Keep your account safe

@laguiar. Would you allow someone to open the phone app and access the hardware in the challenge? :smiling_imp: I need to call my software engineer friend to give him the instruction set and the memory for him to run a disassembly on it.

Hi mate, thanks for explaining this. @Tony.V look forward to hearing back. Regardless - I think 2FA is a good feature to implement as an extra security precaution. You can never be too careful with online security these days!

@EquityInvestor That’s precisely how our AML protection works. :+1:

@Cartoonheart Confirmed. :white_check_mark:

That is reassuring but only to a certain extent. They could still do some damage and wipe out your account in some stocks. 2FA is the norm and as @Cartoonheart said, should be prioritised.

The issue that I always see with 2FA is that without your phone you cannot do anything.

Even simpler, if you run out of data or are on holiday abroad you cannot monitor and Buy/Sell/Withdraw anything. If you lose your phone or it gets stolen you cannot even buy some shares on the browser version, you would have to wait until you get a new sim card with the same mobile number.

The main issue I see with the current system is if someone accesses your account using your password and decides to waste the money on something, for example on CFDs (I only invest in Equity, which has less risk and I find more logical). That would be a risk.

Here is what you may consider using in the meantime, guys. :v: We don’t underestimate the importance of 2FA, though. It will be added soon.

@Tony.V

The only loophole I found in this approach is the web browser, as it doesn’t require any of the mentioned.

It would be beneficial if we could disable web app access. Also, I have not tested what happens if we have 2 Android devices and use them to access the account.

On one we set up a passcode, on the other we don’t.
Does the primary app install enforce an account-based passcode/biometrics? Or is it per app, meaning it can be voided if the app is installed on a 2nd phone?

It looks like the passcode / biometrics applies only to the device it has been set on, which offers some additional protection e.g. if someone steals your phone. But I don’t think it protects against someone hacking or guessing your password and being able to access from another device.

I also think 2FA would go a long way to protecting against this, but it can be set up in such a way that you don’t need to use it at every login, but perhaps only when being accessed by a new device.

Actually, this would be quite good. Especially if it then gives you the option to remove an “Authorised device” if it is stolen. E.g. if your laptop/phone is stolen, you could remove it as an Authorised Device to avoid the robber accessing your account.

Using a trusted device can put you at certain risk: someone can mimic the device, thus bypassing the 2FA.

It would have to be proper risk auth, based on multiple factors, like geo location, device fingerprint, source IP/network, usual pattern of usage, etc.

Simple push notification would make it rather user friendly with minimum burden for extra authentication.

To me, the only time I would really need tfa is when I (or someone else) tries to withdraw money from the account. The other times I’m less fussy.
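
The ideas raised across this thread (2FA only for a new device, removing an authorised device, risk-based checks over several signals, and always challenging withdrawals), sketched as an added example that is not part of any post or of the platform's own code. All names, weights and thresholds are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical weights and threshold, constructed for illustration only.
WEIGHTS = {"unknown_device": 40, "new_country": 30, "new_network": 15, "odd_hour": 15}
STEP_UP_AT = 40
ALWAYS_STEP_UP = {"withdraw"}  # money leaving the account is always challenged


@dataclass
class Account:
    trusted_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_networks: set = field(default_factory=set)
    usual_hours: tuple = (7, 23)  # [start, end) in local time

    def revoke_device(self, device_id: str) -> None:
        """Remove a lost or stolen device from the authorised list."""
        self.trusted_devices.discard(device_id)


@dataclass
class Request:
    action: str
    device_id: str
    country: str
    network: str
    hour: int


def risk_score(acct: Account, req: Request) -> int:
    """Sum the weights of every signal that deviates from the account's norm."""
    start, end = acct.usual_hours
    signals = {
        "unknown_device": req.device_id not in acct.trusted_devices,
        "new_country": req.country not in acct.usual_countries,
        "new_network": req.network not in acct.usual_networks,
        "odd_hour": not (start <= req.hour < end),
    }
    return sum(WEIGHTS[name] for name, hit in signals.items() if hit)


def decide(acct: Account, req: Request) -> str:
    """Return 'step_up' (ask for a second factor) or 'allow'."""
    if req.action in ALWAYS_STEP_UP:
        return "step_up"
    # A device id can be copied, so a trusted id alone never
    # outweighs the other signals.
    return "step_up" if risk_score(acct, req) >= STEP_UP_AT else "allow"
```

With these constructed weights, a request carrying a trusted device id from an unfamiliar country and network still scores 45 and is challenged, while the same device on a new mobile network at home scores 15 and is allowed.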