Add 2-Factor Authentication/Multi-Factor Authentication to App [edited] (2 Merged Votes)
Comments
-
This is related to the larger multi-factor authentication discussion, but is not a duplicate and shouldn't be merged. The first and most critical issue (in my view) is supporting TOTP as that will be available to everyone and benefits all of your users.
This is a separate request, which is to also support hardware security keys via U2F for MFA. Note that in order to avoid the same problem you have now with not being able to share an account this implementation will need to support multiple security keys. (It should anyway, for users like me that have one key they use at home, and another one with NFC support for authentication with mobile apps).
3 -
Yes, completely agree this app needs MFA. Would love to see this at the top of the priority list.2
-
Wanted to bump this feature request, Coaches @Coach Natalie, @Coach Paco please prioritize this.root said:Are there any plans to implement Time-based One-time Password (TOTP) support? It would help mitigate against SIM-jacking attacks that are very common and relatively easy to do these days.+1 for not supporting/deprioritizing sms-based TOTP, seconding what @root said, SMS tokens have been removed from NIST's list of recommended authentication factors for some time now. Additionally QR based enrollment for TOTP is supported on all major IDPs (Cognito, Auth0, Okta..).Shortest path for rollout for an MVP would be to leverage the mobile app's push notification service to send an "approve"/"deny" splash screen at login time for devices other than the enrolled mobile device.
Twilio has a good write-up on use cases, and benefits of push authentication here - https://www.twilio.com/blog/understanding-push-authenticationI'm happy to share more info with the team if it would help.Thanks!16 -
agreed agreed totp not SMS based 2FA. Priority number 1.2
-
online financial products need to include multiple security options for users that include TOTP and hardware keys. Give users options that will meet their security desires.
3 -
I would like to request this too. I'm honestly shocked that this wasn't there on day one given the day and age we're in.3
-
Considering the app cannot move money in your accounts and is only pulling transaction data I do not see this as a major need. Personally I am annoyed that I have to do MFA on some of my accounts just so Simplifi can even pull in my transactions. It is just one extra step that slows down my ability to quickly check where I am at in my budget.
That being said if someone can log into your Simplifi account and access any of your actual bank account information then that is a whole other security issue that falls on Simplifi and their back end, not the user facing side.-2 -
As others have said already, the ability to use an app (such as the Google Authenticator or Microsoft Authenticator apps) for multi-factor authentication would be a significant and welcome improvement in Simplifi security. Please push this to the top of the priority list for expanded capabilities.2
-
Another vote for MFA. If my financial institution requires it, why shouldn’t Simplify require it?5
-
Yes! Absolutely. Please support Security Keys too! And the ability to add more than one, in case your user loses their wallet.
4 -
Dear powers that be at Simplifi,
MFA (or even 2-factor authentication) is now standard practice and has been for years, especially in regard to anything that has a user's financial information. The smart consumer will not use your app until you have this. Add this and I, and numerous other consumers will be back. I'm even willing to pay a little more if you add MFA (say $40/year as opposed to the current fee of $36/year). How many of your users [see the many posts in this community here] calling for MFA does it take for you to heed them and make this change?
I really wanted to use this application. I was really excited about it. I read a thorough review of this app in Wirecutter/the NYT which recommended Simplifi and YNAB (I'm a ex-user of YNAB. They went against their word and raised the yearly fee more than they had told their long-time users they would, so I quit YNAB).
One reason Wirecutter (apparently mistakenly) recommended Simplifi was because the reviewer said it had MFA. The reviewer made it clear they could not recommend any budgeting app that did not have MFA, since that is a basic requirement to protect one's personal information. Since Simplifi does indeed not have MFA, I am ending my free trial.
I was really excited about this app. I am extremely disappointed you don't offer the basic, consumer-safety practice of MFA. A cheap fee is no deal if one is sacrificing the protection of one's personal information. Good day and good luck to all who remain using Simplifi! [removed - disruptive]4 -
I am referring to MFA as part of the log in process.2
-
These both of these sentiments echo that of my own.
Pleaseee add OTP support via an authenticator app and not one sent via email or SMS, which are much less secure. A security key option would be nice too, but I'm willing to settle on OTP as the bare minimum.
As a new user, I was kinda shocked that a company as large and well-known as Quicken didn't offer this. I'm leaving YNAB and am looking to switch to Simplifi or Monarch. This is probably the only thing holding me back from pulling the trigger on Simplifi.
Also, encrypting data at rest on your servers would be great.
5 -
Simplifi team,
What's the status on this? I just started using the app more seriously and I was terrified to find out there is no MFA for the app - and as everyone said, we prefer TOTP instead of just sending a text message.
1 -
Hello @samH,
Thanks for reaching out!
Sadly, there is no further update to provide on this request at this time. If you navigate to the very first post in this thread, you'll be able to see the status of the Idea, and a note stating that we are working on adding MFA to the Simplifi Mobile App. Once any new updates become available, we'll be sure to update the status accordingly, so please be sure to keep an eye out for any news.
We appreciate everyone's continued patience!
-Coach Natalie
-3 -
Been a while since this thread had any updates and it'd be nice if that's because the issue was resolved. I'm a new user and cannot find a way to do this.
1 -
@Mr. M If nothing else you bumping this post up caused it to get an extra vote (from me).. I've recently started using multifactor authentication more, typically with google authenticator, though in reality that's only as secure as my google password (authenticator is backed up to google's cloud).
—
Rob Wilkens1 -
[removed] It would also be great to at least require bio metrics (face Id, finger print) to access the app on mobile devices
1 -
I didn't want to create another request. Is there any plan to add at least a timed Face ID or fingerprint to access the mobile account? I don't like the fact that if anyone has access to my phone, if they click on the app, they have access to all my financial information.
2 -
Just signed up and set up Simplifi today (coming from Mint) and was shocked to discover that after the initial login on the app during setup, absolutely no authentication is required to open this app which contains all my financial information, nor is there any option in the settings to enable it. Am I missing something here or is this just how it is?
For reference, I had to login with 2FA just to browse these forums and leave this post, but not to use the app full of personal information?
2 -
In general, if someone is concerned about security, they probably have a lock on their phone screen. If the app is accessible at all, that implies the phone has been unlocked, which implies the person accessing the app should always be the person locking the phone. It's silly to require additional biometrics on top of what was used to unlock the phone.
—
Rob Wilkens-4 -
It is not silly to want your financial data protected. Every app with your financial information has some additional authentication factor to see your information. Your bank app, the majority of budget apps, has that simple basic security structure. If you don’t want to enable this option for your login, that’s fine, but don't belittle others who want that extra layer of protection.
5 -
You are correct! I just now see it. Honestly it wasn’t there before. That was very quick. Thank you. I enable it.
2 -
SMS and email OTP is not secure enough for a site like Simplifi. We need the ability to have 2FA / MFA through an authenticator app.
2 -
This exists with existing votes here.. the coments on the post talk about authenticator apps specifically. Please consider adding your vote.
[removed link to merged thread]
—
Rob Wilkens0 -
It seems insane to have a banking app that doesnt itself support 2fac authentication on login..
To clarify, talking about Simplifi itself, not bank connections. I'm very concerned that login for Simplifi on the web or in-app is user and pass only with no option MFA.
1 -
How is 2FA still not available? the antiquated level of security with email/text passcodes that are too easily compromsed. How is 2FA with a passcode still not a thing?
2
