How can I require 2FA (or MFA) on every login to Quicken/Web/Mobile (edit)

rlake

I am a long time Quicken Windows desktop user that finally decided to utilize Quicken Online for managing my accounts when traveling. While my Quicken account has 2FA (SMS) enabled, there doesn't seem to be any such requirement when I login to Quicken Online. I contacted Quicken Online support and was told that there is no option for 2FA (or any MFA) on login for Quicken Online.

Given how Quicken touts their approach to account security, I have a difficult time believing that this could be true. Any financial institution that I've dealt with offers the expected layer of 2FA (or MFA) security. While 2FA isn't the best layer (as opposed to tokens or authenticators), at least it's a layer beyond a secure password.

Can someone please let me know if this is, in fact, not an option for Quicken Online? Or if it is, how can I enable it? (again, SMS is enabled for my Quicken account… and truth be told I thought that they were one in the same with my Quicken Online account).

Thanks!

rlake

I did find this article https://www.quicken.com/support/secure-login-mfa-information, which has the following Q&A:

"Do I have to use Secure Login each time I update my Accounts?

No. You will be asked once after Secure Login is first turned on. After that, you will only need to complete Secure Login if reauthentication is necessary."

So, perhaps Quicken Online support was correct in that it can't be enabled to require 2FA (or MFA) on every login. However, I just downloaded the mobile app to my iPhone, and was able to successfully login to my Quicken Online account without a 2FA (SMS) requirement. I have never logged into a Quicken Online account on my phone before, so not really sure how to explain why, when "security codes" (SMS) are setup in my account, they're not required for Quicken Online… which has a lot more sensitive information than my Quicken subscription account.

Ps56k2

@rlake - I think you need to stick with discussing the "Quicken On The Web" - if that is what you are calling Quicken Online -
and not drag the Quicken Mobile App into the discussion -

Of course both are Sync'd from your Quicken desktop data -

rlake

Got it. Okay, sorry, Quicken on the Web is what I'm referring to and not calling Quicken Online. However, Quicken Mobile App does relate to this though. At least I think it does, as there wasn't a requirement for 2FA (or MFA) when I signed in via the mobile app either.

Chris_QPW

The answer you got is correct, there isn't an option for 2FA, neither for Quicken Web/Mobile or even for logging into your account on Quicken.com.

rlake

Okay, thank you. Clearly some online security concerns, but it is what it is. Hopefully Quicken will up their level of online security sooner than later.

rlake

Wow… just discovered that this isn't a new idea, and was been submitted as an "idea" (request) back in 2020, and then declined in August 2023.

https://community.quicken.com/discussion/7874918/will-two-factor-authentication-be-provided-soon#latest

Their reasoning for declining the request is that "Quicken users [sic] other methods of verifying user identity that are less intrusive than MFA, and we use that in this instance.".

No idea what "other methods of verifying user identity that are less intrusive" might be, but I can't understand how MFA is deemed intrusive. And, to be fair to those less concerned with online security, it should be able to be disabled.

Really stumped on why Quicken, a company that handles sensitive financial information for its customers, would be ignoring basic online security protocol.

Sadly, the next step is for me to delete my Quicken on the Web data and stick with the desktop version. While I hadn't spent enough time with the web version, I was optimistic that it would come in handy for when I'm away from my local datafile.

Holding out hope that Quicken will come around on this one!

Chris_QPW

Given all the problems people have reported while using Sync to Mobile/Web, this might be a blessing in disguise. Corrupted data files, blown away budgets, …

As for the "other methods of verifying user identity that are less intrusive" Is believe they are talking about the "Secure Login" that is mentioned in the article you found. In other words, do it once and then store something saying that machine/local login is OK, and not ask again.