Security code login

Add Google Authenticator or send a code to the phone number to log in, please

8 Likes

Yes! I would love this plus some 2 step verification or something for both website and app.

1 Like

Absolutely, this is a must! I can’t believe such an option is not available when so much is at stake…

5 Likes

Or maybe add push-based 2FA. I don't trust SMS codes or OTP; you will notice most major banks have moved away from SMS & OTP codes.

With push-based 2FA one just needs to press allow or accept in an authentication app like LastPass Authenticator or Duo. This keeps it very secure and hassle-free for the user.

1 Like

I believe people are overplaying 2FA.

2FA was security in an age where you had 1 device accessing the resource and a 2nd device used for authentication.

In days when everyone uses 1 device for both access and auth, it loses the majority of the security benefits.

In some circumstances it makes it even less secure, if people don’t lock their phones with a strong passphrase.

I would say the majority use Face ID or fingerprint, which is much lower security than a passphrase.

But I guess it has become a trend where folks are used to 2FA, even though the underlying security is compromised substantially…

Peace :slight_smile:

I am coming to this completely neutral, but I have to disagree with you.

Do you know that the most used tactic for financial theft, or for that matter any breach, is credential theft? 2FA is just another additional security control for authentication to ensure it is the real account owner logging in. It gives me the peace of mind that even if Trading212's website has login/authentication flaws, it can't bypass the 2FA, because someone needs to have access to my phone or, back in the day, a code generator. Since it's on the phone now, yes, it should be locked with PIN/thumbprint or Face ID, otherwise it becomes pointless. I said no to SMS codes as they have their own flaws due to number takeover attacks with the telco.

But you mention using 1 device for auth is pointless. I don't get it. It's not about how many devices you have, it's about how many authentication vectors you have. If you are a desktop user, then in an ideal world you would enter your Uname & Pword, which acts as your first vector, and then if we had 2FA enabled the push notification or SMS code is the second vector. On mobile devices it's the same logic: the app login with your Uname & Pword is the first vector, but then for second-phase authentication a different vector like the push notification or SMS code can be used. Attackers would have to invest a huge amount of time and effort to compromise both vectors. Again, it's not about how many devices you have, because even if it's one device, the vector for authentication is completely different. It is still one more additional third-party step to access the account.

Nothing is going to be 100% secure, but 2FA is just one more additional step to slow hackers down.

Name me one major breach where it was successful even when 2FA was turned on, unless the type of 2FA vector was itself flawed.

Not harping on trend here. I see this day in, day out - I work in this field.

3 Likes

Shame so much text was used without getting the point of where I was going with my comment.

Anyway, good that everyone has their opinion. I've been working with enterprise clients for 10 yrs, so I always like counterarguments.

Cheers

No problem, at least text doesn't cost money; it's quality vs quantity and the devil's in the detail.
I don’t think I will ever make it to 246 posts.

Join the club - 20yrs. Currently @Cisco.

1 Like

This is one important feature missing from Trading212 that I find very crucial for an investment or banking platform. Although possible actions for an intruder are limited, it still feels very insecure without 2FA. Some people may be okay with using only a password, but it should definitely be an optional security step.

I started using Trading212 a while back, but the absence of 2FA makes me think before depositing more.

With only password protection, I should at least be able to see active sessions from different devices and be able to remove them. Under current circumstances, it is impossible to be aware of unwanted successful logins or get notified about logins from new devices as far as I know.

I was under the impression that you get logged out of the existing session once you log in from a new device.

So basically there is no option to have multiple sessions, at least not in the Android/Windows Chrome/FF/app environment…

There was a trick to have a separate session for CFD and Invest account, but it was available via iOS afaik…

I am with you on this, but in the absence of 2FA, your best bet at the moment is to have a highly complex and long password and store it in a password manager.

Usually my passwords look like this, and I don't remember any of my passwords.

oq6qpnw7sbc k02ttfka£c93m!nbcyrtv3fp65osh2976gftvb!kew9w*7po14hz)ms6;dbJ7jdydk

Caveat: if Trading212's password database, or for that matter credential database, is stolen and cracked, we have got no chance. It has happened before with many companies out there. The most recent and large-scale hack in the fintech industry was GateHub.
https://cointelegraph.com/news/gatehub-crypto-wallet-data-breach-compromises-passwords-of-14m-users

2FA was planned a lot earlier. But then came an avalanche of new clients and we had to temporarily switch our priorities to scaling.

We’ll update you with a new deadline for the 2FA release.

9 Likes

Hi Alex, any update on this? It's getting harder and harder depositing funds as the amount increases without 2FA, especially nowadays when it is the norm. Thank you

2FA is an absolute must from an information security perspective. Anyone who suggests otherwise is wrong and misinformed.

It is the de facto standard for account security and reducing the threat vector on authentication.

Trading212 really should kick this up their priority list. Not doing so is seriously harming credibility.

7 Likes

+1 for this. @team212 or @alexk able to advise a timeline at all please?

2 Likes

I agree, need to get security sorted. 2FA / MFA is the standard and has been for many years…
At least add a security question if not code/text etc.

Do your clients ask for a 2FA feature to be included in their platform, or prefer to avoid it? How do you secure your user login/credentials/session/transactions?
Professional advice welcome, please share how it’s done in production these days.

2 Likes

You are right. I made this post 5/6 months ago and @Team212 haven’t implemented it yet.

I hope to see Google Authenticator soon on Trading 212.
It’s a priority for users

It always boils down to financials.
If it was free of charge, everyone would want it. But when there is a license, aka price tag, then only very few insist, and even then it is a very limited subset of consumers.

I personally think that education and awareness are much stronger protection of personal belongings and business data…

Educating people on best practices and what to pay attention to/avoid goes a lot further than 2FA with an uneducated consumer.

I would say the average consumer is not very educated security-wise, uses weak passwords, saves passwords in the browser, uses the same password for all web apps/apps… but then again you will have requests for 2FA from that same consumer.

Anyway, T212 is working on it; it will be a priority probably after the next major release with auto invest.

Till then be smart, use a passphrase, rotate on a monthly basis, don't share a password with email and similar…

Peace