Two Factor Authentication


#1

Two factor authentication is really important, especially with data breaches and hacks happening frequently to big companies.

Two factor authentication (for those who don’t know) is a second step after your username and password to confirm that it is you who is logging in. For example, logging into Gmail, I am asked for my username and password then a code (which changes every 10 seconds or so) to log in.

I think it would be a really good idea if Starling offered some kind of two factor auth. Maybe a text with a code when you log in to a new device?


#2

I use two factor authentication for some things, but not for everything.

Not sure I see the need for it with Starling. You have to go through certain verification processes to activate the Starling app on your phone, for example a text, or scanning a QR code, anything more is just going to make it more complicated.

You can only use Starling on three devices, you would have to have verified all three before you could use Starling already.


#3

Personally I would hate to have 2FA. I can’t stand it.


#4

We already have MFA (multi factor authentication). It’s the combination of fingerprint/passcode/password and the fact the application requires the device to be registered.

The example given was a text if using a new device. That’s already an option (as opposed to the non-functioning QR code method).

Texting codes (which is discouraged as it’s easily spoofed) or One Time Passcode wouldn’t add much as people usually have the Starling app on their phone - the same device where the text would be sent or probably the same device that had the authenticator app installed.


#5

While I’m all for 2fa. As someone who has reinstalled the app a few times recently when you choose a new mobile device option to access the account you will need to know the mobile number, you get sent a text with a code and then you need to enter your bank password to access the account. So you already need mobile number access, the verification code and the password that has been set up on the account.

I suppose the only thing Starling could do extra is send you a “new sign in alert” email as a courtesy? There might be other options like a verify via email option?


#6

I personally think that the multi factor authentication Starling already implement is adequate.

Although one thing I like with Metro Bank is that when you add a new payee it prompts for characters from one of the cards you hold with them.


#7

@tim7 I see your point regarding the text when you reinstall or don’t have your old phone, however I don’t like the fact that it asks you for a mobile number. What if Starling used the phone number saved to your account instead of asking the user for a new number? Seems that if someone wanted to use my account from another device they would just need to provide their number and get the verification text allowing my account to be used by someone else. I do also like your idea of a new sign in alert, might be a good balance between the two.


#8

Would Starling send a code to a non-registered mobile number?

Also there is a bank password that needs to be entered in afterwards.


#9

I might be wrong, but I’d presumed that it asked for your mobile number upon reinstalling the app in order to both identify you and authenticate you (via SMS), so presumably you have to enter the mobile number you used to sign up to the account with.


#10

A Starling account is attached to a mobile number, so sending a code to another mobile won’t give you access to your own account.

You have to change the mobile in your app or contact support if you want to use your account on another number.


#11

Thanks @daedal and @jcwacky for the feedback on this.