and considering switching away from Mint. Part of my reason for looking for an alternative to Mint is that they still don't support 2FA. I'm astounded to discover that YNAB doesn't either, especially considering it's a paid service (and rather expensive), unlike Mint.
Take security seriously and implement 2FA! Preferably TOTP, so that it provides the flexibility to use it with whatever authentication app the user prefers.
-
Real two factor along the lines of a customer owned code generator really should be priority number one. There are plenty of apps that already support the code generation part (Google Authenticator, Microsoft Authenticator, Yubico Authenticator) so there's really no excuse. Just like several of the people above mentioned, I'm on a trial and imported all my stuff assuming that there was no way you could not use 2FA.
Being that this is apparently now a web based service (as opposed to a client-side application), you are too big of a target to not support 2FA.
-
Just an FYI, but you really don't need to provide any PII to make YNAB work. If someone hacked my YNAB account, they may be able to see the email address I use as my login ID, but that's it. None of my accounts are linked and I import all of my data manually via QFX files. None of my accounts inside of YNAB have my name, address, account number, login or password. They are all generically titled (i.e., "checking", "savings", "401(K)", etc.) and you probably couldn't even get to the actual name of my bank. Everything works as expected this way with the exception of automatically importing transactions, which I prefer to not have anyway. If you are good about consistently entering transactions on your phone as they occur, there is almost no reason to automatically import transactions that I can see.
-
Want to put my 2 cents in there...
I would also love to see 2FA.
Yes, it is possible to use YNAB without providing PII
Yes, it's also possible to link a Google Account to YNAB and authenticate through my Google account.
But it's also possible that I don't want workarounds...I want to securely use a service the way I want (by importing from my bank account, and without having to tie to Google account).
-
My 2 cents as a starting user and a web applications consultant. You need to rethink your road map ASAP and put security priority one. These are financial accounts. As a consultant I see companies like this get caught with their pants down on a regular basis. Real 2-factor authentication stops 80% of the attacks on accounts according to a study done by Navigant. A Google study showed that 2-factor stopped 100% of automated bot hack attempts. Just jaunt on over to the Security Now podcast by the Gibson Research Center and search for two factor authentication if you want all the "in the weeds" of why it's so powerful. PII has nothing to do with 2FA; logging in using OAuth from say a Google account is not the same security. You want TOTP (time-based one-time password) where your customers are downloading the free Authy or Google Authenticator apps to gain the code they will use. SMS one-time passwords are still vulnerable to man-in-the-middle attacks. That being said... SMS 2FA is still better than nothing.
Your roadmap doesn't even show 2FA and you have things like Zapier in front of security. My opinion, probably should rethink that. I see where you have "passcode" authentication for the mobile app. While this is all well and good, it really doesn't help the fact that your account can be compromised without your device. Hackers are going to go for the online login, not your phone. If someone has their phone locked properly with a 6 digit PIN and it's a modern phone, it's going to be almost impossible to decrypt that phone short of being a state actor or a well-equipped police department, depending on the phone. Here is where iPhones shine. Secure enclave!
Get the open Google authentication API integrated with your main platform. Your framework seems to be PHP with a WordPress CMS so nothing that can't be easily dropped into your front and back ends. The implementation is really trivial. I have several firms that can help and are very fast with this type of thing and it's relatively inexpensive to implement. Just trying to help out and keep everyone safe. This stuff should be STANDARD now for anyone developing an app. Cheers!
-
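Two of the posts above (the one asking for a "TOTP based QR code option" alongside a U2F token, and the consultant's post recommending TOTP with Authy or Google Authenticator) both describe the same standard mechanism. The following is an added example written for this thread, not code from any poster or from YNAB, showing what the server side of standards-based TOTP (RFC 4226 HOTP and RFC 6238 TOTP) looks like in plain Python with no third-party library: generating the shared secret, building the otpauth:// URI that the QR code encodes, computing a code, and verifying a submitted code with a clock-skew window and replay protection. The issuer and account names in the usage section are made up for the example; the 20-byte key "12345678901234567890" is the test key published in the RFCs, used here only to show that the arithmetic matches the published vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote


def generate_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded (160 bits by default, as RFC 4226 recommends)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that authenticator apps read from a QR code.

    `issuer` and `account` are whatever the service chooses to display;
    the values passed in the usage below are made up for this example.
    """
    label = f"{quote(issuer)}:{quote(account)}"
    return (
        f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
        f"&algorithm=SHA1&digits=6&period=30"
    )


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(key, at // step, digits)


class TotpVerifier:
    """Server-side check of a submitted code.

    `window` also accepts the codes of the neighbouring time steps so a
    slightly skewed clock still works. `last_counter` remembers the newest
    step already redeemed, so the same code cannot be replayed inside its
    validity window (each time step is accepted at most once).
    """

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, window: int = 1):
        self.key = base64.b32decode(secret_b32, casefold=True)
        self.step, self.digits, self.window = step, digits, window
        self.last_counter = -1

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        counter = now // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue  # this step (or an older one) has already been used
            expected = hotp(self.key, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Enrolment: the server stores the secret, the user scans the URI as a QR code.
    secret = generate_secret()
    print(provisioning_uri(secret, "user@example.com", "ExampleBudgetApp"))
    # Login: the authenticator app displays totp(...) for the current time,
    # the user types it in, and the server verifies it once.
    verifier = TotpVerifier(secret)
    code = totp(base64.b32decode(secret), int(time.time()))
    print("first use accepted:", verifier.verify(code))
    print("replay rejected:", verifier.verify(code))
```

Two details matter in practice and are easy to get wrong: the comparison must be constant-time (hence `hmac.compare_digest`, not `==`), and a code must be single-use, otherwise a phished or shoulder-surfed code stays valid for the rest of its 30-second step plus the skew window. Because the counter is derived from the clock, this also covers the "laptop online, phone offline" case from the thread: a hardware token or desktop authenticator holding the same secret produces the same code without any network access.
-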
Hi everyone! I just wanted to circle back to this post and let you all know that Two-Factor Authentication has been released to all users as of yesterday!