I would like to see non-SMS two factor authentication (2FA), i.e. Google Authenticator, Symantec VIP, etc. I travel a lot and often swap out SIM cards, so the current system is very user unfriendly. Also, text message 2FA is less secure. Why does Revolut not offer leading edge security and convenience?
Hey @aricaustin
I'd say it's for the sake of convenience.
If people are having issues realising they need to keep their number + SIM if they want to login, imagine making them realize they have to keep another app installed 24/7 that can not be as easily switched as a SIM.
Why not offer both options?
I travel a LOT & cannot keep track of the different sim cards I use.
So although I thought Revolut would be awesome at first while traveling, this silly 2FA via SMS is making me think the opposite.
Revolut, please provide the option to do the 2FA via Google Authenticator & make the world travellers' life much easier.
Hi Julio,
Some people travel a LOT & cannot always keep the same phone number (sim card). Making this authentication mechanism really inconvenient.
Plus, there are known hacking methods for 2FA via SMS.
What's most disappointing is the fact that my old-school bank here in Germany has a nice app that I can use to verify transactions. Totally SIM-agnostic and super secure. No need to swap SIMs and much more difficult to hack. In the meantime, you have Revolut, which bills itself as high tech, modern, cutting edge, etc., go old-school and make life difficult for travelers.
Don't get me wrong, I would appreciate an app based 2FA. But it is a myth that it would be "super secure", like German IT security researchers from the University Erlangen-Nürnberg showed.
Don't quite agree. It looks like this is a one-time flaw which can be fixed ("Ursache ist eine Schwachstelle bei einem externen Dienstleister", i.e. "the cause is a vulnerability at an external service provider").
More importantly, I believe it's generally accepted that it's more secure than SMS. So just because 2FA isn't perfect, it's still the only alternative (that I know of).
I stand by "super secure" if 2FA is done correctly…
This is not the first security flaw they found, it is actually the 3rd one, after looking into photo TAN a while ago (if I remember correctly) and then N26. All three of them app TAN systems. The major concept flaw is, as the main researcher pointed out at the Chaos Computer Congress in winter, using both the app for online banking and the TAN app on the same device. And isn't it ironic that a piece of software that was meant to make the system more secure actually created the back door?
If you want to talk "super secure", you need setups like TAN generators that use chip cards for example.
Don't get me wrong, I am not against app TAN. I just don't think it qualifies for the label "super secure".
I'm quite concerned that my Revolut business account is using email verification which is incredibly insecure. A malicious employee with admin access to email could easily hijack multiple users' accounts and transfer all my savings away. Alternatively, if someone is AFK for a few minutes, someone could quickly log in to their computer, make themselves payments and verify using their open email account.
Would be much more secure if it used phone instead of email.
I would also like to see that option. Of course it doesn't have to be mandatory.
What's so hard about keeping an app installed "24/7"? Does it need food?
The typical user has 80+ apps installed "24/7". Many users already have Google Authenticator installed, because serious financial (and other) services support it: Coinbase, Kraken, GitHub etc. Anyway, Google Authenticator 2FA would be optional, to preserve the convenience of SMS 2FA.
@klusek: please ask the dev team to prioritize implementing 2FA via Google Authenticator, over "dark mode for the fans".
Revolut users have already been victims of SIM attacks
Another, large-scale, SIM swapping attack documented by Europol:
A total of 8 criminals have been arrested […] as a result of an international investigation into a series of SIM swapping attacks […] targeted thousands of victims throughout 2020 […] The criminals are believed to have stolen from them over USD 100 million in cryptocurrencies after illegally gaining access to their phones.
- Try to use two-factor authentication for your online services, rather than having an authentication code sent over SMS
- When possible, do not associate your phone number with sensitive online accounts
For the WebApp, I would like to see 2fa done via the phone app as with Starling.
When you try and log in on the web you get a message in the phone app.
You log in to the phone app via biometrics, then allow the login on the web by clicking "accept" or something similar in the phone app UI. Additionally, the user is presented with a QR code on the web app, which you then scan with your phone.
I believe this is very secure and convenient.
I also think having the WebApp not able to save login details via the browser, just pushes people into having simple insecure passwords - which is a bad move.
Having 2fa via the phone app would allow enough security.
Hi there.
Isn't that already implemented? Here is the request I get on my phone when logging in on the web.
That's good news,
but I am not seeing that on the Business apps in the UK
Should be similar for business. Here's how it looks for me. Might be worth asking support.
(Also, I don't have problems using password managers with Revolut. Works well for me.)
Well this is very confusing.
I don't get the choice of using the app for auth and I don't get the Chrome password manager saving my details. I do in the community forum, just not on the https://business.revolut.com/ web app.
I don't have any settings for any of these things either.
I'll contact support.
Thank you @Frank, you have been very helpful
I have chatted with support and you canāt do this in the Business app
you can log in via the e-mail process where you can basically receive the verification mail to your phone, or you can use a text message option which will send a sms to your phone number, but we do not have an option where you can verify that from the mobile Business app.
Well, that means there's no feature parity between UK and EU apps then.
A very important benefit of time-based tokens is that hardware solutions exist, so the secret can be stored away from the device where Revolut is used. Even using a second/old phone would be an option, as you don't require a second phone number but just an app.
And this ignores all basic flaws with using SMS 2FA like notifications with tokens on locked screens, social engineering attacks on getting access to people's phone numbers, ability to scrape them with even the most simple phone malware…
For desktop Webauthn would also be a nice option.