Authorize.net portal 2 factor authentication

Status: Accepted
by on ‎04-30-2015 07:47 AM

Despite using best security practices to protect passwords, we consider the single form authentication to the Authorize.net portal to be a critical security concern.

 

The concern is especially high with regard to CIM. When CIM is enabled, anybody breaking into the Authorize.net account can do a lot of damage (like creating transactions).

 

We are in 2015 and two form factor authentication is widespread and easy to implement. It does not have to be a full blown 2-factor with MFA devices. A simple solution - for example using a mobile phone access code - would already be a huge improvement over the current system.

 

 

Status: Accepted
Comments
by
on ‎04-30-2015 03:25 PM
Another motivation is to protect our clients data (name, address, last 4 digits of CC) which is accessible in CIM. We owe our clients to do the best in protecting this data, and currently this data for hundreds of clients, is only protected by a single password...
by Administrator Administrator
on ‎08-13-2015 03:31 PM
Status changed to: Under Review
 
by
‎12-02-2015 10:21 AM - edited ‎12-02-2015 10:21 AM

I second and third this. It is embarrassing that banks, credit cards, email accounts and even my kids school has 2 factor authentication and a payment gateway proccesing millions of dollars does not.

 

After implementing 2FA, please revisit whether forcing users to change their password every 90 days is truly adding security. It was a nice concept but the reality is that most customers are writing down the new password becuase they can't remember the changes so often.  

by
on ‎10-20-2016 09:07 AM

Not only is this embarassing, but it's a requirement for PCI compliance by Jan. 2018.  When will this be implemented?

by Administrator Administrator
on ‎07-19-2017 09:01 AM
Status changed to: Accepted
 
by
on ‎12-22-2017 06:14 AM

Two factor is becoming widespread. How can Authorize.net be so far behind on this one ? Isn't security a primary concern ? Any update appreciated.

by
on ‎06-22-2018 07:56 AM

Any update on this since it's now a requirement for PCI compliance?

by
on ‎01-10-2019 09:39 AM

2019 and this request is still pending. No updates. It is confounding that a company involved in managing payments online does not have an option for the users to authenticate more securely than with a single password.

 

I like Authorize.net in many respects, but security is paramount and I am considering switching to a more secure solution.

 

by
on ‎02-28-2020 09:08 AM
and now it's 2020. Any update on this Authorize.net?
by
on ‎05-08-2020 11:48 AM

How has this been going on for 5... years. Your one-time email pin system is provably inadequate in the advent of a breached physical computer.