Security of the new AJ Bell log in

The "new and improved" log in feature in the Android app uses the phone's browser and the user enters the same full password each time. This all seems very 2010 when apps were just a WAP shortcut and a security concern when the device recognition can be verified with insecure SMS. Is it the same on iphone? Previously the app was self contained without using the browser and varying characters from the password were requested. Has anyone been able to tighten their log in security by asking AJ Bell?

Comments

  • george4064
    george4064 Posts: 2,811 Forumite
    First Anniversary Photogenic Name Dropper First Post
    edited 24 April 2022 at 6:48PM
    I think the app now directs you to the browser because they haven’t yet incorporated the 2FA into the app.

    I actually can’t login via the app on my Android phone at the moment (when I switch to my authentication app from the browser opened by the YouInvest app and back to the YI app to enter the code I have to start again, creating a never-ending circle), so I’m just sticking to browser on my iPad/computer and hope they fix it in the future.
    "If you aren't willing to own a stock for ten years, don't even think about owning it for ten minutes" Warren Buffett

    Save £12k in 2021 - #027 £15,268 (76%)
  • masonic
    masonic Posts: 23,289 Forumite
    Photogenic Name Dropper First Post First Anniversary
    edited 24 April 2022 at 7:38PM
    hoc said:
    The "new and improved" log in feature in the Android app uses the phone's browser and the user enters the same full password each time. This all seems very 2010 when apps were just a WAP shortcut and a security concern when the device recognition can be verified with insecure SMS. Is it the same on iphone? Previously the app was self contained without using the browser and varying characters from the password were requested. Has anyone been able to tighten their log in security by asking AJ Bell?
    If you log in again using a web browser, then you can set up 2FA via authenticator app (again if you had it previously, you'll need to set up with a new QR code). You can then require this every time you log in and you can disable SMS and email verification. It will bounce you to the website for authentication. Enabling biometrics will bypass the web-based login entirely.
    Overall seems like a good balance of options available. I was concerned they'd be forcibly downgrading us from authenticator app to SMS, and am certainly pleased SMS can be turned off as an option.
  • Prism
    Prism Posts: 3,803 Forumite
    First Anniversary Name Dropper First Post
    Various characters from the password was poor security. Much better with the full password.
  • Officer_Dibble
    I'd always assumed that the random characters foiled keyloggers, whereas the full password could more easily be recorded. Could be a wrong assumption.
    4.7kWp (12 * Hyundai S395VG) facing more or less S + 3.6kW Growatt inverter + 6.5kWh Growatt battery. SE London/Kent. Fitted 03/22 £1,025/kW + battery £2495

  • masonic
    masonic Posts: 23,289 Forumite
    Photogenic Name Dropper First Post First Anniversary
    edited 25 April 2022 at 6:45AM
    I'd always assumed that the random characters foiled keyloggers, whereas the full password could more easily be recorded. Could be a wrong assumption.
    What is needed for this is something that varies each time you log in. The one time code fulfils this role without weakening the password security. A compromised system can be wholly taken over by fraudsters after the user logs in. The only defences against this are to prevent it happening in the first place through good device security, and requiring confirmation involving an external communication channel for sensitive tasks.
    Full password entry also makes the login process more password-manager friendly, enabling the password to be provided securely via API, thereby avoiding it being entered via keyboard or clipboard, and defeating keyloggers and screen capture software.
  • Prism
    Prism Posts: 3,803 Forumite
    First Anniversary Name Dropper First Post
    One additional problem with the random character method is that AJ Bell are likely to have the original password stored somewhere in their system so they can do the character checking at logon. This means that if they were to be compromised, everyone's password could be leaked.

    When using a full password there is no need for AJ Bell to store it anywhere. They would typically only need a hash of it. The password itself would never leave your device.

    Besides, passwords in general are pretty weak nowadays unless you use a password manager along with multi-factor authentication.
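The storage difference Prism describes, as an added illustration that is not from the thread or from AJ Bell (the password string, iteration count and positions are constructed sample values): a full-password login lets the server keep only a salted PBKDF2 hash, while a "characters 3, 7 and 12" check needs something it can compare character by character, which is why a breach of that table leaks more.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample credential; not a real account value.
SAMPLE_PASSWORD = "correct horse battery staple 42"
PBKDF2_ROUNDS = 200_000  # assumed work factor for the example


def register_full(password: str) -> dict:
    """Full-password scheme: keep a random salt and a PBKDF2-HMAC-SHA256 digest.
    The plaintext is discarded after registration."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify_full(record: dict, candidate: str) -> bool:
    """Recompute the digest from the whole password typed at login and compare in
    constant time. Nothing reversible is ever stored."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


def register_partial(password: str) -> dict:
    """Random-character scheme: to check arbitrary positions later the server must
    retain a per-character comparable form. Storing the plaintext is the simplest
    version; per-position hashes are possible but each position has only a few
    bits of entropy, so they are cheap to reverse from a leaked table."""
    return {"plaintext": password}


def challenge(record: dict, k: int = 3) -> list:
    """Pick k distinct 0-based positions for this login (the site shows them 1-based)."""
    return sorted(secrets.SystemRandom().sample(range(len(record["plaintext"])), k))


def verify_partial(record: dict, positions: list, chars: str) -> bool:
    """Compare only the requested characters against the stored plaintext."""
    return all(record["plaintext"][p] == c for p, c in zip(positions, chars))


def breach_exposes_password(record: dict) -> bool:
    """What an attacker holding a copy of the credential row learns directly."""
    return "plaintext" in record
```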
  • hoc
    hoc Posts: 557 Forumite
    First Anniversary Name Dropper Photogenic First Post
    masonic said:
    I'd always assumed that the random characters foiled keyloggers, whereas the full password could more easily be recorded. Could be a wrong assumption.
    What is needed for this is something that varies each time you log in. The one time code fulfils this role without weakening the password security....
    Except AJ Bell are not enforcing one time codes. So nothing varies each time you log in. There is a one time device registration which can be done by SMS then the same full password is enough. It's not even an OTP SMS each time.

  • masonic
    masonic Posts: 23,289 Forumite
    Photogenic Name Dropper First Post First Anniversary
    edited 26 April 2022 at 7:12AM
    hoc said:
    masonic said:
    I'd always assumed that the random characters foiled keyloggers, whereas the full password could more easily be recorded. Could be a wrong assumption.
    What is needed for this is something that varies each time you log in. The one time code fulfils this role without weakening the password security....
    Except AJ Bell are not enforcing one time codes. So nothing varies each time you log in. There is a one time device registration which can be done by SMS then the same full password is enough. It's not even an OTP SMS each time.
    A one time code is absolutely enforced the first time you log in on any device. After which, the device becomes your second factor (a fraudster would need to steal and unlock your previously authorised device to access your account without OTP, they cannot observe you logging in to one device and use that to log in elsewhere), and you can choose by modifying your login settings to enforce one time codes every time you log in on all devices. OTP SMS can be completely disabled in favour of the other OTP options. You can even choose to log in using biometrics only if you wish, meaning no password is needed at all. Wherever you sit on the convenience-security spectrum, these changes should make you happy.
    As Prism quite rightly points out, there's no more risk of your password being exposed in an AJ Bell data breach due to the need to store the actual password in their database. Use of random characters is worse than that, because the practice encourages the use of less complex passwords in the majority of people.
    I don't think any other investment platform gives this degree of control over your security. It does, however, put the onus on you to choose wisely if you want to benefit from the enhanced security, taking into consideration your behaviour and exposure to risks.
  • pjread
    pjread Posts: 1,102 Forumite
    First Post First Anniversary Combo Breaker
    As a lifelong member of the unique 15+ character random password club, the "enter character 18, 12 and 17" prompt was the very worst thing about ajbell.
  • hoc
    hoc Posts: 557 Forumite
    First Anniversary Name Dropper Photogenic First Post
    masonic said:
    A one time code is absolutely enforced the first time you log in on any device. After which, the device becomes your second factor (a fraudster would need to steal and unlock your previously authorised device to access your account without OTP, they cannot observe you logging in to one device and use that to log in elsewhere), and you can choose by modifying your login settings to enforce one time codes every time you log in on all devices. OTP SMS can be completely disabled in favour of the other OTP options. You can even choose to log in using biometrics only if you wish, meaning no password is needed at all. Wherever you sit on the convenience-security spectrum, these changes should make you happy.
    As Prism quite rightly points out, there's no more risk of your password being exposed in an AJ Bell data breach due to the need to store the actual password in their database. Use of random characters is worse than that, because the practice encourages the use of less complex passwords in the majority of people.
    I don't think any other investment platform gives this degree of control over your security. It does, however, put the onus on you to choose wisely if you want to benefit from the enhanced security, taking into consideration your behaviour and exposure to risks.

    AJ Bell's previous method did not necessarily mean passwords could not be hashed. Nor does the current method necessarily mean they are now. Unfortunately I haven't got the energy to get into this or the other academic points to debate on password security.

    As I said AJ Bell are not enforcing one time codes. They allow the user to optionally set up 2FA. It's not quite the same thing. You are correct I can disable SMS as a verification option by selecting another method like email but this activates 2FA on all devices. I don't want SMS as a verification option especially on a new untrusted device so this is good. But I don't want 2FA on a trusted device either. Many banks automatically disable SMS as an option when the customer has the mobile app and this was my expectation from AJ Bell. The additional 2FA control is great but I don't 2FA.
