Add Secure Multi-Factor Authentication (MFA) Options

Currently for MFA, Alpaca only offers an SMS option.

SMS was never designed for secure communication. Also SMS can open an account to hijacking via a SIM (phone port) attack.

The use of SMS has been questioned going back to 2016:

SIM port attacks have been on the rise, with the recent Twitter hack being a high-profile example. A successful SIM port attack could result in a hacker having a clone of your phone, and can be escalated to access into an email account.

Please offer more secure options such as Time-based One Time Passwords (TOTP).

2 Likes

Any update on when Alpaca will offer a secure MFA option?

I’ll chime in as to wanting this as well. I have multiple U2F keys as well as using TOTP.

SMS is incredibly insecure and I would not feel safe having any sort of money in any account that only supported it.

1 Like

Is it really MFA? Or just 2FA? Can you clarify in the UI that it is 2FA and MFA is on its way? I’d rather use Authy or Google Authenticator. I personally know a few people who had their crypto drained from SIM swapping. Let’s mitigate the risk. I know it’s an IAM thing and not sure if setting up for users in the dashboard could have an effect on API usage. IAM wrapped around APIs is a different way of authenticating (more based on the credentials, device, and location of request rather than the user’s identity).

Cheers

2 Likes

This please! Either one.

1 Like