I work for an IT management company and 2FA is essential for us securing our clients. It's absolutely mind blowing that a cloud based financial company has not implemented any sort of 2FA.
I don't understand how this thread has been going for over a year, and everyone from the company keeps saying they have no ETA on this. It's 2020, and hacks are a daily event. I cannot in good conscience continue to allow my banking data as well as my customer's credit cards and other data to be accessible to any 14 yr old with some spare time.
All these comments from the company saying they have no ETA? Pick up the phone, and call whoever it is that is in charge of that department, and get an answer. If they're not working on it, say so. If they are working on it, they have an ETA, what is it? I'd rather know you were working on it, and you don't make the ETA, instead of having to make the obvious assumption that you are putting no effort into this at all. I don't think I need to list all the far less important websites that already offer 2FA as an option.
What is the problem here? Resources? Capital? Leadership? Decision making?! What??!
Hi everyone. We do think MFA is important which is why we've begun discussion around how this can be added to the software. With this being said, I don't have any sort of ETA on the feature, but this is something that the team will continue to discuss so that we can work on when and how to add it.
Sorry Alex, but nowadays all replies from your team are "We don't have any ETA" or "We do not currently plan to support X feature". I feel I haven't seen a single change in Wave Apps since "The 2018 rebrand". Basic features are still missing, no matter how much people complain here.
2FA? We don't have an ETA.
Being able to reorder or add lines between existing lines in an estimate? Not a priority.
Translating basic column headers in invoices? Keep the feedback coming, we love your ideas!
Set your own text as default payment reminders? Thank you for bringing that to our attention.
I'm not sure if your business model is preventing you from putting development efforts where users desperately need them, or if you are just out of touch with your users... Right now, I cannot in good conscience keep using your solution. It's unsecure, I'm losing precious time manually editing payment reminders every time I have to send one, it takes me 5 minutes to add a simple line at the top of an existing estimate, and I cannot get my invoices to comply with my country's language laws. So... after years of frustration, it's time for me to say goodbye and leave what I believe is a sinking ship. I've subscribed to InvoiceNinja which natively supports most of the things your users are requesting in these forums...
Hey @Florian , I understand exactly where you're coming from. I can shed a little bit more light on this process as a whole.
With different business types come different software needs from different users. We're constantly expanding and iterating on our software so that we can grow it while continuing to offer new features and functions. Being a company that specializes in a number of different products (accounting, invoicing, payment processing, payroll) it can sometimes be difficult to give users exactly what they need especially when they use Wave for a very specific product/reason.
With this being said, we understand that you need to do what's best for your business and that Wave may not meet your needs at the moment. We definitely don't want to be the reason that your business isn't able to grow and flourish the way it should and we encourage you to make the decisions that you think are right for you. I do apologize however if the updates you've been looking for haven't yet happened, but my hope is that we can continue to grow the platform in the future and offer all of our users all of the features that they're looking for.
Please continue to check back in the future to see if these vital features have yet been implemented into the software.
I do appreciate you taking the time to address these comments and I'm not blaming anyone at the company individually, but I think I have to agree more with Florian above, you have been saying the exact same thing for 2 years with no progress. Either move forward with something, or just say you're not doing it. There's zero reason ANY company needs to take 2 years before even testing 2FA in some kind of beta mode. It has nothing to do with any of your products, only the login. This is not rocket science, it's a 1 month job (at most!) for a single reasonably competent programmer, not 2 years with a team, and zero progress. Come on.
After 2 years, I think it's time to update your canned response to the question. Either you haven't been working on it at all in the last 2 years, or you need to fire your incompetent programming department. There are turnkey solutions for this if you lack the programming expertise.
I would be (am) annoyed if you just haven't felt like you need to get this done, but I would leave your platform in a heartbeat if I found out you've actually been working on this for 2 years and were unable to make it work, that's just incompetent. I don't think that's the case here, but, your current reply seems geared towards proving me wrong.
What's the problem/hold up here?! How many data breaches of financial information have to hit the news before you think this should be some kind of priority?
You get 1 point for at least reading the forums and responding to your customers, but, the regurgitation of the answer from 2 years ago, forces me to take that point back again.
Exactly what form of data loss do we have to suffer to persuade you that we want, that we NEED 2FA? I struggle to believe that after two years you guys DON'T see this as a priority. Let me tell you the lack of robust security will be sufficient for me to bite the bullet and leave Wave this year.
Hi @MartinGfisher , thanks for your comment. To clarify, two years ago we used a different banking partner, and so any progress which was made toward enabling 2FA on the provider is now moot. On our new partner, which we switched to in January 2020, we have once again begun this journey. Overall this new partner provides more secure & reliable connections long term. Thanks for your patience as we continually re-evaluate how best to approach bank connections in Wave.
If you have concerns about security as well, we have a public-facing outline of everything Wave employs to keep your data safe when using Wave, which you can find here: https://my.waveapps.com/security/
Lastly, I removed the naming of a competing company in your comment as it doesn't comply with our Community posting guidelines.
So we're 6 months down the line from you switching providers. I find it hard to believe that your new provider doesn't already have the makings of a 2FA solution already in place for their other, more security-conscious corporate customers. I agree with other correspondents that this is a 1-2 month implementation. 4 months max if you want a really robust live trial on a small number of live clients.
Seriously, take it to the Leadership team, you're hurting your business by dragging your feet in this way. Don't believe me? Just do a survey to see if people want it then give Ideshini Naidoo 3 months to implement. My guess is she will nail it in rather less.
I don't mind that you removed the competitor's name though I find it curious that you didn't do so on other people's posts. It is with regret that I will now be having to look elsewhere.
I am shocked to learn that WAVE does not yet support 2FA. With the reality that cyber security incidents continue to rise and events happen more and more frequently, 2FA really should be a requirement. This makes me wonder if I should start looking into other alternatives.
@AlexL said:
With different business types come different software needs from different users.
2FA is one of those things that benefits every business type and every different user, including WAVE!
I constantly find myself wanting to recommend Wave to people, but my business is IT consulting and managed services. I cannot in good conscience recommend cloud services (especially an accounting service) that don't have 2FA. It is literally costing you customers.
I too appreciate feedback from Wave in this community, but actual action on a critical piece of security would be better.
@CallieP said:
Hi @MartinGfisher , thanks for your comment. To clarify, two years ago we used a different banking partner, and so any progress which was made toward enabling 2FA on the provider is now moot. On our new partner, which we switched to in January 2020, we have once again begun this journey. Overall this new partner provides more secure & reliable connections long term. Thanks for your patience as we continually re-evaluate how best to approach bank connections in Wave.
If you have concerns about security as well, we have a public-facing outline of everything Wave employs to keep your data safe when using Wave, which you can find here: https://my.waveapps.com/security/
@CallieP - It isn't just about when we're using Wave, or the connections to our bank accounts, though those are significant reasons to have TFA/MFA by themselves. Wave has sensitive information ranging from our personally identifying details, to our financial records. Leaving your customers exposed to a simple username and password combination for this long with the ongoing drastic increase in security breaches is negligent.
As mentioned by others above, I cannot in good conscience recommend Wave as a platform without this baseline feature.
Can someone from Wave explain how offering 2FA requires integration points with your banking partner? Couldn't just the primary login for Wave simply have 2FA to start? Does Wave control its own application's authentication flow?
The way this has languished, I see this as a company culture problem. If you look at the About Us there is not a single individual with the word security in their title. What's odd is that one of the bullet points on Wave's CTO's LinkedIn work history is literally "Led the upgrade of security from single factor to two factor using 1-time pins," and that was over a decade ago.
A suggestion - what about starting small and having 2FA on just the login page for now? You can do the bank integration thing when you have figured it out with third parties.
Let's face it... This company is reactive not proactive. This thread has been going on since 2018. Clearly we will not get any sort of 2fa until it is too late. Time to jump ship. Goodbye Wave
Hi Wave support, I'm a new waver and it's disappointing that after 2 years there has not been any progress in implementing multi-factor or two factor authentication, just promises which have been ignored. It's standard industry practice for any Level 1 PCI-DSS compliant company to enforce multi-factor authentication for secure access control, a lot of companies do this. You're probably aware that companies are being breached at a higher rate than before and you leave users vulnerable to brute force attacks because you only support password authentication as the only type of account security. It's now not a question of if the password will be breached but when. This is a huge concern and draws a big question mark on your management as it seems they are not really concerned as to how user financial data and payments are handled. At this point, I'm considering moving to QuickBooks or another invoicing platform just cause of the security.
I will echo the sentiment other users have. In Q3 2020 2fa is no longer best practice, but crucial for any financial organization that wants to be a contender. We have 2fa on everything in our main organization as a requirement for any software we use. This is a main reason why QuickBooks has our business FWIW.
It doesn't feel like a good sign at all when your silence says soooo much more than your extremely limited and information-free posts regarding this issue.
@marco123 It does look like they are hiding or removing your comments. I could see them appear on the search results page when searching for 2FA though. You said you had an issue due to lack of 2FA and Wave is hiding this from us? Seems... interesting.
I still find it completely irresponsible that this feature request has not been addressed. We absolutely need a feature to protect our accounts outside of usernames and passwords.
I have just registered for an account and was excited to discover this software, but seeing that the most basic of security features is missing worries me about how the rest is handled. I'm unfortunately going to delete my account and have to find another provider because this is unacceptable.
I'll echo what everyone else says, and point out that this is not about your bank integration (that's up to the banks) but about logging into Wave itself on your website. I can log into my account and view all kinds of personal data about my customers and vendors and that's the data I want protected with 2FA.
I find it mind blowing that I can access my Wave account without it, given the type of data my account has in it.
As others have also pointed out, implementing 2FA on your login screen is not rocket science. I'm a programmer, I've done it on my own sites, and it's literally a day or two of work for a single programmer to add support for TOTP auth (in a hacky but functional way). It shouldn't take over a month to do it and make it look pretty and get it tested properly.
I would be happy if this is an optional feature that I have to enable in my own preferences, rather than making it mandatory for all users. I would like to be able to make it mandatory for all users I invite to access my account though.
Yea, reading through this thread worries me. Does Wave see a future for their product? At least offer 2FA as a paid option.
Any updates on 2FA? It's been a while since this last post?
Thank you as always for your support!
Very frustrating...
One more vote for 2FA/MFA
ATTENTION WAVE DEVS