What's the deal with the Multi-Factor Authentication?

I do Identity and Access Management for a living. I've recently been getting prompted to verify I'm attempting to sign in. This isn't a *bad* thing to enable but I have identified a few problems:

1) I signed in (no MFA), and then was logged out for inactivity. I was then prompted for MFA. This shouldn't happen, unless I was inactive for hours - not 10 minutes. This is improperly implemented - I'm accessing from the same browser (verify via cookie), from the same computer (fingerprinting my browser), and the same IP Address (that doesn't change in 10 minutes).

2) Clicking the "verify another way" button does not offer a way to verify another way. This is improperly implemented - that link needs to do something, otherwise it's just bad MFA.

3) Having gone through step one (prompt to verify account), then two (no verification performed, because broken process), I went back to mint.com home page and was able to sign in without providing MFA. This is improperly implemented - MFA must be performed once triggered, or MFA is totally broken.

4) (related to 2) There is no other way to set up MFA besides email verification. There should be additional ways to verify an identity besides receiving an email, such as SMS, third-party MFA application, automated phone call, and (hopefully not) identity verification questions.

5) There is no way to set up MFA if I want to enable it explicitly, and always-on.

6) Communicating the new functionality and the reasons behind it (i.e. important to protect CC transaction details, account history, etc. because ID theft can rely on small details like this) is important while rolling out a new feature like this. I didn't get any communication.
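As an added illustration (not part of the original post and not Mint's code), here is a minimal server-side sketch of the behaviour points 1 and 3 ask for: a recently verified device on the same IP is not re-prompted, and a triggered challenge stays attached to the account until a second factor is actually verified. The `LoginPolicy` class, its method names, the 12-hour trust window and the choice to track pending challenges per account are all assumptions.

```python
import time

TRUST_WINDOW = 12 * 3600  # assumption: seconds a verified device stays trusted


class LoginPolicy:
    """Hypothetical server-side state: trusted devices and pending MFA challenges."""

    def __init__(self):
        self.trusted = {}     # (user, device_id) -> (ip, verified_at)
        self.pending = set()  # accounts with an unfinished MFA challenge

    def password_ok(self, user, device_id, ip, now=None):
        """Call after a correct password. Returns 'session' or 'mfa_required'."""
        now = time.time() if now is None else now
        # Point 3: once triggered, the challenge is sticky. Abandoning the
        # prompt and starting a fresh login must not skip it.
        if user in self.pending:
            return "mfa_required"
        seen = self.trusted.get((user, device_id))
        # Point 1: same device cookie, same IP, verified recently -> no re-prompt.
        if seen and seen[0] == ip and now - seen[1] < TRUST_WINDOW:
            return "session"
        self.pending.add(user)
        return "mfa_required"

    def mfa_ok(self, user, device_id, ip, now=None):
        """Call only after a second factor has been verified for this login."""
        if user not in self.pending:
            raise ValueError("no MFA challenge is pending for this account")
        now = time.time() if now is None else now
        self.pending.discard(user)
        # Trust is granted here and nowhere else, so a password alone
        # can never turn an unknown device into a trusted one.
        self.trusted[(user, device_id)] = (ip, now)
        return "session"


if __name__ == "__main__":
    # Constructed scenario using documentation-range IP addresses.
    p = LoginPolicy()
    print(p.password_ok("alice", "dev1", "203.0.113.7", now=0))    # challenge triggered
    print(p.password_ok("alice", "dev1", "203.0.113.7", now=60))   # retry, still challenged
    print(p.mfa_ok("alice", "dev1", "203.0.113.7", now=120))       # factor verified
    print(p.password_ok("alice", "dev1", "203.0.113.7", now=720))  # 10 minutes later
```
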

No answers have been posted
