Hi,
first of all, I am very grateful that bunq seems to take security more seriously after the recent reports published by NOS and others. However, I don't think that the announced new ‘security features’ will really get to the root cause of the problems regarding phishing. While they are certainly beneficial for making accounts more secure, I think that implementing real two-factor authentication could enhance security even further.
With ‘real two-factor authentication’, I mostly refer to FIDO2/WebAuthn. WebAuthn is certainly the most promising standard for authenticating on the web more securely, and it has the most potential for gaining widespread adoption, with big backers like Microsoft and Google. It provides greatly increased security compared to only using passwords, while remaining user-friendly.
I personally do not consider the current authentication using the face scan/video technology very secure. As has been seen in various phishing attempts, this can be easily circumvented by letting the account holder create a video on behalf of the adversary, who can then authenticate with this video to the face recognition service.
WebAuthn passkeys/security tokens, on the other hand, automatically refuse authentication if the domain of the website does not match the original domain that was used to register that token. Thus, phishing attacks become very hard, since the user cannot be fooled into entering their credentials on a fake website.
Please do at least consider making authentication using FIDO/WebAuthn a possibility for users who wish to increase the level of security on their account. Moreover, reducing other measures like delaying payments could be considered if the user authenticates using FIDO/WebAuthn. Ideally, this could be at the user's choice, and disabling increased protection would incur a delay of some time, e.g. a day or maybe even a week. However, said protection should then only be disabled if the user has authenticated themselves using FIDO/WebAuthn.
I really hope that bunq continues to take security more seriously, even after the current incidents have fallen out of media coverage again, and implements sensible and serious measures to increase the security of accounts.
Thanks for reading.
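The origin binding the post describes is enforced on the relying-party side when it checks a WebAuthn assertion. The following is an added example, not code from the original post or from bunq: a minimal Python model of those checks, verifying that the `origin` the browser records in clientDataJSON and the `rpIdHash` the authenticator puts into authenticatorData both belong to the legitimate site, and rejecting a stale challenge. The domains (`example-bank.test`, `example-bank-login.test`), the challenge bytes and the flag values are all constructed for illustration; signature verification over the assertion is left out so the example stays focused on the binding that defeats look-alike domains.

```python
import base64
import hashlib
import json

# Added example, not from the original post: relying-party checks that make a
# WebAuthn assertion useless to a look-alike domain. All values are constructed.
RP_ID = "example-bank.test"                      # constructed relying-party ID
EXPECTED_ORIGIN = "https://example-bank.test"    # constructed expected origin
CHALLENGE = b"constructed-challenge-0123456789"  # server-issued nonce (constructed)


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, the encoding used inside clientDataJSON."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding urlsafe_b64decode needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes, typ: str = "webauthn.get") -> bytes:
    """Model of what the browser places in clientDataJSON for a get() ceremony.
    The browser, not the web page, fills in the origin."""
    payload = {"type": typ, "challenge": b64url_encode(challenge), "origin": origin}
    return json.dumps(payload).encode("utf-8")


def make_authenticator_data(rp_id: str, flags: int = 0x01, sign_count: int = 1) -> bytes:
    """First 37 bytes of authenticatorData: rpIdHash || flags || signCount.
    The authenticator hashes the RP ID the browser handed it."""
    rp_id_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    return rp_id_hash + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes, expected_origin: str,
                             expected_rp_id: str):
    """Return (accepted, reason) for the origin/RP-ID/challenge checks only."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if client_data.get("origin") != expected_origin:
        return False, "origin mismatch (assertion was produced for another site)"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(expected_rp_id.encode("utf-8")).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "accepted"


def demo():
    """Genuine login versus a login ceremony run on a look-alike domain."""
    genuine = verify_assertion_binding(
        make_client_data(EXPECTED_ORIGIN, CHALLENGE),
        make_authenticator_data(RP_ID),
        CHALLENGE, EXPECTED_ORIGIN, RP_ID)
    # On a look-alike site the browser records that site's real origin and the
    # authenticator hashes that site's RP ID, so the relying party rejects it
    # even though the user completed the ceremony in good faith.
    lookalike_origin = "https://example-bank-login.test"   # constructed
    phished = verify_assertion_binding(
        make_client_data(lookalike_origin, CHALLENGE),
        make_authenticator_data("example-bank-login.test"),
        CHALLENGE, EXPECTED_ORIGIN, RP_ID)
    return {"genuine": genuine, "phished": phished}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The check that matters for the post's argument is the origin comparison: because the browser writes the origin itself and the authenticator hashes the RP ID, neither value is under the control of the page asking for the assertion, which is why a credential registered for the real domain cannot be replayed from a look-alike one.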