Two Factor Authentication

I would like to see non-SMS two factor authentication (2FA), i.e. Google Authenticator, Symantec VIP, etc. I travel a lot and often swap out SIM cards, so the current system is very user unfriendly. Also, text message 2FA is less secure. Why does Revolut not offer leading edge security and convenience?

22 Likes

Hey @aricaustin :slight_smile:

I'd say it's for the sake of convenience.
If people are having issues realising they need to keep their number + SIM if they want to log in, imagine making them realise they have to keep another app installed 24/7 that cannot be as easily switched as a SIM.

1 Like

Why not offer both options? :slight_smile:

9 Likes

I travel a LOT & cannot keep track of the different SIM cards I use.

So although I thought Revolut would be awesome at first while traveling, this silly 2FA via SMS is making me think the opposite.

Revolut, please provide the option to do the 2FA via Google Authenticator & make the world travellers' life much easier.

6 Likes

Hi Julio,

Some people travel a LOT & cannot always keep the same phone number (SIM card), making this authentication mechanism really inconvenient.

Plus, there are known hacking methods for 2FA via SMS.

3 Likes

What's most disappointing is the fact that my old-school bank here in Germany has a nice app that I can use to verify transactions. Totally SIM-agnostic and super secure. No need to swap SIMs and much more difficult to hack. In the meantime, you have Revolut, which bills itself as high tech, modern, cutting edge, etc., go old-school and make life difficult for travelers.

2 Likes

Don't get me wrong, I would appreciate an app-based 2FA. But it is a myth that it would be "super secure", as German IT security researchers from the University of Erlangen-Nürnberg showed.

1 Like

Don't quite agree. It looks like this is a one-time flaw which can be fixed ("Ursache ist eine Schwachstelle bei einem externen Dienstleister", i.e. the cause is a vulnerability at an external service provider).

More importantly, I believe it's generally accepted that it's more secure than SMS. So just because 2FA isn't perfect, it's still the only alternative (that I know of).

I stand by 'super secure' if 2FA is done correctly… :slight_smile:

1 Like

This is not the first security flaw they found, it is actually the 3rd one, after looking into photo TAN a while ago (if I remember correctly) and then N26. All three of them are app TAN systems. The major concept flaw is, as the main researcher pointed out at the Chaos Computer Congress in winter, using both the app for online banking and the TAN app on the same device. And isn't it ironic that a piece of software that was meant to make the system more secure actually created the back door?

If you want to talk "super secure", you need setups like TAN generators that use chip cards, for example.

Don't get me wrong, I am not against app TAN. I just don't think it qualifies for the label "super secure".

I'm quite concerned that my Revolut business account is using email verification, which is incredibly insecure. A malicious employee with admin access to email could easily hijack multiple users' accounts and transfer all my savings away. Alternatively, if someone is AFK for a few minutes, someone could quickly log in to their computer, make themselves payments and verify using their open email account.

Would be much more secure if it used phone instead of email.

I would also like to see that option. Of course it doesn't have to be mandatory.

What's so hard about keeping an app installed "24/7"? Does it need food?

The typical user has 80+ apps installed "24/7". Many users already have Google Authenticator installed, because serious financial (and other) services support it: Coinbase, Kraken, GitHub etc. Anyway, Google Authenticator 2FA would be optional, to preserve the convenience of SMS 2FA.


@klusek: please ask the dev team to prioritize implementing 2FA via Google Authenticator, over "dark mode for the fans".

Revolut users have already been victims of SIM attacks

Another, large-scale, SIM swapping attack documented by Europol:

A total of 8 criminals have been arrested […] as a result of an international investigation into a series of sim swapping attacks […] targeted thousands of victims throughout 2020 […] The criminals are believed to have stolen from them over USD 100 million in cryptocurrencies after illegally gaining access to their phones.

  • Try to use two-factor authentication for your online services, rather than having an authentication code sent over SMS
  • When possible, do not associate your phone number with sensitive online accounts

1 Like

For the WebApp, I would like to see 2fa done via the phone app as with Starling.

When you try and log in on the web you get a message in the phone app.
You log in to the phone app via biometrics, then allow the login on the web by clicking 'accept' or something similar in the phone app UI. Additionally, the user is presented with a QR code on the web app, which you then scan with your phone.

I believe this is very secure and convenient.

I also think having the WebApp not able to save login details via the browser, just pushes people into having simple insecure passwords - which is a bad move.

Having 2fa via the phone app would allow enough security.
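The approve-in-the-app flow described in the post above, as an added example that is not part of the thread and not Starling's or Revolut's code. It assumes, for illustration only, that each enrolled phone holds a random per-device key which the server also stores, so an approval is an HMAC over the challenge; a production app would keep a key pair in the phone's secure hardware so the server holds only the public key. The origin, user and session names are constructed sample values. What it adds to the description: the challenge is single-use, expires, is bound to the web session and origin, and a "deny" cannot be replayed as an "approve".

```python
import hashlib
import hmac
import json
import secrets
import time

# Added example (not Starling's or Revolut's code): a minimal "approve this web
# login in the phone app" flow. Assumption: a shared per-device HMAC key stands
# in for the per-device key pair a real app would keep in secure hardware.

CHALLENGE_TTL = 120  # seconds a pending web login remains approvable


def approval_tag(device_key, challenge_id, challenge, session_id, origin, decision):
    """MAC over everything the phone was shown. Binding all fields means a tag
    cannot be re-used for another session or origin, and a 'deny' cannot be
    turned into an 'approve' by whoever intercepts it."""
    msg = "\n".join([challenge_id, challenge, session_id, origin, decision]).encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def qr_text(payload):
    """What the web page would encode in the QR code (or push to the phone)."""
    return json.dumps(payload, sort_keys=True)


class LoginApprovalServer:
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry can be tested
        self.devices = {}       # device_id -> (user, device_key)
        self.pending = {}       # challenge_id -> pending login record

    def enroll_device(self, user, device_id, device_key):
        self.devices[device_id] = (user, device_key)

    def start_web_login(self, user, session_id, origin):
        """Runs after the web password step; the returned payload goes to the phone."""
        rec = {
            "challenge_id": secrets.token_hex(8),
            "challenge": secrets.token_hex(32),
            "session_id": session_id,
            "origin": origin,
            "user": user,
            "expires": self.clock() + CHALLENGE_TTL,
        }
        self.pending[rec["challenge_id"]] = rec
        return {k: rec[k] for k in ("challenge_id", "challenge", "session_id", "origin")}

    def finish_web_login(self, challenge_id, device_id, tag):
        """True only for a fresh, unexpired 'approve' from one of this user's phones."""
        rec = self.pending.pop(challenge_id, None)  # single use: a second attempt fails
        if rec is None or self.clock() > rec["expires"]:
            return False
        owner, key = self.devices.get(device_id, (None, None))
        if owner != rec["user"]:
            return False
        expected = approval_tag(key, challenge_id, rec["challenge"],
                                rec["session_id"], rec["origin"], "approve")
        return hmac.compare_digest(expected, tag)


class PhoneApp:
    def __init__(self, device_id, device_key, expected_origin):
        self.device_id, self.key, self.expected_origin = device_id, device_key, expected_origin

    def respond(self, scanned, biometric_ok, user_accepts):
        """Biometric unlock gates any response; the app only answers for the site it
        was enrolled with. Caveat: this origin comes from the payload, not from the
        browser, so a phishing page relaying a genuine QR code is not caught here;
        WebAuthn closes that gap by having the browser assert the origin itself."""
        if not biometric_ok:
            return None
        p = json.loads(scanned)
        if p["origin"] != self.expected_origin:
            return None
        decision = "approve" if user_accepts else "deny"
        tag = approval_tag(self.key, p["challenge_id"], p["challenge"],
                           p["session_id"], p["origin"], decision)
        return self.device_id, p["challenge_id"], tag


def demo(clock=time.time):
    """Happy path, then a replay of the same approval: returns (True, False)."""
    server = LoginApprovalServer(clock)
    key = secrets.token_bytes(32)  # generated at enrolment (constructed here)
    origin = "https://business.revolut.com"
    server.enroll_device("alice", "phone-1", key)
    phone = PhoneApp("phone-1", key, origin)
    payload = server.start_web_login("alice", "web-session-42", origin)
    device_id, cid, tag = phone.respond(qr_text(payload), biometric_ok=True, user_accepts=True)
    return server.finish_web_login(cid, device_id, tag), server.finish_web_login(cid, device_id, tag)


if __name__ == "__main__":
    print(demo())
```

The server pops the pending record before checking anything, so even a failed attempt burns the challenge; the web session has to start a new login rather than let an attacker keep guessing against the same one.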

Hi there.

Isn't that already implemented? Here is the request I get on my phone when logging in on the web.

That's good news, but I am not seeing that on the Business app in the UK.

Should be similar for business. Here's how it looks for me. Might be worth asking support.

(Also, I don't have problems using password managers with Revolut. Works well for me.)

1 Like

Well this is very confusing.

I don't get the choice of using the app for auth and I don't get the Chrome password manager saving my details. I do in the community forum, just not on the https://business.revolut.com/ web app.

I don't have any settings for any of these things either.

I'll contact support.
Thank you @Frank, you have been very helpful

1 Like

I have chatted with support and you can't do this in the Business app:

you can log in via the e-mail process where you can basically receive the verification mail to your phone, or you can use a text message option which will send a sms to your phone number, but we do not have an option where you can verify that from the mobile Business app.

Well, that means there's no feature parity between UK and EU apps then.

A very important benefit of time-based tokens is that hardware solutions exist, so the secret can be stored away from the device where Revolut is used. Even using a second/old phone would be an option, as you don't require a second phone number but just an app.

And this ignores all the basic flaws with using SMS 2FA, like notifications with tokens on locked screens, social engineering attacks to get access to people's phone numbers, the ability to scrape them with even the simplest phone malware…

For desktop, WebAuthn would also be a nice option.
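The time-based tokens this post refers to, and the Google Authenticator support the opening post asks for, as an added example that is not part of the thread and not Revolut's or Google Authenticator's code: RFC 6238 TOTP on top of RFC 4226 HOTP, using the standard library only. It assumes the defaults Google Authenticator uses (HMAC-SHA1, 6 digits, 30-second steps) and a server-side verifier that tolerates one step of clock skew and refuses to accept the same step twice; the secret in the demo is RFC 6238's published test secret, not a real one, and the issuer/account names are made up. The point the post makes is visible in the code: the only shared state is the 20-byte secret, so the token works on any device, including a hardware token or an old phone with no SIM.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Added example (not Revolut's or Google Authenticator's code): RFC 6238 TOTP over
# RFC 4226 HOTP with Google Authenticator's default parameters. No phone number or
# SIM is involved anywhere; the shared secret is the whole enrolment.

TIME_STEP = 30
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=TIME_STEP):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at) // step)


def verify_totp(secret, code, at, window=1, used_counters=None):
    """Server-side check: accept the current step and +/- `window` neighbours for
    clock skew, compare in constant time, and (if a replay set is supplied) refuse
    to accept the same step twice, so a code is single-use even while still valid."""
    counter = int(at) // TIME_STEP
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if hmac.compare_digest(hotp(secret, candidate), code):
            if used_counters is not None:
                if candidate in used_counters:
                    return False
                used_counters.add(candidate)
            return True
    return False


def decode_base32_secret(text):
    """Authenticator apps take the secret as base32, usually shown in spaced groups
    and without '=' padding; normalise before decoding."""
    cleaned = text.replace(" ", "").replace("-", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def provisioning_uri(issuer, account, secret):
    """The otpauth:// URI that an enrolment QR code encodes (Key Uri Format)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={TIME_STEP}")


if __name__ == "__main__":
    # RFC 6238's published test secret; a real enrolment uses os.urandom(20).
    secret = b"12345678901234567890"
    print(provisioning_uri("ExampleBank", "aricaustin", secret))  # constructed names
    print("current code:", totp(secret, time.time()))
```

The replay set is the detail most home-grown verifiers miss: without it, a code read off a locked screen or shoulder-surfed is good for the rest of its 30-second window plus the skew allowance.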