Post by locutus on Jul 10, 2018 7:24:51 GMT
A backwards step for sure. Lloyds tried this (2FA for every transfer etc) and they quietly relented in the end for the sake of usability and to use a bit more common sense around which actions were actually security sensitive.
BTW, there are plugins to keep your session alive. Depending on the implementation of 2FA, you may only need to use it once a week unless forcibly kicked out. I use mSession Keeper for Firefox.
|
Post by SteveT on Jul 10, 2018 7:27:29 GMT
PS. I'm struck by the irony that AC felt it must further protect me from the theoretical risk of someone breaking into my home, guessing my security details and trying to check the balance on my Assetz Capital account, yet is happy to decide (after a Survey Monkey vote swung by obviously unthinking lenders I've never met) that a substantial chunk of my remaining Assetz holdings should continue at risk INTEREST FREE for 6 months (#227). Beyond laughable.
|
Post by lobster on Jul 10, 2018 7:28:06 GMT
chris please provide an opt-out for 2FA. Feel free to put as many warnings on there as you want and fully explain the risks, but please do not force it upon us. My wife and I log in several times a day (always from desktops), and for us this will be total overkill. I totally understand that some lenders will want the added protection provided by 2FA and that's fine as an option but please allow lenders to decide for themselves. We are not children. We are heavily invested in AC, but we're not going to put up with this and will be moving funds elsewhere if AC try and force 2FA upon us.
|
Post by Monetus on Jul 10, 2018 7:30:38 GMT
Please allow users to opt-out at their own risk - this is a terrible decision.
|
Post by ianj on Jul 10, 2018 7:31:42 GMT
You seemed to have changed your tune since yesterday when you promised to look into alternatives to 2fa for every log in. Now you are telling us how little it is going to inconvenience us, which is more than a little patronising.
I am sorry. I've checked with our compliance officer and wider exec and we do not plan to make any changes in that regard. There are security and data protection reasons for wishing to use 2FA on every log in.
Perhaps you might like to share precisely what it is that you're complying with.
Are you suggesting that all P2P platforms will have to adopt similar?
|
Post by benaj on Jul 10, 2018 8:00:51 GMT
The e-mail is full of generic/corporate sentences, but doesn't explain why AC has to take such measures. Did investors experience money stolen from their accounts? I had this with TSB, Santander and Tesco in the past, but that was probably to do with my OS being out of date? I didn't mind this because I didn't need to login and make transactions very often - AC login is my daily routine.
"Next choose how you want to receive your code, click SMS to receive your number by 'text', 'call' or select ‘Authy’ to receive your code via the app." - I don't want to download any apps or receive texts/calls. Why is inserting my e-mail address, password and my grandad's name not enough?
"Once your code has been accepted, you will be asked to update your password to ensure it meets our updated password security." - I don't want to change my password. Apple asked me to do it many times and atm I don't know what my Apple password is (I've lost track of them).
"You will also need to enter a memorable word and a pin number, from which individual characters may be used by our customer service team to identify you if this is ever necessary." To summarise:
1. memorable word
2. PIN number
3. password
4. name of school/pet/mother
5. compulsory use of mobile phone
Is this really needed?
I've just set up the 2FA. This is my personal feedback:
1. The setup procedure seems to be a pain if someone has never used Authy. Personally, I use Authy for many things. It sounds complicated to set up for someone who has never done it before, I do like using Authy.
2. The memorable word and PIN number are not directly related to Authy setup, but I see this helps AC staff to identify someone speaking on the phone.
3. The 8-digit PIN is long and unusual. Most phones use a 4-digit PIN, and other online services use 6 digits. Nowadays we have too many things to remember and is it necessary to have 8 digits while other banks use less?
4. It is not necessary to use a mobile phone to log in, all I need is the Authy app. One great thing about Authy is that it can be installed on multiple devices and allows multi-device access. It means if you lost your phone, you could access Authy on your tablet. Authy can be set up with TouchID to unlock access.
|
Post by chris on Jul 10, 2018 8:10:32 GMT
I've checked with our compliance officer and wider exec and we do not plan to make any changes in that regard. There are security and data protection reasons for wishing to use 2FA on every log in.
Perhaps you might like to share precisely what it is that you're complying with.
Are you suggesting that all P2P platforms will have to adopt similar?
Our compliance officer is also responsible for data protection. There's no specific regulations around 2FA or login security but we are obligated to run our business with due skill, care and diligence and part of the "care" bit in the context of our business would be taking reasonable steps to keep lenders secure. Our interpretation of this is enforcing 2FA. I cannot comment on how other platforms interpret this.
|
Post by dave2 on Jul 10, 2018 8:12:14 GMT
Will I need to go through this rigmarole every time I am "automatically logged out" by the system whilst taking a break to check news, football, or make a cup of tea?
btw the Video link in the e-mail is not working, I have tried several times over the past few hours, but it always times out.
Currently on holiday in Bali, if that makes any difference.
The connection has timed out
The server at vimeo.com is taking too long to respond.
The site could be temporarily unavailable or too busy. Try again in a few moments. If you are unable to load any pages, check your computer's network connection. If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
|
Post by chris on Jul 10, 2018 8:16:56 GMT
Will I need to go through this rigmarole every time I am "automatically logged out" by the system whilst taking a break to check news, football, or make a cup of tea?
btw the Video link in the e-mail is not working, I have tried several times over the past few hours, but it always times out.
Currently on holiday in Bali, if that makes any difference.
The connection has timed out
The server at vimeo.com is taking too long to respond.
The site could be temporarily unavailable or too busy. Try again in a few moments. If you are unable to load any pages, check your computer's network connection. If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
I think the video may be being blocked at your end. There is a grace period with Authy whereby you can re-login without going through 2FA, so it will depend on how long you step away from the computer.
|
Post by dan1 on Jul 10, 2018 8:21:44 GMT
I remain open to the idea that the benefits of 2FA outweigh the inconvenience but I'll reserve judgement until it's introduced on sites requiring daily monitoring/access. Two things jump out at me viewing this thread from afar...
1. If sentiment is anything to go by then this will undoubtedly hit the AC bottom line, i.e. profits. Looking at this from a purely business perspective where in the recent past AC have raised rates on their access accounts and thereby bucking the recent trend in P2P (think reductions on FC, RS, Unbolted, GS, BM, with the one exception being LW who are currently in a more aggressive growth phase than AC), they are in need of additional lender funds. What will the introduction of 2FA require? A combination of maintaining the recent rate rise for longer than anticipated, increase in MLA rates (reduction in AC margin), increased use of underwriters, all will lead to increased costs and reduced profit.
2. Is AC capable of rolling back? Does the business currently possess the flexibility to listen and pivot or has the drive to grow the business gone beyond being able to make reversals of policy such as this. To me it's an acid test as to whether they've gone all corporate (generally hated by P2P investors, we're here for higher rates and because we think "alternative" finance), or are still the touchy-feely AC we've come to love (and hate at times).
Interesting to see how this pans out.
|
Post by westcountryfunder on Jul 10, 2018 8:24:02 GMT
chris please provide an opt-out for 2FA. Feel free to put as many warnings on there as you want and fully explain the risks, but please do not force it upon us. My wife and I log in several times a day (always from desktops), and for us this will be total overkill. I totally understand that some lenders will want the added protection provided by 2FA and that's fine as an option but please allow lenders to decide for themselves. We are not children. We are heavily invested in AC, but we're not going to put up with this and will be moving funds elsewhere if AC try and force 2FA upon us.
Entirely agree with you. I could reluctantly agree to the new system for withdrawals, but nothing else.
|
Post by lobster on Jul 10, 2018 8:28:21 GMT
Perhaps you might like to share precisely what it is that you're complying with.
Are you suggesting that all P2P platforms will have to adopt similar?
Our compliance officer is also responsible for data protection. There's no specific regulations around 2FA or login security but we are obligated to run our business with due skill, care and diligence and part of the "care" bit in the context of our business would be taking reasonable steps to keep lenders secure. Our interpretation of this is enforcing 2FA. I cannot comment on how other platforms interpret this.
What a strange interpretation. By all means have it as an option, but why can't lenders decide for themselves?
|
Post by lara on Jul 10, 2018 8:30:58 GMT
2. Is AC capable of rolling back? Does the business currently possess the flexibility to listen and pivot or has the drive to grow the business gone beyond being able to make reversals of policy such as this. To me it's an acid test as to whether they've gone all corporate (generally hated by P2P investors, we're here for higher rates and because we think "alternative" finance), or are still the touchy-feely AC we've come to love (and hate at times). Interesting to see how this pans out.
This! I literally joined AC yesterday having left RS because of their ridiculous new policy on re-investment in the rolling market and their unwillingness to listen to the fact that we are not happy with it. Please don't make me have to look for yet another new home for my money!
|
Post by kmac on Jul 10, 2018 8:35:10 GMT
Our compliance officer is also responsible for data protection. There's no specific regulations around 2FA or login security but we are obligated to run our business with due skill, care and diligence and part of the "care" bit in the context of our business would be taking reasonable steps to keep lenders secure. Our interpretation of this is enforcing 2FA. I cannot comment on how other platforms interpret this.
What a strange interpretation. By all means have it as an option, but why can't lenders decide for themselves?
Because Nanny knows best
|
Post by tarq on Jul 10, 2018 8:52:33 GMT
I would think before going OTT on new logins, Assetz would concentrate on getting the current system working properly. I've had a 'withdraw on repayment' on an account for the last few months, but it still keeps reinvesting the interest! Also why when I ask for £200 of a loan, do I get 202.25 or 200.17?
|