Quicken on the Web and MFA

terry.franklin

It would appear that the new Quicken for the Web experience does not support the Multifactor Authentication on my Quicken Account? I've tried signing in from different browsers and Incognito Mode and still am never challenged with an authentication code via SMS. Can you confirm if that is the case?

Quicken Kathryn

Hi terry.franklin,
The Quicken ID does have MFA, but it typically will only prompt if you're attempting to sign in from a different IP address.  Because you're already signed in to your Quicken program, and passed through the MFA there, we recognize that token as a 'safe' person who's authorized to access Quicken on the Web without an MFA prompt.  

It's similar to the way a bank's website might have you 'remember' a computer so you aren't prompted repeatedly for a token, but you would be prompted if you tried to access from a different IP or MAC address.

Hope this helps,
Quicken Kathryn

terry.franklin

Hi,

That is not the behavior I am seeing. I have tried multiple browsers, on multiple IPs, and have not been challenged. I also went to my phone, disabled WiFi so I was on cellular, and used Safari (which I never use) to log in, and I was able to log in without the SMS challenge.

Unknown

terry.franklin said:

Hi,

That is not the behavior I am seeing. I have tried multiple browsers, on multiple IPs, and have not been challenged. I also went to my phone, disabled WiFi so I was on cellular, and used Safari (which I never use) to log in, and I was able to log in without the SMS challenge.

I see the same.

I got a new phone recently which has never been used for Quicken, and I logged into my Quicken account and it didn't send any code, just logged in.  I also tried it with a Quicken Id I created long ago for testing, but haven't used for a very long time.  Again it just logged in.

Unknown

terry.franklin said:

Hi,

That is not the behavior I am seeing. I have tried multiple browsers, on multiple IPs, and have not been challenged. I also went to my phone, disabled WiFi so I was on cellular, and used Safari (which I never use) to log in, and I was able to log in without the SMS challenge.

P.S. Note I was just checking logging into my Quicken account, not Quicken web (even though I think that is just a redirect once logged in).  So this difference isn't even about "Quicken Web".  For some reason logging into your account at Quicken.com isn't doing MFA any more.

Quicken Kathryn

terry.franklin said:

Hi,

That is not the behavior I am seeing. I have tried multiple browsers, on multiple IPs, and have not been challenged. I also went to my phone, disabled WiFi so I was on cellular, and used Safari (which I never use) to log in, and I was able to log in without the SMS challenge.

Hi terry.franklin,
It's not clear why you're not being prompted--let me check with our development team and see if they can clarify this--

Thanks,
Quicken Kathryn

Quicken Kathryn

Hi terry.franklin,
I just talked to one of our developers, so I need to correct myself--we've actually put a system in place that collects information from your internet session, and based on a lot of criteria (their proprietary algorithm), they determine how 'risky' they think a particular web session is.   Based on that risk assessment, we then determine whether or not an MFA prompt is necessary.

A new IP may trigger it, but not always.  If a user continues to use the same computer and login, they should never be asked for one (even in incognito mode).  Sometimes when a user switches computers they are asked, but not always. 

So, it seems the system has deemed you safe to access!  Apologies for the confusion--

Quicken Kathryn

terry.franklin

With all due respect, I am sorry, I just cannot believe this is true right now. And when you are talking about a new and highly demanded feature as sensitive as having users financial information easily available on the web, I hope you understand my concern.

I just walked over to a friend's house and used a computer I've never used, via Microsoft Edge, a browser I've never used. I connected via VPN to a Private Internet Access endpoint in the Czech Republic. I even pasted my username and password rather than type it to potentially rule out any kind of behavior based authentication checks. I was able to login with no MFA challenge.

"it seems the system has deemed you safe to access!" is an extremely dubious assessment in my opinion.  

Ps56k2

Quicken Kathryn said:

Hi terry.franklin,
I just talked to one of our developers, so I need to correct myself--we've actually put a system in place that collects information from your internet session, and based on a lot of criteria (their proprietary algorithm), they determine how 'risky' they think a particular web session is.   Based on that risk assessment, we then determine whether or not an MFA prompt is necessary.

A new IP may trigger it, but not always.  If a user continues to use the same computer and login, they should never be asked for one (even in incognito mode).  Sometimes when a user switches computers they are asked, but not always. 

So, it seems the system has deemed you safe to access!  Apologies for the confusion--

Quicken Kathryn

just to be clear... no Auth of any kind would ever rely on the IP address...
random changes.

Ps56k2

terry.franklin said:

Hi,

That is not the behavior I am seeing. I have tried multiple browsers, on multiple IPs, and have not been challenged. I also went to my phone, disabled WiFi so I was on cellular, and used Safari (which I never use) to log in, and I was able to log in without the SMS challenge.

Where do you actually setup the 2-factor Auth....
I'll have to look around my Quicken ID Profile

Ps56k2

Its interesting, that nowhere in the Quicken ID Profile do you actually enable or turn on 2-factor Auth...  Yes, you supply an email or SMS phone number, which may imply you want 2-factor, but it is still up to Quicken as to when they send the code..... unlike other 2-factor configs, which imply a yes/no for each and every time, or at least every newly encountered device or software app....  
Yeah - different -

Unknown

terry.franklin said:

With all due respect, I am sorry, I just cannot believe this is true right now. And when you are talking about a new and highly demanded feature as sensitive as having users financial information easily available on the web, I hope you understand my concern.

I just walked over to a friend's house and used a computer I've never used, via Microsoft Edge, a browser I've never used. I connected via VPN to a Private Internet Access endpoint in the Czech Republic. I even pasted my username and password rather than type it to potentially rule out any kind of behavior based authentication checks. I was able to login with no MFA challenge.

"it seems the system has deemed you safe to access!" is an extremely dubious assessment in my opinion.  

Frankly I suspect that they got so many complaints about being prompted all the time, they changed it, but then didn't realize they changed it in a way that it never prompts.

terry.franklin

I hope this isn't being ignored. My testing really leads me to conclude MFA challenges are not happening, which decreases my confidence in using this.

EricO

Is it possible to disable Quicken for Web (Mac)? Quicken didn't ask me if I wanted my information posted to the web. They just did it. I will very rarely, if ever, use it and I ABSOLUTELY DO NOT want my financial information available from Quicken on the web without a 2FA/One Time PW challenge any time any one attempts to access it. 

It appears that Quicken on the Web and Quicken Mobile are tied together - no way to use one without the other. Absent a solution, I'll be forced to kill Mobile sync in order to kill web access.

smayer97

EricO said:

Is it possible to disable Quicken for Web (Mac)? Quicken didn't ask me if I wanted my information posted to the web. They just did it. I will very rarely, if ever, use it and I ABSOLUTELY DO NOT want my financial information available from Quicken on the web without a 2FA/One Time PW challenge any time any one attempts to access it. 

It appears that Quicken on the Web and Quicken Mobile are tied together - no way to use one without the other. Absent a solution, I'll be forced to kill Mobile sync in order to kill web access.

Quicken mobile has de facto always made your data available on the web (actually, so does using Express Web Connect BTW)... Before there was simply only one interface to it... the app... now there is the web page... because the source is the same...Quicken Cloud servers.

(If you find this reply helpful, please be sure to click "Like", so others will know, thanks.)

Ps56k2

EricO said:

Is it possible to disable Quicken for Web (Mac)? Quicken didn't ask me if I wanted my information posted to the web. They just did it. I will very rarely, if ever, use it and I ABSOLUTELY DO NOT want my financial information available from Quicken on the web without a 2FA/One Time PW challenge any time any one attempts to access it. 

It appears that Quicken on the Web and Quicken Mobile are tied together - no way to use one without the other. Absent a solution, I'll be forced to kill Mobile sync in order to kill web access.

BUT - wouldn't the Express Web Connect only have the current transactions as a transfer conduit - and only for that specific account....
If you enable the Mobile SYNC - then a little bit of everything would get uploaded.

EricO

EricO said:

Is it possible to disable Quicken for Web (Mac)? Quicken didn't ask me if I wanted my information posted to the web. They just did it. I will very rarely, if ever, use it and I ABSOLUTELY DO NOT want my financial information available from Quicken on the web without a 2FA/One Time PW challenge any time any one attempts to access it. 

It appears that Quicken on the Web and Quicken Mobile are tied together - no way to use one without the other. Absent a solution, I'll be forced to kill Mobile sync in order to kill web access.

True. General web access just feels more exposed than access via the app since the perpetrator would have to get and use the app vs just phishing/scanning the web.

Ultimately though, most large scale data breaches are a result of hacking the underlying corporate system security rather than someone phishing out specific login credentials. 

In the end, I don't use the mobile app all that much either and sync as many of my accounts as possible to the desktop app with Direct Connect vs Quicken Connect, so perhaps it's time to rethink the overall sync scenario.

smayer97

EricO said:

Is it possible to disable Quicken for Web (Mac)? Quicken didn't ask me if I wanted my information posted to the web. They just did it. I will very rarely, if ever, use it and I ABSOLUTELY DO NOT want my financial information available from Quicken on the web without a 2FA/One Time PW challenge any time any one attempts to access it. 

It appears that Quicken on the Web and Quicken Mobile are tied together - no way to use one without the other. Absent a solution, I'll be forced to kill Mobile sync in order to kill web access.

In both EWC/QC and Mobile, you control what data passes through Quicken Cloud servers. What we do not know for EWC/QC is how long that data resides there. So whatever is there, is there and subject to the same vulnerability. It may well be that with Mobile, users are more likely to sync more data but not necessarily.

(If you find this reply helpful, please be sure to click "Like", so others will know, thanks.)

terry.franklin

EricO said:

Is it possible to disable Quicken for Web (Mac)? Quicken didn't ask me if I wanted my information posted to the web. They just did it. I will very rarely, if ever, use it and I ABSOLUTELY DO NOT want my financial information available from Quicken on the web without a 2FA/One Time PW challenge any time any one attempts to access it. 

It appears that Quicken on the Web and Quicken Mobile are tied together - no way to use one without the other. Absent a solution, I'll be forced to kill Mobile sync in order to kill web access.

I could be wrong here, but I would swear that prior to this release, even logging into Quicken Mobile would prompt for that second factor, and it doesn't now. Even occasionally having to log into the quicken desktop app prompted for it.

Unknown

EricO said:

Is it possible to disable Quicken for Web (Mac)? Quicken didn't ask me if I wanted my information posted to the web. They just did it. I will very rarely, if ever, use it and I ABSOLUTELY DO NOT want my financial information available from Quicken on the web without a 2FA/One Time PW challenge any time any one attempts to access it. 

It appears that Quicken on the Web and Quicken Mobile are tied together - no way to use one without the other. Absent a solution, I'll be forced to kill Mobile sync in order to kill web access.

terry.franklin yes you are correct in fact I believe that is at the heart of the problem.

As in the old system was prompting people a lot and so they complained.  For some people it was every time they used Quicken.

So they changed the system to be "smarter", but I think they made it so "smart" it doesn't prompt at all.

EricO

EricO said:

Is it possible to disable Quicken for Web (Mac)? Quicken didn't ask me if I wanted my information posted to the web. They just did it. I will very rarely, if ever, use it and I ABSOLUTELY DO NOT want my financial information available from Quicken on the web without a 2FA/One Time PW challenge any time any one attempts to access it. 

It appears that Quicken on the Web and Quicken Mobile are tied together - no way to use one without the other. Absent a solution, I'll be forced to kill Mobile sync in order to kill web access.

I agree. That is what was causing me to believe 2FA isn't required for web access - and it appears that if they don't tighten it up a bit, then for all practical purposes 2FA isn't required for anything any more...

terry.franklin

So, I guess no other input on this from Quicken?

terry.franklin

As a reminder from your own support site https://www.quicken.com/support/secure-login-mfa-information :

"Do I have to use Secure Login each time I update my Accounts?
No. You will be asked once after Secure Login is first turned on. After that, you will only need to complete Secure Login about every two weeks or if you start using Quicken on a different computer."