Christophe
Contributor
Status: Accepted

Despite using best security practices to protect passwords, we consider the single form authentication to the Authorize.net portal to be a critical security concern.

The concern is especially high with regard to CIM. When CIM is enabled, anybody breaking into the Authorize.net account can do a lot of damage (like creating transactions).

We are in 2015 and two form factor authentication is widespread and easy to implement. It does not have to be a full-blown 2-factor with MFA devices. A simple solution - for example using a mobile phone access code - would already be a huge improvement over the current system.

12 Comments
Christophe
Contributor
Another motivation is to protect our clients' data (name, address, last 4 digits of CC) which is accessible in CIM. We owe it to our clients to do the best in protecting this data, and currently this data, for hundreds of clients, is only protected by a single password...
Status changed to: Under Review
RichardH
Administrator
merpro
Member

I second and third this. It is embarrassing that banks, credit cards, email accounts and even my kids' school have 2 factor authentication and a payment gateway processing millions of dollars does not.

After implementing 2FA, please revisit whether forcing users to change their password every 90 days is truly adding security. It was a nice concept but the reality is that most customers are writing down the new password because they can't remember the changes so often.

pat1498
Member

Not only is this embarrassing, but it's a requirement for PCI compliance by Jan. 2018. When will this be implemented?

Status changed to: Accepted
RichardH
Administrator
Christophe
Contributor

Two factor is becoming widespread. How can Authorize.net be so far behind on this one? Isn't security a primary concern? Any update appreciated.

blackwood821
Contributor

Any update on this since it's now a requirement for PCI compliance?

Christophe
Contributor

2019 and this request is still pending. No updates. It is confounding that a company involved in managing payments online does not have an option for the users to authenticate more securely than with a single password.

I like Authorize.net in many respects, but security is paramount and I am considering switching to a more secure solution.

natesutherland2
Contributor
And now it's 2020. Any update on this, Authorize.net?
Yetzederixx
Member

How has this been going on for 5... years. Your one-time email pin system is provably inadequate in the advent of a breached physical computer.