puddleduck
Member of DD Central
Posts: 537
Likes: 489
Post by puddleduck on Jul 9, 2018 16:14:51 GMT
Seems like Assetz have rolled out two-factor authentication - in other words it's now much more of a pain in the botbot to log in!
Two implementation issues already - the PIN and memorable word need to be 8 characters - while I appreciate this is probably an attempt to make dictionary attacks harder, actually my memorable word doesn't have 8 characters! And I can't see any reason for needing an 8-digit PIN. I'm not keen on enforcing 8 characters or, more broadly, a minimum word length - for example, often you may see pet name or favourite film as a security question; now if your favourite film is ET or your dog is called Spot you've got a problem right there. Assetz just ask for a favourite word, but the principle applies - enforcing a limit here means you may force folks into choosing something not very memorable at all, purely to fit the 8-character requirement! Dumb design, and may force people to write stuff down....
So the options now are SMS (luckily I spotted I gave Assetz my landline on signup), so I advise making sure you've not got a landline in there before changing to SMS. The other option is Authy, which sadly does not have a Linux client, so is unusable for me. I am not a fan of additional software, it can often be an attack vector.
If you don't use Authy, it does mean most folks need to be tied to a phone to log on now; it would be nice to have an e-mail option too maybe?
I'll probably get used to it....!
jlend
Member of DD Central
Posts: 1,840
Likes: 1,465
Post by jlend on Jul 9, 2018 16:23:30 GMT
8-digit PIN does sound long.
My banking app has 6 digits, my S&S ISA platform has 6 digits, credit card is 6.
I haven't seen anything with 8 digits. At least it definitely won't match any other PINs I have 😀
alibaba
Member of DD Central
Posts: 341
Likes: 245
Post by alibaba on Jul 9, 2018 16:25:55 GMT
Would like an email option.
dandy
Posts: 427
Likes: 341
Post by dandy on Jul 9, 2018 16:28:21 GMT
Wouldn't an email option defeat the purpose though? We can change password via email, so I don't think the 2FA would add anything in that case. If someone has our email hacked, the hacker can then change password and PIN and get the login codes all via one 'hack'.
Post by westcountryfunder on Jul 9, 2018 16:31:06 GMT
My husband and I, both of whom have long-standing AC accounts, do have ancient Nokia and Samsung mobiles which we rarely use. Neither is Apple or Android.
I have emailed AC to point out that (for example) even the much-maligned TSB manages to offer a landline alternative in order to authenticate certain transactions. There is a similar system with HMRC.
We get fed up with the assumption that everyone uses and is addicted to smartphones. Really we have only one use for such devices - in emergencies.
A very inconsiderate move from AC which is otherwise our favourite P2P site.
ceejay
Posts: 975
Likes: 1,149
Post by ceejay on Jul 9, 2018 16:32:38 GMT
But surely mobile phone numbers aren't exactly secure, either? I seem to remember reading something recently about mobile numbers being spoofed as part of a security bypass attack? Or did I dream that?
ianj
Member of DD Central
Posts: 656
Likes: 520
Post by ianj on Jul 9, 2018 16:34:11 GMT
It would be nice to have an 'I want to keep it like it is' option, but why keep it simple when you can really irritate someone?
dandy
Posts: 427
Likes: 341
Post by dandy on Jul 9, 2018 16:39:19 GMT
> But surely mobile phone numbers aren't exactly secure, either? I seem to remember reading something recently about mobile numbers being spoofed as part of a security bypass attack? Or did I dream that?

Mobile phones are probably not secure in themselves, but neither is email that secure, hence the 'dual' (both combined) adds a significant layer of protection, albeit nothing is 100% secure. Someone could be mugged at their desk with email and phone in hand, for example.
Post by crabbyoldgit on Jul 9, 2018 16:46:14 GMT
Yes great, but being a rural straw-sucking hillbilly type I have no reliable mobile phone coverage within a 10 minute drive, 20 min 😰 round trip, so how am I going to log in? Been here before with Tesco banking; had to shut the account in the end, just could not drive fast enough before the stupid code time lapsed.
lara
Posts: 345
Likes: 300
Post by lara on Jul 9, 2018 16:53:23 GMT
I joined AC this afternoon, just in time for the fun and games!
I don't have a cell phone but I did manage to log on using my home phone, some sort of text to speech thing happened so that might be worth trying.
It's definitely an inconvenience though!
bigfoot12
Member of DD Central
Posts: 1,817
Likes: 816
Post by bigfoot12 on Jul 9, 2018 17:00:12 GMT
> Yes great, but being a rural straw-sucking hillbilly type I have no reliable mobile phone coverage within a 10 minute drive, 20 min 😰 round trip, so how am I going to log in? Been here before with Tesco banking; had to shut the account in the end, just could not drive fast enough before the stupid code time lapsed.

I liked O2's "TU Go", which I used to use a lot when I worked in a basement. If the message can't get through it diverts it over WiFi. (I really liked being able to send messages from a web browser, so typed on a keyboard.) Three have something similar (Three inTouch?), but I didn't like it as much, as incoming messages went into the app's folder rather than the default SMS client, so I had to look in two places every time I searched for another message. I'm sure that the other operators have similar functions. Probably worth changing contract if they don't.
bigfoot12
Member of DD Central
Posts: 1,817
Likes: 816
Post by bigfoot12 on Jul 9, 2018 17:03:19 GMT
chris, instead of needing two factor authentication to log on, would it be possible to have to use it when withdrawing money or changing profile settings, but not for logging in?
james21
Member of DD Central
Posts: 651
Likes: 669
Post by james21 on Jul 9, 2018 17:07:04 GMT
I really don't want the bother, will probably invest less with them in future in favour of other more user-friendly platforms. Their IT director needs a kick up the backside.
bigfoot12
Member of DD Central
Posts: 1,817
Likes: 816
Post by bigfoot12 on Jul 9, 2018 17:11:04 GMT
> chris, instead of needing two factor authentication to log on, would it be possible to have to use it when withdrawing money or changing profile settings, but not for logging in?

> I've not seen this on my account yet, but for HMRC/government logins there's an option to authorise the computer for 7 days, i.e. you don't need to use 2FA until 7 days later. Gmail/Google also does this but can authorise the computer for ever. Is there no option for that?

I can't remember which account uses it - I think it might be National Savings - I can log in and read messages, but when I withdraw I have to use a phone 2FA in addition to the password. The banks are the same with the secure keyfob things; for many things it is not needed, but to pay someone new it is needed.
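The two ideas in the post above (authorise this computer for 7 days; demand the second factor only for withdrawals and profile changes) sketched as server-side Python. This is an added example from the editor, not Assetz Capital's code and not a description of how their site works. It implements RFC 4226/6238 HOTP/TOTP (the code an app such as Authy displays offline, so no mobile signal is needed), a signed "remember this device" token with a 7-day expiry, and a step-up policy that decides per action whether to prompt. The secret is the RFC test-vector secret, and the server key, user id and action names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test-vector secret ("12345678901234567890", base32).
# Constructed for the demo; a real deployment generates a random secret per user.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Hypothetical server-side key for signing "remember this device" tokens.
SERVER_KEY = b"hypothetical-server-key-rotate-me"

STEP = 30                    # TOTP time step in seconds
TRUST_TTL = 7 * 24 * 3600    # "authorise this computer for 7 days"

# Hypothetical action names; the thread's examples are withdrawing money
# and changing profile settings.
SENSITIVE_ACTIONS = {"withdraw", "change_profile", "change_pin"}


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to `digits` decimal digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP).
    This is what the authenticator app computes locally."""
    return hotp(secret_b32, now // STEP, digits)


def verify_totp(secret_b32: str, code: str, now: int, window: int = 1) -> bool:
    """Server-side check. Accepts the current step and +/- `window` neighbouring
    steps so a code typed a little late still works; constant-time compare."""
    for k in range(-window, window + 1):
        t = now + k * STEP
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret_b32, t), code):
            return True
    return False


def issue_trust_token(user_id: str, now: int) -> str:
    """'Remember this computer' token: user|expiry|HMAC-SHA256 tag. Would be
    set as a Secure, HttpOnly cookie after a successful second-factor login."""
    if "|" in user_id:
        raise ValueError("user id must not contain '|'")
    payload = f"{user_id}|{now + TRUST_TTL}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def trust_token_valid(token: str, user_id: str, now: int) -> bool:
    """Reject tampered, expired or foreign-user tokens; fail closed on parse errors."""
    parts = token.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    tok_user, tok_expiry, tag = parts
    expected = hmac.new(SERVER_KEY, f"{tok_user}|{tok_expiry}".encode(),
                        hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, tag)
            and tok_user == user_id
            and now < int(tok_expiry))


def second_factor_required(action: str, user_id: str, trust_cookie, now: int) -> bool:
    """Step-up policy: sensitive actions always need the second factor; plain
    login skips it only on a still-trusted device; read-only actions never prompt."""
    if action in SENSITIVE_ACTIONS:
        return True
    if action == "login":
        return not (trust_cookie and trust_token_valid(trust_cookie, user_id, now))
    return False


if __name__ == "__main__":
    now = 1_111_111_109  # RFC 6238 test time; 6-digit SHA1 code is 081804
    print("TOTP now:", totp(RFC_SECRET_B32, now))
    cookie = issue_trust_token("alice", now)
    for action in ("login", "view_messages", "withdraw"):
        print(action, "-> 2FA required:",
              second_factor_required(action, "alice", cookie, now))
    print("login after 8 days -> 2FA required:",
          second_factor_required("login", "alice", cookie, now + 8 * 86400))
```

The 8-digit PIN complained about earlier in the thread is a separate knowledge factor and is not modelled here; nor is SMS delivery, which is where the coverage and landline problems in the thread come from. A TOTP app needs only a roughly correct clock, which is why the verifier accepts one step either side.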
Post by crabbyoldgit on Jul 9, 2018 17:23:13 GMT
> Yes great, but being a rural straw-sucking hillbilly type I have no reliable mobile phone coverage within a 10 minute drive, 20 min 😰 round trip, so how am I going to log in? Been here before with Tesco banking; had to shut the account in the end, just could not drive fast enough before the stupid code time lapsed.

Can't you use "Authy" on your mobile via your home WiFi?