
Quicken on the Web and MFA

terry.franklin Member ✭✭
edited December 2018 in Using Quicken on the Web
It would appear that the new Quicken for the Web experience does not support the Multifactor Authentication on my Quicken Account? I've tried signing in from different browsers and Incognito Mode and still am never challenged with an authentication code via SMS. Can you confirm if that is the case?

Comments

  • Quicken Kathryn Mac Beta admin
    edited October 2018
    Hi terry.franklin,
    The Quicken ID does have MFA, but it typically will only prompt if you're attempting to sign in from a different IP address.  Because you're already signed in to your Quicken program, and passed through the MFA there, we recognize that token as a 'safe' person who's authorized to access Quicken on the Web without an MFA prompt.  

    It's similar to the way a bank's website might have you 'remember' a computer so you aren't prompted repeatedly for a token, but you would be prompted if you tried to access from a different IP or MAC address.

    Hope this helps,
    Quicken Kathryn
    Quicken Kathryn
    Community Administrator
  • terry.franklin Member ✭✭
    edited October 2018
    Hi,

    That is not the behavior I am seeing. I have tried multiple browsers, on multiple IPs, and have not been challenged. I also went to my phone, disabled WiFi so I was on cellular, and used Safari (which I never use) to log in, and I was able to log in without the SMS challenge.
  • Unknown Member
    edited October 2018
    terry.franklin said:

    Hi,

    That is not the behavior I am seeing. I have tried multiple browsers, on multiple IPs, and have not been challenged. I also went to my phone, disabled WiFi so I was on cellular, and used Safari (which I never use) to log in, and I was able to log in without the SMS challenge.

    I see the same.

    I got a new phone recently which has never been used for Quicken, and I logged into my Quicken account and it didn't send any code, just logged in.  I also tried it with a Quicken Id I created long ago for testing, but haven't used for a very long time.  Again it just logged in.
  • Unknown Member
    edited October 2018
    terry.franklin said:

    Hi,

    That is not the behavior I am seeing. I have tried multiple browsers, on multiple IPs, and have not been challenged. I also went to my phone, disabled WiFi so I was on cellular, and used Safari (which I never use) to log in, and I was able to log in without the SMS challenge.

    P.S. Note I was just checking logging into my Quicken account, not Quicken web (even though I think that is just a redirect once logged in).  So this difference isn't even about "Quicken Web".  For some reason logging into your account at Quicken.com isn't doing MFA any more.
  • Quicken Kathryn Mac Beta admin
    edited October 2018
    terry.franklin said:

    Hi,

    That is not the behavior I am seeing. I have tried multiple browsers, on multiple IPs, and have not been challenged. I also went to my phone, disabled WiFi so I was on cellular, and used Safari (which I never use) to log in, and I was able to log in without the SMS challenge.

    Hi terry.franklin,
    It's not clear why you're not being prompted--let me check with our development team and see if they can clarify this--

    Thanks,
    Quicken Kathryn
    Quicken Kathryn
    Community Administrator
  • Quicken Kathryn Mac Beta admin
    edited October 2018
    Hi terry.franklin,
    I just talked to one of our developers, so I need to correct myself--we've actually put a system in place that collects information from your internet session, and based on a lot of criteria (their proprietary algorithm), they determine how 'risky' they think a particular web session is.   Based on that risk assessment, we then determine whether or not an MFA prompt is necessary.

    A new IP may trigger it, but not always.  If a user continues to use the same computer and login, they should never be asked for one (even in incognito mode).  Sometimes when a user switches computers they are asked, but not always. 

    So, it seems the system has deemed you safe to access!  Apologies for the confusion--

    Quicken Kathryn
    Quicken Kathryn
    Community Administrator
  • terry.franklin Member ✭✭
    edited October 2018
    With all due respect, I am sorry, I just cannot believe this is true right now. And when you are talking about a new and highly demanded feature as sensitive as having users' financial information easily available on the web, I hope you understand my concern.

    I just walked over to a friend's house and used a computer I've never used, via Microsoft Edge, a browser I've never used. I connected via VPN to a Private Internet Access endpoint in the Czech Republic. I even pasted my username and password rather than type it to potentially rule out any kind of behavior-based authentication checks. I was able to log in with no MFA challenge.

    "it seems the system has deemed you safe to access!" is an extremely dubious assessment in my opinion.  
  • Ps56k2 SuperUser ✭✭✭✭✭
    edited October 2018
    Quicken Kathryn said:

    Hi terry.franklin,
    I just talked to one of our developers, so I need to correct myself--we've actually put a system in place that collects information from your internet session, and based on a lot of criteria (their proprietary algorithm), they determine how 'risky' they think a particular web session is.   Based on that risk assessment, we then determine whether or not an MFA prompt is necessary.

    A new IP may trigger it, but not always.  If a user continues to use the same computer and login, they should never be asked for one (even in incognito mode).  Sometimes when a user switches computers they are asked, but not always. 

    So, it seems the system has deemed you safe to access!  Apologies for the confusion--

    Quicken Kathryn

    just to be clear... no Auth of any kind would ever rely on the IP address...
    random changes.
    Quicken 2020 Deluxe - Subscription - Windows 10
  • Ps56k2 SuperUser ✭✭✭✭✭
    edited October 2018
    terry.franklin said:

    Hi,

    That is not the behavior I am seeing. I have tried multiple browsers, on multiple IPs, and have not been challenged. I also went to my phone, disabled WiFi so I was on cellular, and used Safari (which I never use) to log in, and I was able to log in without the SMS challenge.

    Where do you actually set up the 2-factor Auth....
    I'll have to look around my Quicken ID Profile
    Quicken 2020 Deluxe - Subscription - Windows 10
  • Ps56k2 SuperUser ✭✭✭✭✭
    edited October 2018
    It's interesting that nowhere in the Quicken ID Profile do you actually enable or turn on 2-factor Auth...  Yes, you supply an email or SMS phone number, which may imply you want 2-factor, but it is still up to Quicken as to when they send the code..... unlike other 2-factor configs, which imply a yes/no for each and every time, or at least every newly encountered device or software app....
    Yeah - different -


    Quicken 2020 Deluxe - Subscription - Windows 10
  • Unknown Member
    edited October 2018
    terry.franklin said:

    With all due respect, I am sorry, I just cannot believe this is true right now. And when you are talking about a new and highly demanded feature as sensitive as having users' financial information easily available on the web, I hope you understand my concern.

    I just walked over to a friend's house and used a computer I've never used, via Microsoft Edge, a browser I've never used. I connected via VPN to a Private Internet Access endpoint in the Czech Republic. I even pasted my username and password rather than type it to potentially rule out any kind of behavior-based authentication checks. I was able to log in with no MFA challenge.

    "it seems the system has deemed you safe to access!" is an extremely dubious assessment in my opinion.  

    Frankly I suspect that they got so many complaints about being prompted all the time, they changed it, but then didn't realize they changed it in a way that it never prompts.
  • terry.franklin Member ✭✭
    edited October 2018
    I hope this isn't being ignored. My testing really leads me to conclude MFA challenges are not happening, which decreases my confidence in using this.
  • EricO Member ✭✭
    edited October 2018
    Is it possible to disable Quicken for Web (Mac)? Quicken didn't ask me if I wanted my information posted to the web. They just did it. I will very rarely, if ever, use it and I ABSOLUTELY DO NOT want my financial information available from Quicken on the web without a 2FA/One Time PW challenge any time any one attempts to access it. 

    It appears that Quicken on the Web and Quicken Mobile are tied together - no way to use one without the other. Absent a solution, I'll be forced to kill Mobile sync in order to kill web access.
  • smayer97 SuperUser, Mac Beta, Canada Beta ✭✭✭✭✭
    edited October 2018
    EricO said:

    Is it possible to disable Quicken for Web (Mac)? Quicken didn't ask me if I wanted my information posted to the web. They just did it. I will very rarely, if ever, use it and I ABSOLUTELY DO NOT want my financial information available from Quicken on the web without a 2FA/One Time PW challenge any time any one attempts to access it. 

    It appears that Quicken on the Web and Quicken Mobile are tied together - no way to use one without the other. Absent a solution, I'll be forced to kill Mobile sync in order to kill web access.

    Quicken mobile has de facto always made your data available on the web (actually, so does using Express Web Connect BTW)... Before there was simply only one interface to it... the app... now there is the web page... because the source is the same...Quicken Cloud servers.

    (If you find this reply helpful, please be sure to click "Like", so others will know, thanks.)
    Have Questions? Check out these FAQs: COMPLETE list of Product Ideas - Quicken for Mac to VOTE on

    Object to Quicken's business model, using up 25% of your screen? Add your vote here:
    Quicken should eliminate the LARGE Ad space when a subscription expires

    (Canadian user since '92, STILL using QM2007)
  • Ps56k2 SuperUser ✭✭✭✭✭
    edited October 2018
    EricO said:

    Is it possible to disable Quicken for Web (Mac)? Quicken didn't ask me if I wanted my information posted to the web. They just did it. I will very rarely, if ever, use it and I ABSOLUTELY DO NOT want my financial information available from Quicken on the web without a 2FA/One Time PW challenge any time any one attempts to access it. 

    It appears that Quicken on the Web and Quicken Mobile are tied together - no way to use one without the other. Absent a solution, I'll be forced to kill Mobile sync in order to kill web access.

    BUT - wouldn't the Express Web Connect only have the current transactions as a transfer conduit - and only for that specific account....
    If you enable the Mobile SYNC - then a little bit of everything would get uploaded.
    Quicken 2020 Deluxe - Subscription - Windows 10
  • EricO Member ✭✭
    edited October 2018
    EricO said:

    Is it possible to disable Quicken for Web (Mac)? Quicken didn't ask me if I wanted my information posted to the web. They just did it. I will very rarely, if ever, use it and I ABSOLUTELY DO NOT want my financial information available from Quicken on the web without a 2FA/One Time PW challenge any time any one attempts to access it. 

    It appears that Quicken on the Web and Quicken Mobile are tied together - no way to use one without the other. Absent a solution, I'll be forced to kill Mobile sync in order to kill web access.

    True. General web access just feels more exposed than access via the app since the perpetrator would have to get and use the app vs just phishing/scanning the web.

    Ultimately though, most large scale data breaches are a result of hacking the underlying corporate system security rather than someone phishing out specific login credentials. 

    In the end, I don't use the mobile app all that much either and sync as many of my accounts as possible to the desktop app with Direct Connect vs Quicken Connect, so perhaps it's time to rethink the overall sync scenario.
  • smayer97 SuperUser, Mac Beta, Canada Beta ✭✭✭✭✭
    edited October 2018
    EricO said:

    Is it possible to disable Quicken for Web (Mac)? Quicken didn't ask me if I wanted my information posted to the web. They just did it. I will very rarely, if ever, use it and I ABSOLUTELY DO NOT want my financial information available from Quicken on the web without a 2FA/One Time PW challenge any time any one attempts to access it. 

    It appears that Quicken on the Web and Quicken Mobile are tied together - no way to use one without the other. Absent a solution, I'll be forced to kill Mobile sync in order to kill web access.

    In both EWC/QC and Mobile, you control what data passes through Quicken Cloud servers. What we do not know for EWC/QC is how long that data resides there. So whatever is there, is there and subject to the same vulnerability. It may well be that with Mobile, users are more likely to sync more data but not necessarily.

  • terry.franklin Member ✭✭
    edited October 2018
    EricO said:

    Is it possible to disable Quicken for Web (Mac)? Quicken didn't ask me if I wanted my information posted to the web. They just did it. I will very rarely, if ever, use it and I ABSOLUTELY DO NOT want my financial information available from Quicken on the web without a 2FA/One Time PW challenge any time any one attempts to access it. 

    It appears that Quicken on the Web and Quicken Mobile are tied together - no way to use one without the other. Absent a solution, I'll be forced to kill Mobile sync in order to kill web access.

    I could be wrong here, but I would swear that prior to this release, even logging into Quicken Mobile would prompt for that second factor, and it doesn't now. Even occasionally having to log into the Quicken desktop app prompted for it.
  • Unknown Member
    edited October 2018
    EricO said:

    Is it possible to disable Quicken for Web (Mac)? Quicken didn't ask me if I wanted my information posted to the web. They just did it. I will very rarely, if ever, use it and I ABSOLUTELY DO NOT want my financial information available from Quicken on the web without a 2FA/One Time PW challenge any time any one attempts to access it. 

    It appears that Quicken on the Web and Quicken Mobile are tied together - no way to use one without the other. Absent a solution, I'll be forced to kill Mobile sync in order to kill web access.

    terry.franklin, yes, you are correct; in fact, I believe that is at the heart of the problem.

    As in the old system was prompting people a lot and so they complained.  For some people it was every time they used Quicken.

    So they changed the system to be "smarter", but I think they made it so "smart" it doesn't prompt at all.
  • EricO Member ✭✭
    edited October 2018
    EricO said:

    Is it possible to disable Quicken for Web (Mac)? Quicken didn't ask me if I wanted my information posted to the web. They just did it. I will very rarely, if ever, use it and I ABSOLUTELY DO NOT want my financial information available from Quicken on the web without a 2FA/One Time PW challenge any time any one attempts to access it. 

    It appears that Quicken on the Web and Quicken Mobile are tied together - no way to use one without the other. Absent a solution, I'll be forced to kill Mobile sync in order to kill web access.

    I agree. That is what was causing me to believe 2FA isn't required for web access - and it appears that if they don't tighten it up a bit, then for all practical purposes 2FA isn't required for anything any more...
  • terry.franklin Member ✭✭
    edited December 2018
    So, I guess no other input on this from Quicken?
  • terry.franklin Member ✭✭
    edited December 2018
    As a reminder from your own support site https://www.quicken.com/support/secure-login-mfa-information :

    "Do I have to use Secure Login each time I update my Accounts?
    No. You will be asked once after Secure Login is first turned on. After that, you will only need to complete Secure Login about every two weeks or if you start using Quicken on a different computer."

This discussion has been closed.
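
The thread contrasts a risk-scored MFA prompt with the support page's stated rule (a prompt "about every two weeks or if you start using Quicken on a different computer"). The Python below is an added example, not Quicken's code and not from any poster: it shows a step-up decision where those two rules act as hard floors that a low risk score cannot override, plus an audit that replays login events to find challenges that were skipped. The field names, the 0.7 threshold, the score scale and the sample events are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MFA_MAX_AGE = timedelta(days=14)  # "about every two weeks" (quoted support text)
RISK_THRESHOLD = 0.7              # hypothetical cut-off for the risk engine's score


@dataclass
class Login:
    user: str
    device_id: str      # hypothetical stable device identifier
    when: datetime
    risk_score: float   # 0.0 (benign) to 1.0 (risky); scale is an assumption


def needs_mfa(login, known_devices, last_mfa: Optional[datetime]) -> bool:
    """Hard floors first; the risk score can only add challenges, never remove them."""
    if last_mfa is None or login.when - last_mfa > MFA_MAX_AGE:
        return True     # never verified, or last verification is stale
    if login.device_id not in known_devices:
        return True     # different computer: always challenge
    return login.risk_score >= RISK_THRESHOLD


def missed_challenges(events):
    """Replay (Login, was_challenged) pairs in time order and return the logins
    that the floors required a challenge for but that were let through."""
    known, last_mfa, misses = {}, {}, []
    for login, challenged in events:
        devices = known.setdefault(login.user, set())
        if needs_mfa(login, devices, last_mfa.get(login.user)) and not challenged:
            misses.append(login)
        if challenged:  # a device becomes trusted only after a passed challenge
            last_mfa[login.user] = login.when
            devices.add(login.device_id)
    return misses


# Constructed sample events, not real Quicken logs.
T0 = datetime(2018, 10, 1, 9, 0)
SAMPLE_EVENTS = [
    (Login("alice", "desktop", T0, 0.1), True),
    (Login("alice", "desktop", T0 + timedelta(days=2), 0.1), False),
    (Login("alice", "friend-pc-vpn", T0 + timedelta(days=3), 0.2), False),
    (Login("alice", "desktop", T0 + timedelta(days=20), 0.1), False),
]

if __name__ == "__main__":
    for miss in missed_challenges(SAMPLE_EVENTS):
        print("unchallenged:", miss.user, miss.device_id, miss.when.isoformat())
```

A non-empty result from the audit over real authentication logs is the signal the posters were looking for: logins from a never-seen device, or after the two-week window, that completed with a password alone.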