Why no Two-Factor Authentication?

Thanks for the details!

That's great news! The Google Authenticator follows the same design as the Microsoft Authenticator and the Yubico Authenticator. So people should be able to pick between all 3 just fine.
Also the Yubico Auth has its own support to replace OTP codes with YubiKeys.

Will 2fa be optional? It doesn't add much for me other than extra annoyance as a mobile only user.

1 Like

Yes, 2FA will be optional.

2 Likes

Great. 2FA is the most annoying thing in the world.

Samsung forced the use of 2FA to access their "find my mobile" feature. I recently lost my phone, logged into find my mobile on the laptop and got a pop-up "We have sent a 2FA sms code to your mobile. Please type it in here to activate find my mobile". WHAT?

1 Like

Will it be restricted to Google Authenticator or will we have an SMS option? Maybe even another app like Authy?

Authy should be just fine, I think Google Authenticator is probably just the best known app for generating the OTPs, but the protocol is standard and implemented by various apps. Wherever I see a site offering Google Authenticator, I scan the QR code with Authy and it works just fine.

1 Like

I confirm this will be possible.

1 Like

Tbf it's already known to be optional and it will be by an app not SMS.

Mobile users will typically be fine but you can access T212 through a web browser. It's quite possible to lose creds or web browser profiles on a PC, even with my 50+ character randomly generated password I understand why 2FA is vital.

@George any news for the release date?

3 Likes

We are in August now and I am considering withdrawing my funds from the platform (which I otherwise love) due to lack of support for this essential security feature.

I would like to hear this story, how will someone with access to your credentials steal your money? I presume this is your concern and thus asking for 2fa.

I'm not at the point of withdrawing funds over it but my concern would be that with a single password / phone pin code someone could log in, sell all of my positions and Yolo me on cineworld which wouldn't normally be part of my risk appetite.

They might not be able to withdraw cash to their own accounts but they could do some serious damage to my account balance.

Not that other brokers should have an influence on good security practice, but where are you going to go? Pretty sure most brokers don't have 2fa because they are all dinosaurs. So yeah, you are currently on the best platform. If you want to leave it for a worse one, go right ahead I guess.

@Mirlo It's not that likely they would be able to do much damage. All they can do is start closing positions, at which point you would get notifications. If you can get control of the account again, just rebuy what they sold. You would lose fractions of a percent, maybe even gain if the price drops further. That's all hypothetical anyway because there hasn't been a known breach yet, and I'm sure the T212 team would rectify things for you so that the number of shares of each stock was as it was again.

1 Like

Degiro has 2fa and I wouldn't qualify it as dinosaur. I moved from them to 212 Trading, due to transaction fees charged by Degiro, but from a security standpoint they are doing a better job.

Fair enough. I agree 2fa should be a higher priority for T212. But I don't really think it's that big of a deal. I added some extra reasoning in my previous post as to why.

2 Likes

Yes, losing money is my primary concern. TBH my understanding of cyber security is still relatively limited, therefore I don't have a good explanation for how a malicious actor can exploit this vulnerability (opening a bank account in my name with stolen credentials, connecting that bank account to my 212 Trading account and cashing out, using my compromised machine comes to mind). However, me not having a good explanation doesn't change the fact that this is a vulnerability nevertheless. Mirlo mentions seeing notifications as soon as a malicious actor starts selling positions, but what if I am not a day trader and only log in once a month/quarter to set my buy orders and have disabled the notifications to have peace of mind?

This is why I was suggesting a trade confirmation option, I don't care so much if someone gets into my account, what I care about is someone trading on my behalf and the pain of rolling this back…

If they were to make a bank account in your name, they would still not be able to withdraw the fund to the account. Anti-money laundering laws prevent the return of funds to anything other than the original source. You also receive contract note emails the next day to notify you of activity.

@trader787 I understand fully, it would not be nice to go through. And I'm not saying that 2fa is not important or shouldn't be done. All I'm trying to say is, if you have a strong unique password you should be pretty secure. I'm just trying to explain why it's not as scary as it sounds to have no 2fa. Bigger brokers with much bigger average account sizes don't use 2fa. And their clients are also very unsavvy boomers that can barely use the internet (no offence boomers).

1 Like

@nickspacemonkey I totally agree and wouldn't personally use 2fa when or if it is implemented

1 Like

I am sure that it is possible to circumvent this by depositing some funds from the new account and changing settings on your T212 account to make it your primary bank account, before making the withdrawal. However, this might be a silly example that I managed to come up with in 5 mins having a very limited understanding of the internal mechanics and I am sure that people with a more sophisticated understanding of the system could come up with a more elaborate con. The fact that it hasn't been done on T212 doesn't prove that is not possible or wouldn't be done in the future.

I understand that the implementation of new security features takes time and the Pandemic probably messed up their timeline. However, keeping your customers who are concerned with this informed on the progress would be appreciated.

1 Like