Currently for MFA, Alpaca only offers an SMS option.
SMS was never designed for secure communication. Also, SMS can open an account to hijacking via a SIM port (phone port) attack.
The use of SMS has been questioned going back to 2016:
SIM port attacks have been on the rise, with the recent Twitter hack being a high-profile example. A successful SIM port attack could result in a hacker having a clone of your phone, and can be escalated to access into an email account.
Please offer more secure options such as Time-based One Time Passwords (TOTP).
Is it really MFA? Or just 2FA? Can you clarify in the UI that it is 2FA and MFA is on its way? I’d rather use Authy or Google Authenticator. I personally know a few people who had their crypto drained from SIM swapping. Let’s mitigate the risk. I know it’s an IAM thing and not sure if setting up for users in the dashboard could have an effect on API usage. IAM wrapped around APIs is a different way of authenticating (more based on the credentials, device, and location of the request rather than the user’s identity).
Is there any update on this getting done? SMS, especially with certain providers, is relatively trivial to MITM. TOTP support at the very least, so Authy/Google Authenticator could be supported, would be a nice start.
I’d particularly like support for FIDO U2F since it provides additional protection against certain types of phishing attempts.
Hey,
Thanks for raising this topic and sharing your opinions!
We have begun improving the toolset for securing users’ accounts, so we have just added TOTP MFA to the security settings, starting with support for Google Authenticator.
Please, visit your Alpaca account > Settings > Security to enable it.
I see no such thing as Alpaca account > Settings. I only see Alpaca account > Configuration but it doesn’t have a Security tab or option, neither in the new or the old UI. I’m desperately trying to use Google Authenticator with Alpaca, so far no luck. Please advise.