Why is Ally Bank abandoning email 2FA?
"We need you to add a phone number to your security preferences. As part of our continual efforts to keep your account safe and secure, we’re making changes to the security code delivery settings for your Ally account. In short, we’ll need you to update your preferences.
In order to log in moving forward, you’ll only be able to receive an authenticated security code through a text message or phone call, not email."
This seems astonishing. Everyone here knows how insecure 2FA is when done over SMS. On the other hand a well-protected email account that has hardware 2FA is about as secure as it gets. I appreciate not all Ally's customers are technically capable of setting up their email in this way, but even so, Ally might give a choice.
Does anyone care to guess at the reasoning behind this crazy decision? Ally doesn't use email as username, so it's not that. I'm minded to close my Ally account today, or at least use them for checking only.
4 comments
[ 4.8 ms ] story [ 21.8 ms ] threadSMS is not the only choice, a phone call is offered. For several of my online accounts, I get a security code through a voice call to the VOIP phone on my desk, which is the only place where I choose to log in to financial accounts.