Multifactor Authentication Bug - Connects To Bank Before Confirming and Locks Out Account!!

My wife and I share our account. She has an RBC Mastercard that does sync direct with Simplifi which is great.

Now the problem - as you all know, when you log in to the app it automatically wants to connect with all your accounts with two-factor authentication. So my wife gets a prompt on her phone EVERY time I log in and BEFORE I even get the prompt to pick 'Phone' or 'Device' to authenticate. Hitting cancel on the pop-up does nothing because the app is starting this process in the background BEFORE you even hit 'Connect' on the pop-up.

To compound this, when I do this too much it locks her account for multiple failed logins - even though I have not tried to authenticate.

So we are now forced to disable this account and then make it manual - defeats the entire purpose of the application.

Note - this is the web app only. Seems to not be on the iPhone app.

Quicken PLEASE do two things:

  • Fix the app so that you initiate contact with the bank API AFTER the user hits the 'Connect' button - NOT when we log in.
  • Next, make it optional to have auto account syncing - and have a 'manual' button. In these cases, each card holder can then initiate this when they are ready for the text etc.

I tried over and over to explain this to 'Coach Elder' on the support channel. He was insisting this was a 'bank requirement' which I know it's not. You start the API call to the bank and this should only start once the user hits 'Connect' on the pop-up. FYI this is for the RBC Westjet Mastercard. I have two-factor on my Manulife VISA and I don't get this notification (I also don't have a Manulife VISA app like my wife does for her RBC Card).
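The ordering requested in the post above, as an added example that is not part of the original thread and is not Simplifi's code: login only prepares the dialog, cancel stays local, and the bank is contacted solely from the Connect handler. The class, its method names, the `sendChallenge` callback and the cap on unanswered prompts are all assumptions; the cap goes beyond what the post asks for and is there to address the lockout it describes.

```javascript
// Added illustration; every name here is hypothetical, not Simplifi's or RBC's API.
class ConsentGatedRefresh {
  // sendChallenge(accountId): the only call that makes the bank issue an MFA prompt.
  constructor({ sendChallenge, maxUnanswered = 2, windowMs = 60 * 60 * 1000, now = () => Date.now() }) {
    this.sendChallenge = sendChallenge;
    this.maxUnanswered = maxUnanswered;
    this.windowMs = windowMs;
    this.now = now;
    this.unanswered = new Map(); // accountId -> timestamps of prompts nobody completed
  }

  // Login only builds the list of dialogs to show; nothing is sent to the bank.
  onLogin(accountIds) {
    return accountIds.map((id) => ({ accountId: id, state: 'awaiting_consent' }));
  }

  // Dismissing the dialog is purely local: no challenge exists yet, so none can time out.
  cancel(accountId) {
    return { accountId, state: 'dismissed' };
  }

  // Runs only from the Connect button's click handler.
  connect(accountId) {
    const cutoff = this.now() - this.windowMs;
    const recent = (this.unanswered.get(accountId) || []).filter((t) => t > cutoff);
    if (recent.length >= this.maxUnanswered) {
      // Stop before the bank counts another failed attempt; the user can retry later.
      this.unanswered.set(accountId, recent);
      return { accountId, state: 'deferred' };
    }
    recent.push(this.now());
    this.unanswered.set(accountId, recent);
    this.sendChallenge(accountId);
    return { accountId, state: 'challenge_sent' };
  }

  // A completed MFA clears the count of unanswered prompts for that account.
  complete(accountId) {
    this.unanswered.delete(accountId);
    return { accountId, state: 'connected' };
  }
}
```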

Comments

  • RobWilk Superuser ✭✭✭✭✭

    If the bank supported OAuth, and if Simplifi also supported OAuth with that bank, it would typically only do 2-factor to authenticate the account once and never again. I think, ideally, this may be what you want if they can support this.


    Rob Wilkens

  • It's a Simplifi issue - not the bank. The site is starting the authentication call to the bank when it throws that pop-up at you. If you hit cancel the bank still got the request (which times out). You do this enough times in a row and RBC locks her account.

  • RobWilk Superuser ✭✭✭✭✭

    I just checked, RBC supports OAuth through Plaid. I don't know if Simplifi uses Plaid with RBC or not; they do use Plaid with some accounts for some banks. If Simplifi used Plaid to connect to your bank, it probably wouldn't ask for MFA/2FA each time.


    Rob Wilkens

  • If you read my post again it has to be Simplifi - the auth method doesn't matter. You log in and the website automatically wants to authenticate. Hitting the X cancel button doesn't matter. They are sending an authentication ping to RBC in the background when you log in.

  • RobWilk Superuser ✭✭✭✭✭
    edited November 27

    I'm not saying it's not Simplifi.

    I am saying Simplifi uses third parties to connect to the banks.

    I am saying some banks support OAuth with Simplifi, depending on whether the companies that implement the bank connections support them, and those banks don't repeatedly ask for 2FA/MFA.

    I'm saying RBC supports this, but seemingly Simplifi does not, but needs to.

    I'm not saying you can 'choose' OAuth; it's either supported or it is not.

    You would know it was supported because you'd be taken to the bank's website to sign in and get prompted directly by the bank for 2FA with their website. If OAuth is not yet supported at your bank, you'll get a Simplifi prompt, not your bank website.


    Rob Wilkens

  • Coach Natalie Administrator, Moderator

    @Team Tappin, thanks for posting to the Community!

    Since MFA requests are controlled by the banks, these requests would be coming from them: https://support.simplifi.quicken.com/en/articles/4704254-why-do-i-need-to-re-authenticate-my-bank-with-every-refresh

    Quicken Simplifi is also designed to automatically perform a refresh each time you sign in, and the program also goes through nightly aggregation with financial institutions. If any MFA requests are unable to be completed, a user would typically see an FDP-185 error in Quicken Simplifi. Completing MFA will reconnect the account and clear the error.

    With that, I think we have a couple of existing requests that you'd be interested in voting for and following for updates:

    I hope this helps!

    -Coach Natalie