What's the deal with the Multi-Factor Authentication?
I do Identity and Access Management for a living. I've recently been getting prompted to verify I'm attempting to sign in. This isn't a *bad* thing to enable but I have identified a few problems:
1) I signed in (no MFA), and then was logged out for inactivity. I was then prompted for MFA. This shouldn't happen, unless I was inactive for hours - not 10 minutes. This is improperly implemented - I'm accessing from the same browser (verifiable via a cookie), from the same computer (by fingerprinting my browser), and the same IP address (which doesn't change in 10 minutes).
2) Clicking the "verify another way" button does not offer a way to verify another way. This is improperly implemented - that link needs to do something, otherwise it's just bad MFA.
3) Having gone through step one (prompt to verify account), then two (no verification performed, because the process is broken), I went back to the mint.com home page and was able to sign in without providing MFA. This is improperly implemented - MFA must be performed once triggered, or MFA is totally broken.
4) (related to 2) There is no other way to set up MFA besides email verification. There should be additional ways to verify an identity besides receiving an email, such as SMS, third-party MFA application, automated phone call, and (hopefully not) identity verification questions.
5) There is no way to set up MFA if I want to enable it explicitly, and always-on.
6) Communicating the new functionality and the reasons behind it (i.e. it is important to protect CC transaction details, account history, etc., because ID theft can rely on small details like this) is important while rolling out a new feature like this. I didn't get any communication.
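The step-up logic the post is asking for in points 1 and 3, as an added example that is not part of the original post and has nothing to do with mint.com's actual code: a verified browser is remembered with an HMAC-signed cookie bound to a coarse fingerprint (user agent and IP, the post's own criteria), so a re-login after an inactivity logout is not re-prompted, and a server-side `mfa_pending` flag keeps a triggered step-up in force until the second factor is actually completed, so abandoning the prompt and signing in again with the password does not skip it. The account class, the secret key, the 30-day trust lifetime and the scenario data are all constructed for this example.

```python
# Added example (not from the post or from mint.com): minimal model of
# risk-based step-up MFA with a remembered-device cookie and a server-side
# "step-up pending" flag. Names, key and lifetimes are assumptions.
from dataclasses import dataclass
import hashlib
import hmac

SERVER_KEY = b"replace-with-a-random-per-deployment-secret"  # assumed
TRUST_TTL = 30 * 24 * 3600  # assumed: remember a verified device for 30 days
IDLE_TIMEOUT = 10 * 60      # the inactivity logout window mentioned in the post


@dataclass
class Account:
    user_id: str
    password: str              # toy model only; a real store keeps a password hash
    mfa_pending: bool = False  # set when step-up triggers, cleared only by completing MFA


def device_fingerprint(user_agent: str, ip: str) -> str:
    """Coarse browser fingerprint using the post's own criteria (same browser, same IP)."""
    return hashlib.sha256(f"{user_agent}|{ip}".encode()).hexdigest()


def mint_trust_cookie(user_id: str, fingerprint: str, now: int) -> str:
    """Signed 'this device already passed MFA' cookie: uid:fp:expiry:tag."""
    payload = f"{user_id}:{fingerprint}:{now + TRUST_TTL}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def verify_trust_cookie(cookie: str, user_id: str, fingerprint: str, now: int) -> bool:
    """Accept only an untampered, unexpired cookie issued to this user for this device."""
    try:
        uid, fp, expiry, tag = cookie.rsplit(":", 3)
        expiry = int(expiry)
    except (ValueError, AttributeError):
        return False
    payload = f"{uid}:{fp}:{expiry}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(tag, expected)
            and uid == user_id and fp == fingerprint and now < expiry)


def sign_in(acct: Account, password: str, cookie, user_agent: str, ip: str, now: int) -> str:
    """Password check plus step-up decision. Returns 'session', 'mfa_required' or 'denied'."""
    if not hmac.compare_digest(password.encode(), acct.password.encode()):
        return "denied"
    if acct.mfa_pending:
        # Point 3: a triggered step-up must be finished; re-entering the password does not clear it.
        return "mfa_required"
    fp = device_fingerprint(user_agent, ip)
    if cookie is not None and verify_trust_cookie(cookie, acct.user_id, fp, now):
        # Point 1: same browser, same device, same IP, valid trust cookie -> no re-prompt.
        return "session"
    acct.mfa_pending = True
    return "mfa_required"


def complete_mfa(acct: Account, code_accepted: bool, user_agent: str, ip: str, now: int):
    """On a successful second factor, clear the pending flag and remember this device."""
    if not code_accepted:
        return None
    acct.mfa_pending = False
    return mint_trust_cookie(acct.user_id, device_fingerprint(user_agent, ip), now)


def walkthrough() -> dict:
    """Constructed scenario replaying the situations described in the post."""
    acct = Account("alice", "correct horse battery staple")
    ua, ip = "Mozilla/5.0 (X11; Linux) Firefox/120.0", "203.0.113.7"
    t0 = 1_700_000_000
    result = {}
    # New browser: step-up triggers, user completes it, browser receives a trust cookie.
    result["first_login"] = sign_in(acct, acct.password, None, ua, ip, t0)
    cookie = complete_mfa(acct, True, ua, ip, t0)
    # Logged out for inactivity 10 minutes later, same browser and IP: no MFA prompt.
    result["after_idle_logout"] = sign_in(acct, acct.password, cookie, ua, ip, t0 + IDLE_TIMEOUT + 1)
    # The same cookie replayed from another client/IP is not trusted; step-up triggers.
    result["new_device"] = sign_in(acct, acct.password, cookie, "curl/8.0", "198.51.100.9", t0 + 3600)
    # Abandoning the prompt and simply signing in again stays behind MFA.
    result["retry_without_mfa"] = sign_in(acct, acct.password, None, "curl/8.0", "198.51.100.9", t0 + 3601)
    # A cookie with its tag altered is rejected.
    forged = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    result["forged_cookie"] = verify_trust_cookie(forged, acct.user_id, device_fingerprint(ua, ip), t0)
    # The trust cookie lapses after TRUST_TTL even on the original device.
    result["expired_cookie"] = verify_trust_cookie(cookie, acct.user_id, device_fingerprint(ua, ip), t0 + TRUST_TTL)
    return result
```

In this model the pending flag is account-wide, so an unrecognised device that triggers step-up also forces the next login from a trusted device through MFA; a production system would more likely scope the flag to the login attempt or session that triggered it, but either way the rule the post asks for holds: once step-up is triggered, no path that skips the second factor yields a session.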