Question: If I've already initially logged into the Fidelity app on my phone using my username, password, and 2FA via Symantec VIP Access, and then enabled biometric authentication, why do I need to provide the VIP Access code EACH time I need to access the app?

Reasoning: Having users access the Fidelity app via biometrics and 2FA each time makes no sense. The Fidelity app and Symantec VIP Access app are both on the same phone. Once I've completed the initial username/password/2FA, I shouldn't need to switch apps to copy/paste the 2FA code for every login...again, from the same phone. After going through initial authentication, my phone should be tracked as a Trusted Device. I don't mind if I'm asked to re-authenticate with UN/PW/2FA every 90 days or so, but every login is ridiculous. Think about it, what security threat is the current policy trying to mitigate? If someone were to break into my phone (either physically or remotely), requiring 2FA on top of biometric authentication makes no sense since they already have access to the VIP Access app on my phone. At that point, the only way they'd get access to my Fidelity account is if I were there for the biometrics. I work in cybersecurity (over 10 years now) and trust me, the current policy doesn't enhance security. It only frustrates customers.

EDIT: I use the USAA app (for insurance and banking) and they use Norton's Symantec VIP Access as well, but it isn't required for each logon on their app. Just for initial app login and logging into USAA via a browser. Maybe require 2FA for sensitive activities on the app such as making a transaction and changing user profile information after a device is recognized as a Trusted Device. If someone tried to log in to the app from another device for the first time, Fidelity should be able to tell that it is a first-time login attempt from that device, i.e. it has yet to be recognized as a Trusted Device. To make a phone a Trusted Device, Fidelity needs to capture a device's MAC address and public IP address. Also use cache and cookies to store on the device app after a successful initial logon. If those cache and cookies aren't there, and if the public IP and device MAC address change, then require UN/PW/2FA/biometrics, i.e. one would have to prove with something they know (UN & PW), something they have (2FA), and who they are (biometrics) to be able to be trusted again. The public IP would change if a user logs in to different Wi-Fi networks, when using VPNs, and when connecting to their cellular provider. Fidelity should give users the ability to choose if that new public IP address should be stored by Fidelity as part of the user's Trusted Device information. I agree with only allowing one Symantec VIP Access Credential ID at a time. As aforementioned, I do this for a living. That logic is sound, especially the requirement to have the user call Fidelity to set up VIP Access. I'd like to know what the back shop team thinks and where my logic is off.

I'm still waiting for a reasoned response from Fidelity either explaining why OP's logic is wrong or that they'll submit OP's suggestion to development. So requiring the 2FA every time seems to be a case of security by obscurity, which is not a great security tactic. It's like hiding the key to the front door of a house under a rock on the front porch. That is, unless the fingerprint login can be compromised remotely, which is an operating system behavior out of the control of Fidelity. I'm all for the most secure login and access that provides real security.
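As an added example (not code from the thread, from Fidelity or from Symantec), here is one way to write the step-up decision the original poster sketches above: a trusted-device record, a full password + OTP + biometric login on an unrecognised device or after 90 days, a second factor on a new public IP or for sensitive activities, and user consent before a new IP is remembered. It uses a random per-device token in place of the MAC address, since a server reached over the internet never sees the phone's MAC; the names, the 90-day value and the action labels are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Policy knobs, constructed for this example (not Fidelity's actual values).
REAUTH_DAYS = 90
SENSITIVE_ACTIONS = {"transfer", "change_profile"}
FULL_AUTH = frozenset({"password", "otp", "biometric"})


@dataclass
class TrustedDevice:
    """Server-side record written after a successful password + OTP + biometric
    login. device_token is a random secret kept in the app's local storage; it
    stands in for the MAC address in the post, which a remote server cannot see."""
    device_token: str
    known_ips: set = field(default_factory=set)
    days_since_full_auth: int = 0


@dataclass
class LoginAttempt:
    device_token: str | None  # None when the app's local storage was cleared
    public_ip: str
    action: str = "view"      # or "transfer", "change_profile", ...


def required_factors(device: TrustedDevice | None, attempt: LoginAttempt) -> frozenset:
    """Factors to demand: knowledge (password), possession (OTP), inherence (biometric)."""
    if device is None or attempt.device_token != device.device_token:
        return FULL_AUTH  # unrecognised device: prove all three
    if device.days_since_full_auth > REAUTH_DAYS:
        return FULL_AUTH  # periodic full re-authentication
    if attempt.public_ip not in device.known_ips:
        return frozenset({"otp", "biometric"})  # new Wi-Fi, VPN or cellular IP: step up
    if attempt.action in SENSITIVE_ACTIONS:
        return frozenset({"otp", "biometric"})  # sensitive activity: step up
    return frozenset({"biometric"})  # routine login on a trusted device


def remember_ip(device: TrustedDevice, ip: str, user_consents: bool) -> bool:
    """Add a new public IP to the trusted record only when the user opts in."""
    if user_consents:
        device.known_ips.add(ip)
    return ip in device.known_ips


if __name__ == "__main__":
    dev = TrustedDevice("tok-abc", {"203.0.113.5"})  # constructed sample record
    print(sorted(required_factors(dev, LoginAttempt("tok-abc", "203.0.113.5"))))
```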