Add in option for two-factor Authentication (2FA)


Comments

  • generalinq Member Posts: 14

    ....approaching 3 years into this thread..still no 2FA. Makes me question my level of trust with this product. With all due respect, what other security exposures exist with this platform?

    WAVE - You have such a great product but you are tarnishing your brand by not listening to your customers. It's mind boggling to say the least. I'm surprised that a large company like H&R Block doesn't mark this as an audit exposure with immediate attention.

    My only guess is that there is some confusion with what direction this SAAS platform is headed and until that is sorted out, no money is being allocated to any changes/improvements.

    I smell LBO acquisition written all over this. Prove me wrong please WAVE.

  • jrmacleod Member Posts: 2

    2FA needs to be implemented. A few points:

    • 2FA for Wave logins does NOT require any integration with your banking partner.
    • It can be implemented and be "off" by default thus not affecting your user experience at all for users that do not wish to use it.
    • As others have pointed out (repeatedly for 2+ years) this is an industry standard and an expectation of many users nowadays.
    • It should not be a difficult programming task to implement, thus requiring a small amount of investment on the part of Wave to do. Considering the benefit it could provide, it is surprising it is not rolled out already.

    Thanks

  • JulianP Member Posts: 1,002 ✭✭✭

    Hey everyone!

    Unfortunately, 2FA/MA authorization is not possible in Wave at this time. This is being discussed by our Product teams and I will pass your feedback onto them as well.

    When we plan out the features we're building next, a significant factor we pay attention to is customer feedback. But there's actually a lot more that goes into our product planning, too, and we wanted to give you a better understanding of the decision making that happens at Wave HQ:

    Our product managers and customer success heroes are constantly in touch with customers, accountants and bookkeepers, gathering insights into how they use Wave and what they want to see next. We capture it all.

    Naturally, a feature that has the potential to revolutionize the way you run your business, or that affects many customers, will get more attention. Also, some features are easier to build than others. If a feature request will take a lot of time to build, we need to make sure it drives extra value for our customers.

    Sometimes a feature looks easy, but it has underlying requirements that are difficult, or an infrastructure that doesn't exist. Wave's system handles billions of data packages every week, and we want everything to flow smoothly. Sometimes, it's the architecture that supports a feature, and not the feature itself, that requires the most engineering. We look at whether the work that goes into a feature can be bundled up with other work. Sometimes a feature with fewer requests will get worked on early because we're already making changes to a related part of the machinery, and it makes sense to address several issues while we're in there.

    There are more factors, too, like competitive considerations, advances in technology, changes to regulatory constraints and so on.

    All of this goes into the decision-making process for new features. At the end of it all, our goal is nothing less than delivering the very best tools for running your business.

    We appreciate you reaching out and sharing your feedback! :smile:

    edited December 4, 2020
  • Wisecompany Member Posts: 9

    @JulianP said:
    Hey everyone!

    Unfortunately, 2FA/MA authorization is not possible in Wave at this time. This is being discussed by our Product teams and I will pass your feedback onto them as well.

    When we plan out the features we're building next, a significant factor we pay attention to is customer feedback. But there's actually a lot more that goes into our product planning, too, and we wanted to give you a better understanding of the decision making that happens at Wave HQ:

    Our product managers and customer success heroes are constantly in touch with customers, accountants and bookkeepers, gathering insights into how they use Wave and what they want to see next. We capture it all.

    Naturally, a feature that has the potential to revolutionize the way you run your business, or that affects many customers, will get more attention. Also, some features are easier to build than others. If a feature request will take a lot of time to build, we need to make sure it drives extra value for our customers.

    Sometimes a feature looks easy, but it has underlying requirements that are difficult, or an infrastructure that doesn't exist. Wave's system handles billions of data packages every week, and we want everything to flow smoothly. Sometimes, it's the architecture that supports a feature, and not the feature itself, that requires the most engineering. We look at whether the work that goes into a feature can be bundled up with other work. Sometimes a feature with fewer requests will get worked on early because we're already making changes to a related part of the machinery, and it makes sense to address several issues while we're in there.

    There are more factors, too, like competitive considerations, advances in technology, changes to regulatory constraints and so on.

    All of this goes into the decision-making process for new features. At the end of it all, our goal is nothing less than delivering the very best tools for running your business.

    We appreciate you reaching out and sharing your feedback! :smile:

    This reply highlights the problem the people in this thread have with Wave. Not once in this lengthy reply is the word "security" mentioned, making it clear that it isn't a priority for Wave. Security should be the #1 priority for any company dealing with banking information.

    Particularly interesting is this line from your reply:

    There are more factors, too, like competitive considerations, advances in technology, changes to regulatory constraints and so on.

    Guess what? Your competitors use MFA, threat actors take advantage of "advances in technology" to compromise accounts, and your regulators STRONGLY encourage the use of MFA. I mean, you just need to practice what you're preaching. Here's a snippet from an article on Okta that is relevant, with a link to the PCI-DSS MFA guide:

    The finance industry has long used 2FA technology. In fact, each time you use an ATM, you are using 2FA—you need both your PIN (something you know) and your ATM card (something you have) to access your bank account. As more financial services move online, financial organizations need this added layer of security to protect customers and their assets.

    Any organization that processes and stores card payment information also has to comply with PCI-DSS. This means they may have to go a step further, providing more than two authentication factors to ensure their security. Since PCI-DSS version 3.2, these organizations have also had to change vendor-supplied default credentials and named accounts for every user who has access to cardholder information.

  • Dave_D Member Posts: 4

    @JulianP said:
    Hey everyone!

    Unfortunately, 2FA/MA authorization is not possible in Wave at this time.

    Now you're just lying?! Of course 2FA can be added to the Wave login. Does ANYONE there understand programming or security?? Did the people that created this software all leave 3 years ago? The suggestion that you can't spawn an additional process/subroutine, or even create a new front end for the current login process, that adds 2FA to an account if turned on, isn't possible, is laughable. There are companies that can provide you with solutions you can literally drop in place, and they will even help with the conversion. It was pretty terrible to find out you have no interest in fixing this obvious problem, but lying to us about it just makes it so much worse...

    Apparently, you think we don't know how to use Google either, here ya go, took all of 5 seconds to find a massive amount of companies that can add secure logins via 2FA that work with existing applications. If I wanna be lied to, I'll listen to a White House Press briefing.

    https://duo.com/solutions/industry-solutions/financial
    https://www.telesign.com/use-cases/add-two-factor-authentication
    https://www.securemetric.com/two-factor-authentication
    https://www.secsign.com/business

    I could go on, (and on and on, there's hundreds of companies apparently that do this!), but I think you get the point. Your post was ill-advised at best.

    Now, if you wanna argue that somehow these things are cost-prohibitive or something, that's one thing, but to just show up and tell us it's not possible. No, that's just a lie. Corporate choices to not do this are not the same as "not possible", one is a choice, one is not.

  • PeterM Member Posts: 3

    Guys.. This is really embarrassing for a company that is dealing with financial / sensitive data. I'm sure your developers (like most) are overworked but security needs to come first!

  • ekami Member Posts: 3

    I can't believe it's not implemented yet :(

  • 2FABandit Member Posts: 1

    @JulianP said:
    Hey everyone!

    Unfortunately, 2FA/MA authorization is not possible in Wave at this time. This is being discussed by our Product teams and I will pass your feedback onto them as well.

    When we plan out the features we're building next, a significant factor we pay attention to is customer feedback. But there's actually a lot more that goes into our product planning, too, and we wanted to give you a better understanding of the decision making that happens at Wave HQ:

    Our product managers and customer success heroes are constantly in touch with customers, accountants and bookkeepers, gathering insights into how they use Wave and what they want to see next. We capture it all.

    Naturally, a feature that has the potential to revolutionize the way you run your business, or that affects many customers, will get more attention. Also, some features are easier to build than others. If a feature request will take a lot of time to build, we need to make sure it drives extra value for our customers.

    Sometimes a feature looks easy, but it has underlying requirements that are difficult, or an infrastructure that doesn't exist. Wave's system handles billions of data packages every week, and we want everything to flow smoothly. Sometimes, it's the architecture that supports a feature, and not the feature itself, that requires the most engineering. We look at whether the work that goes into a feature can be bundled up with other work. Sometimes a feature with fewer requests will get worked on early because we're already making changes to a related part of the machinery, and it makes sense to address several issues while we're in there.

    There are more factors, too, like competitive considerations, advances in technology, changes to regulatory constraints and so on.

    All of this goes into the decision-making process for new features. At the end of it all, our goal is nothing less than delivering the very best tools for running your business.

    We appreciate you reaching out and sharing your feedback! :smile:

    It shows poor judgment on your part to treat your users like they are naive. I feel confident as a software engineer that everything in your comment regarding technical infeasibility is a straight up lie. I have personally added 2FA to existing applications on numerous occasions and it is not very difficult even for a beginner.

    What's more incredible is the fact that a website which deals with finances even exists in 2021 without 2FA. I interact with 11 finance-related websites on a weekly basis and every single one requires 2FA. I never would have imagined it to be any other way because passwords are nearly useless in today's world. It is truly astounding that an application with bank account access has such a weak authentication mechanism. I'm somewhere between laughing and rolling my eyes; regardless, I am definitely deleting the account I just created for my businesses. I was thinking about paying for upgraded features, but wow. I'd rather do my accounting and invoicing in Excel than a web application that lacks 2FA. No, I'm not kidding.

    The most unbelievable part of your comment is this:

    we need to make sure it drives extra value for our customers.

    Security isn't one of your values by your own admission. It's breathtakingly stupid to have said such a thing or, really, to have even thought it. I am not being unfair by saying that given the severity of a breach in any part of your system.

  • tmacrr Member Posts: 5

    @JulianP said:
    Hey everyone!

    Unfortunately, 2FA/MA authorization is not possible in Wave at this time. This is being discussed by our Product teams and I will pass your feedback onto them as well.

    When we plan out the features we're building next, a significant factor we pay attention to is customer feedback. But there's actually a lot more that goes into our product planning, too, and we wanted to give you a better understanding of the decision making that happens at Wave HQ:

    Our product managers and customer success heroes are constantly in touch with customers, accountants and bookkeepers, gathering insights into how they use Wave and what they want to see next. We capture it all.

    Naturally, a feature that has the potential to revolutionize the way you run your business, or that affects many customers, will get more attention. Also, some features are easier to build than others. If a feature request will take a lot of time to build, we need to make sure it drives extra value for our customers.

    Sometimes a feature looks easy, but it has underlying requirements that are difficult, or an infrastructure that doesn't exist. Wave's system handles billions of data packages every week, and we want everything to flow smoothly. Sometimes, it's the architecture that supports a feature, and not the feature itself, that requires the most engineering. We look at whether the work that goes into a feature can be bundled up with other work. Sometimes a feature with fewer requests will get worked on early because we're already making changes to a related part of the machinery, and it makes sense to address several issues while we're in there.

    There are more factors, too, like competitive considerations, advances in technology, changes to regulatory constraints and so on.

    All of this goes into the decision-making process for new features. At the end of it all, our goal is nothing less than delivering the very best tools for running your business.

    We appreciate you reaching out and sharing your feedback! :smile:

    This is simply not an acceptable explanation. Security is THE most important factor when it comes to handling any sensitive data, that includes your customers' financial datasets. How we've made it to 2021 and Wave has not even added this to a communicable roadmap is beyond reproach.

  • AlexL Member Posts: 2,869 ✭✭✭

    Hi @2FABandit & @tmacrr , thank you both for voicing your thoughts about adding additional security measures in Wave, this is definitely important and I completely understand your concerns. Recently, we started some implementation of additional security measures to increase the safety of our users' money and finance information. The first of this process has started with alert emails that are sent to business owners when a change of payout or Instant Payout account has occurred on their Wave Payments account. We've done this to prevent account takeover and to ensure that our business owners are aware when something fishy is going on.

    Although I can't give you an exact ETA on 2FA specifically, we will be continuing to implement additional measures as we work on ramping up security so that it aligns with the needs of all of our users.

  • CrispyBacon Member Posts: 2

    Wave. You just lost a customer. I'm in the midst of free trials with your competitors. Xero and QuickBooks both have two-step logins.

    Look up my account. It'll give you an idea of the revenue you're losing. If you ever decide 2FA is worth adding, let me know. I might come back. I do like the features.
  • HoneyBadger Member Posts: 2

    I just recently moved to Wave and was impressed until I went to turn on 2FA and there was no option. This is very sad, more so since it's really a very easy and trivial thing to do these days. There are even zero cost methods of 2FA that could be implemented. When the Wave administrators say it can't be done or is very difficult that is a straight up in your face lie. It could probably be done in a few hours by one of their developers, if they have any.

    It's disappointing I didn't catch this before transitioning since that would have been the nail in the coffin. I just expected it to be there. I would really suggest Freshbooks or Xero as alternatives, there is a monthly charge but at least your account can not be brute force hacked with ease. I'm currently testing both to see which one I prefer.

    If you own or run a business it's in your and your clients' best interest to move off of Wave until they provide 2FA. You can find other posts on this same issue that go back even further than a year. This is something they have no interest to fix otherwise it already would have been done.

    The real question is why have they not fixed it? What other shady business practices are they doing since security is not in their interest? Something to ponder on......... The more you think about it the worse it seems.

  • mcbsys Member Posts: 1

    Well this is concerning. I just signed up for Wave a few minutes ago. The first thing I did was go to Profile and look for the "Enable 2FA" setting. What? It's not there? How can that be?

    I expect a financial app to offer "real" 2FA through Google Authenticator et al. But this app didn't even do any of the basic account verification stuff at setup:

    • No email verifying that I own the email address I put in (unless it's stuck in quarantine).
    • No security questions.
    • No basic SMS verification.

    Then I found this thread:

    • December 20, 2018 - original post requesting 2FA feature
    • May 2, 2018 - first admin comment, on a different subject. How can the admin comment seven months before the original post?
    • November 12, 2018 - first admin comment addressing 2FA, also before the original post. "2FA is something that we are currently working on building out in the very near future."

    Please, 2FA is a requirement.

    Thanks,

    Mark

  • aaronh Member Posts: 3

    @AlexL It's August 2021. Implementing 2FA for authentication should only take your dev team a day or two. IT'S NOT HARD.

    Give us an update when this will be available.

  • Brett Member Posts: 4

    @AlexL Until these extra security measures are in place, could you just let me know that our business data from years of a pleasurable experience and recommending to others is safe with a roll back in time with a phone call or something?

    This platform is amazing, and I don't want to see all our data go up in smoke because of some criminal with too much time.

  • kesslink Member Posts: 1

    I'm shocked that Wave doesn't have 2FA yet. Given all the security issues that currently exist with any Fintech data, it's unbelievable that Wave is still arguing that they "can't" implement it and that "it's not high value to our users." I hope someone takes action on this soon. I can imagine large liability issues if/when Wave data is hacked and it results in a customer suffering a significant financial loss. I find it hard to imagine that any other of H&R Block's computer systems are as poorly protected. It would be very helpful if you could at least provide a roadmap/estimated timeline for implementation of 2FA and any other improved security features. Thanks.

  • Tache Member Posts: 1

    Seriously, any competent development team could implement TFA as part of their authorization scheme in a week. There are examples and how-tos in every modern development framework.

  • mardin Member Posts: 3

    pardon my language but this is total horse shXt. it is federal law that TFA is mandated for banking and banking apps. you are in violation of federal law and reading the notes you have had over two years to add even a pin...anyone can do that on any software...what is the matter with this operation.

  • mardin Member Posts: 3

    Is two-factor authentication required by law?
    To date, the use of 2FA to protect systems is not mandatory for every industry. However, 2FA is a needed measure to comply with particular password restrictions in sectors such as finance, healthcare, defense, law enforcement, and government, among others.

    Which Industries Require Two-Factor Authentication? | Okta

  • mardin Member Posts: 3

    what incredible legal exposure you are opening yourselves to by not providing TFA or MFA. That alone should motivate the company to cover their asses and provide additional security in a financial sector business. other than being bankrupt, i doubt any judge would rule in your behalf if any or all wave users get hacked because of this two plus year lollygagging. so so unprofessional. and a paper trail of ignored requests/demands as evidence.

    edited September 23, 2021
  • VGFC_2016 Member Posts: 4

    I'd also like TFA or MFA ASAP. Thanks!

  • bfaler Member Posts: 1

    I wanted to chime in as a new user. The lack of 2FA is the only thing giving me any hesitation about using Wave. I love everything else about the product. I would absolutely use it to accept payments if 2FA were implemented, but I honestly don't feel comfortable linking my bank account without this feature. Please make this a priority.

    edited October 15, 2021
  • ocxually Member Posts: 7

    @AlexL said:
    Although I can't give you an exact ETA on 2FA specifically, we will be continuing to implement additional measures as we work on ramping up security so that it aligns with the needs of all of our users.

    Alex it has been over 7 months since this post. Why have we not gotten any indication that 2FA/MFA is on any roadmap for Wave? You are continually allowing your customers to have exposure. All it takes is a password to be compromised and sensitive details could be accessed.

    2FA/MFA is a baseline for account security these days. Simple username and password is not sufficient for a platform like this.

  • Bdun Member Posts: 1

    I'm glad I found this thread before I'd spent any more time setting up my Wave account. I'd just gone through a long process looking for the right platform for managing my small business and Wave came out on top based on recommendations. Now I see that all of those reviews missed the one most important feature - SECURITY. How can we have made it to 2021 and there is no 2fa on login for Wave? I've read the thread - 3 years of veiled promises but not delivery. Oh well... guess I'll be going with my backup selection. My money will be spent elsewhere and with a platform I feel confident that the developers at least share a modicum of concern about security. 2fa isn't the be-all-end-all but it's at least a start and as pointed out elsewhere, it's not that hard to do.

    Buh-bye Wave! It was nice knowing you for that brief moment in time....

  • Andy53 Member Posts: 3

    I would also like 2FA for wave..........ETA for 2FA Please!

  • tmacrr Member Posts: 5

    @AlexL said:
    Hi @2FABandit & @tmacrr , thank you both for voicing your thoughts about adding additional security measures in Wave, this is definitely important and I completely understand your concerns. Recently, we started some implementation of additional security measures to increase the safety of our users' money and finance information. The first of this process has started with alert emails that are sent to business owners when a change of payout or Instant Payout account has occurred on their Wave Payments account. We've done this to prevent account takeover and to ensure that our business owners are aware when something fishy is going on.

    Although I can't give you an exact ETA on 2FA specifically, we will be continuing to implement additional measures as we work on ramping up security so that it aligns with the needs of all of our users.

    Alex - This was over 8 months ago, and we still don't have any update regarding TFA. We're closing in on another calendar year over with Wave being an easy target in an increasingly insecure world.

    edited November 19, 2021
  • jade2021 Member Posts: 1

    I was just about to sign up for Wave and move over from QBO and then I noticed that I'm not prompted for 2FA as I am for all other financial sites. I've quickly gotten cold feet about moving from QBO. Yes, Wave is free, but if my financial information is not adequately safeguarded then what good is free?

  • Suemac Member Posts: 1

    Please do something about this. It is unacceptable. Last year Mint was hacked and community members had been complaining for years about this. They have since fixed the problem. The same thing will happen here-no doubt. Please be responsible and forward thinking. We are in an age of data insecurity. It is your duty and responsibilities as stewards and service providers to protect those who have invested trust in your company.
  • Wisecompany Member Posts: 9

    @AlexL I think we are overdue for an official update on this from Wave. Could you just come out and say "We have no intention of implementing MFA" so those of us holding our breath can migrate away?