In progress

Enable Two-factor Authentication

Given the sensitivity of financial data, I think it would be great to see sign-in options with two-factor authentication. It doesn’t have to be linked to a cellphone number. The Google Authenticator app seems to be a great solution. Having a robust account security system adds a great deal of security to the platform.

144 votes

Tagged as Suggestion

Suggested 28 May 2022 by user Ye Huang

Moved into In progress Monday

  • 28 May 2022 Ye Huang suggested this task

  • 29 May 2022 Kyle Nolan approved this task

  • I’m thinking this isn’t important b/c PL has no private/personal info such as account numbers, nor any personal info about the users themselves. I don’t think it needs 2FA at this time.

    08 November 2022
  • It does however have your email and how much money you have in the bank, investments & retirement funds.

    With this information they know who to attack, who is worth attacking and where to attack. This would be plenty to start a spear phishing campaign to go after their retirement funds or investments if they know they have 1m sitting there.

    08 November 2022
  • The more info I add to PL the more I feel this is a necessary feature

    15 January 2023
  • I second @Skyr’s perspective. As a simple projection planning tool with approximate details, I don’t really see a need for 2FA. However the more information I add to this for more accurate simulations & planning, the more I feel like 2FA is mandatory.

    03 March 2023
  • TOTP/FIDO or U2F options are ones I’d like to see - they’re the better MFA options anyways, but also won’t trigger extra direct costs like SMS services would.

    02 May 2023
  • Yep I would say

    TOTP - Best experience / security

    SMS - Good for newbies but less secure and incurs a cost

    FIDO - Great but a nice-to-have as it’s only really used by more technical people

    I also had a thought that might make this lower priority. If you use Google login then you do get MFA but it would be nice to not rely on social logins.

    02 May 2023
  • I upvoted and strongly advocate for the use of TOTP authenticator apps rather than SMS

    29 June 2023
  • As Lee mentioned, using a 2FA-enabled Google account for login should be pretty effective for now.

    29 June 2023
  • Google account for 2FA is fine, however if we have already purchased lifetime with an “Email” account rather than a Google account, it seems like there is no workaround to “link” the accounts?

    30 June 2023
  • If you shoot me an email or message on Discord, I may be able to help with that manually.

    15 July 2023
  • I also think this is a very important feature from a security perspective so I hope it will become the highest priority.

    14 September 2023
  • Using a 2FA-enabled Google account for login is already possible, if it’s a concern for you.

    14 September 2023
  • Sorry to be a contrarian, but I specifically did NOT use, and won’t use, a Google account for log in.

    1) Google/Gmail is already a juicy target and I want to minimize/slow the impact of a Google account hack; it’s bad enough they can start using Gmail for password recovery, I don’t need to provide instant access

    2) If I ever want to “fire” Google it’s that much harder if I am using it to log into everything else. I use a password manager for a reason.

    So having an authentication based 2FA is my preferred solution.

    18 September 2023
  • Kyle, have you considered supporting passkeys instead of/in addition to 2FA? Don’t know how easy it would be to implement at this fairly early stage of penetration as a general purpose authentication medium, but it’ll probably be table stakes for personal financial applications before too much longer.

    18 September 2023
  • FIDO2 and Passkeys support would be great

    10 October 2023
  • @Yannick, definitely lots of momentum for passkeys as an authentication standard: https://blog.google/technology/safety-security/passkeys-default-google-accounts/

    I wish Changemap would support passkeys, too. ;)

    10 October 2023
  • 2FA should be table stakes at this point.

    06 July
  • At this point, maybe this item should be updated to “provide / enable passkey support”?

    06 July
  • I would like to second updating this feature request to be “enable passkey support”. That is definitely the direction the industry is trending.

    Also, I agree that while the need was initially lower because PL did not have direct access to brokerages, banks, etc., the amount of info in the app makes it important to better protect.

    Thank you for the consideration!

    07 July
  • Monday Kyle Nolan moved this task into In progress