Ally Never Uses 2FA --Should I worry?

Non-investing personal finance issues including insurance, credit, real estate, taxes, employment and legal issues such as trusts and wills.
Topic Author
goaties
Posts: 542
Joined: Fri Jan 29, 2010 3:15 pm

Ally Never Uses 2FA --Should I worry?

Post by goaties »

Although I have 2FA set up for Ally, they literally never use it. All my other financials frequently claim "we don't recognize the computer you are using" and make me go through the 2FA process. I've got something set so that it appears that I am logging in from a different computer all the time, when in fact I am not. (Can't remember how I did this, but I like it this way). In any case, Ally never makes me jumps through the 2FA hoop.

First, why? And second, should I care?
User avatar
jpsfranks
Posts: 1039
Joined: Sun Aug 26, 2007 11:45 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by jpsfranks »

Are you using a different computer on the same network as a previous login?

I just did the following experiment:

Login from browser I had previously logged in from my normal network - No 2FA
Login from private window from my normal network - No 2FA
Login from browser I had previously logged in on a VPN - No 2FA
Login from private window on a VPN - 2FA requested

So my speculation is that Ally is using both a cookie and recording your IP address(es) and will bypass 2FA if it recognizes either one.
Topic Author
goaties
Posts: 542
Joined: Fri Jan 29, 2010 3:15 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by goaties »

I am logging in from the same computer on the same IP address, I would suppose. (not sure) Maybe the mystery is that all my other financials don't recognize that fact and report that I am "not recognized". I admit my understanding of all this is really shaky. I use Firefox private browsing. I thought that cleared cookies after every session. (I always close my browser completely before going on to the next website.)
chw
Posts: 1315
Joined: Thu May 24, 2012 4:22 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by chw »

You must have it set up wrong. I’ve been using 2FA with Ally for several years with no problem. I would call their their tech support to help you get it set properly.

Even if you allow the computer to be recognized, with the 2FA you should still be getting a code sent to you phone (I do).
Colorado14
Posts: 1792
Joined: Thu Apr 07, 2011 4:58 pm
Location: Colorado

Re: Ally Never Uses 2FA --Should I worry?

Post by Colorado14 »

Ally always uses 2 factor identification for me. I logged in earlier this week and that was the case.

I agree that a call to their Tech Support or customer support would be a good next step.
User avatar
BrandonBogle
Posts: 4467
Joined: Mon Jan 28, 2013 10:19 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by BrandonBogle »

jpsfranks wrote: Fri Nov 19, 2021 4:47 am So my speculation is that Ally is using both a cookie and recording your IP address(es) and will bypass 2FA if it recognizes either one.
This speculation makes sense to me. Most users get their IP address changed regularly, so the user (and potentially the other posters) would never have “noticed” the IP address potentially bypassing 2FA. Meanwhile, while I don’t pay for a static IP, I’ve had the same IP for 3 years now.

Note: I am NOT speaking to the merits of bypassing 2FA based on IP address as we could have a whole conversation about that.
Thesaints
Posts: 5108
Joined: Tue Jun 20, 2017 12:25 am

Re: Ally Never Uses 2FA --Should I worry?

Post by Thesaints »

I would not worry. All the various authentication methods are there to protect the bank, not the customer.
Marseille07
Posts: 16054
Joined: Fri Nov 06, 2020 12:41 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by Marseille07 »

Try the incognito mode or whatever equivalent in Firefox and try accessing Ally and see what happens. If they still don't prompt then something might be broken.
Hockey10
Posts: 1108
Joined: Wed Aug 24, 2016 12:20 pm
Location: Philadelphia suburbs

Re: Ally Never Uses 2FA --Should I worry?

Post by Hockey10 »

I seem to have the same issue. :confused

Earlier this week I cleared all of my browsing history and cookies in Safari. The next time I logged into Ally, there was no request for 2FA, even though I have it set up to ask for 2FA. Every other site that I use with 2FA did ask me to verify my account with the 2FA.
Marseille07
Posts: 16054
Joined: Fri Nov 06, 2020 12:41 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by Marseille07 »

I just tried incognito myself and I wasn't prompted. Maybe they're looking at the IP address, not just cookies / session information.
Topic Author
goaties
Posts: 542
Joined: Fri Jan 29, 2010 3:15 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by goaties »

Marseille07 wrote: Fri Nov 19, 2021 11:50 am I just tried incognito myself and I wasn't prompted. Maybe they're looking at the IP address, not just cookies / session information.
I use a site https://www.grc.com/shieldsup to check my public-facing IP address. It has not changed in over a year. But that can't be the problem because I can travel to other parts of the country, use a friend's wifi, and STILL Ally does not use 2FA.

And yes, I have checked and rechecked that I have set up 2FA with Ally in my account. I even cleared it and then reset it, in case maybe there's some bitrot in the system. Calling/messaging customer service is next, I guess.

Edit: just realized....since my IP address is not changing, I really can't test this until I travel again!
Marseille07
Posts: 16054
Joined: Fri Nov 06, 2020 12:41 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by Marseille07 »

goaties wrote: Fri Nov 19, 2021 1:13 pm I use a site https://www.grc.com/shieldsup to check my public-facing IP address. It has not changed in over a year. But that can't be the problem because I can travel to other parts of the country, use a friend's wifi, and STILL Ally does not use 2FA.

And yes, I have checked and rechecked that I have set up 2FA with Ally in my account. I even cleared it and then reset it, in case maybe there's some bitrot in the system. Calling/messaging customer service is next, I guess.
Yeah, something might be *really* broken. With Ally, it doesn't surprise me. Come to think of it, my incognito attempt was from a different IP but no 2FA prompt for me either. Customer service is indeed the next step.
Topic Author
goaties
Posts: 542
Joined: Fri Jan 29, 2010 3:15 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by goaties »

Hockey10 wrote: Fri Nov 19, 2021 11:46 am I seem to have the same issue. :confused

Earlier this week I cleared all of my browsing history and cookies in Safari. The next time I logged into Ally, there was no request for 2FA, even though I have it set up to ask for 2FA. Every other site that I use with 2FA did ask me to verify my account with the 2FA.
Called customer service. Interacted with two different reps. They both suggested, *with no prompting from me*, that a tech person could set my account so that 2FA was used at every login. It was such a prepared response that it makes me think we aren't the only souls out there having this problem. I was also treated to a lengthy explanation that "if the device, or your location, or your IP is the same, then we don't ask for 2FA". I countered with my example where I was traveling and all three of those factors were different and still no 2FA was done.

Upshot: my sense is that this is a known issue for some people. Who knows why. In any case, I asked to speak to the tech person, who submitted my request to force 2FA at every login. We'll see, I guess.
Marseille07
Posts: 16054
Joined: Fri Nov 06, 2020 12:41 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by Marseille07 »

goaties wrote: Fri Nov 19, 2021 6:12 pm
Hockey10 wrote: Fri Nov 19, 2021 11:46 am I seem to have the same issue. :confused

Earlier this week I cleared all of my browsing history and cookies in Safari. The next time I logged into Ally, there was no request for 2FA, even though I have it set up to ask for 2FA. Every other site that I use with 2FA did ask me to verify my account with the 2FA.
Called customer service. Interacted with two different reps. They both suggested, *with no prompting from me*, that a tech person could set my account so that 2FA was used at every login. It was such a prepared response that it makes me think we aren't the only souls out there having this problem. I was also treated to a lengthy explanation that "if the device, or your location, or your IP is the same, then we don't ask for 2FA". I countered with my example where I was traveling and all three of those factors were different and still no 2FA was done.

Upshot: my sense is that this is a known issue for some people. Who knows why. In any case, I asked to speak to the tech person, who submitted my request to force 2FA at every login. We'll see, I guess.
Do we have any poster today who's successfully been prompted for 2FA? It might be broken for everyone...

Ally's known to hide issues, they informed the customers as late as possible & as few as possible when they realized they were sending our passwords in plaintext.
User avatar
jpsfranks
Posts: 1039
Joined: Sun Aug 26, 2007 11:45 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by jpsfranks »

Marseille07 wrote: Fri Nov 19, 2021 6:32 pm Do we have any poster today who's successfully been prompted for 2FA? It might be broken for everyone...
As I described above, I am prompted for 2FA if I am using a private window AND using a VPN (i.e. a new IP).
jpsfranks wrote: Fri Nov 19, 2021 4:47 am I just did the following experiment:

Login from browser I had previously logged in from my normal network - No 2FA
Login from private window from my normal network - No 2FA
Login from browser I had previously logged in on a VPN - No 2FA
Login from private window on a VPN - 2FA requested

So my speculation is that Ally is using both a cookie and recording your IP address(es) and will bypass 2FA if it recognizes either one.
Marseille07
Posts: 16054
Joined: Fri Nov 06, 2020 12:41 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by Marseille07 »

jpsfranks wrote: Fri Nov 19, 2021 6:40 pm
Marseille07 wrote: Fri Nov 19, 2021 6:32 pm Do we have any poster today who's successfully been prompted for 2FA? It might be broken for everyone...
As I described above, I am prompted for 2FA if I am using a private window AND using a VPN (i.e. a new IP).
jpsfranks wrote: Fri Nov 19, 2021 4:47 am I just did the following experiment:

Login from browser I had previously logged in from my normal network - No 2FA
Login from private window from my normal network - No 2FA
Login from browser I had previously logged in on a VPN - No 2FA
Login from private window on a VPN - 2FA requested

So my speculation is that Ally is using both a cookie and recording your IP address(es) and will bypass 2FA if it recognizes either one.
Thank you!

I just VPN'ed through a different country and I got prompted. I'm glad it's working for me as well :D
User avatar
CRC_Volunteer
Posts: 568
Joined: Fri Sep 10, 2021 10:57 am
Location: Southeast USA

Re: Ally Never Uses 2FA --Should I worry?

Post by CRC_Volunteer »

goaties wrote: Fri Nov 19, 2021 1:13 pm
Marseille07 wrote: Fri Nov 19, 2021 11:50 am I just tried incognito myself and I wasn't prompted. Maybe they're looking at the IP address, not just cookies / session information.
I use a site https://www.grc.com/shieldsup to check my public-facing IP address. It has not changed in over a year. But that can't be the problem because I can travel to other parts of the country, use a friend's wifi, and STILL Ally does not use 2FA.

And yes, I have checked and rechecked that I have set up 2FA with Ally in my account. I even cleared it and then reset it, in case maybe there's some bitrot in the system. Calling/messaging customer service is next, I guess.

Edit: just realized....since my IP address is not changing, I really can't test this until I travel again!
If possible, “hot spot” off your smartphone. Each time you initiate a “hot spot”, a new IP address is assigned.
"Let me explain. No, there is too much. Let me sum up." (Inigo Montoya) | | 65/30/05 | 53% VTSAX | 12% VTIAX | 30% VAIPX | 5% CASH
chw
Posts: 1315
Joined: Thu May 24, 2012 4:22 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by chw »

Marseille07 wrote: Fri Nov 19, 2021 6:32 pm
goaties wrote: Fri Nov 19, 2021 6:12 pm
Hockey10 wrote: Fri Nov 19, 2021 11:46 am I seem to have the same issue. :confused

Earlier this week I cleared all of my browsing history and cookies in Safari. The next time I logged into Ally, there was no request for 2FA, even though I have it set up to ask for 2FA. Every other site that I use with 2FA did ask me to verify my account with the 2FA.
Called customer service. Interacted with two different reps. They both suggested, *with no prompting from me*, that a tech person could set my account so that 2FA was used at every login. It was such a prepared response that it makes me think we aren't the only souls out there having this problem. I was also treated to a lengthy explanation that "if the device, or your location, or your IP is the same, then we don't ask for 2FA". I countered with my example where I was traveling and all three of those factors were different and still no 2FA was done.

Upshot: my sense is that this is a known issue for some people. Who knows why. In any case, I asked to speak to the tech person, who submitted my request to force 2FA at every login. We'll see, I guess.
Do we have any poster today who's successfully been prompted for 2FA? It might be broken for everyone...

Ally's known to hide issues, they informed the customers as late as possible & as few as possible when they realized they were sending our passwords in plaintext.
I’ve successfully see 2FA for every login since setting it up several years ago. No issues at all. I don’t think this is a widespread issue (at least from where I sit).
lws
Posts: 831
Joined: Tue Apr 25, 2017 6:12 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by lws »

They say you need to call them to have 2FA each time you log in.
Marseille07
Posts: 16054
Joined: Fri Nov 06, 2020 12:41 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by Marseille07 »

lws wrote: Sat Nov 20, 2021 8:54 pm They say you need to call them to have 2FA each time you log in.
Yeah, but that's not a desirable state to be in. Ally should only prompt when the IP is foreign or they detected something unusual about the login.

I think they know my home IP and my VPN IP, neither prompted 2FA. But when I went to a completely different IP, they did.
FedGuy
Posts: 1677
Joined: Sun Jul 25, 2010 3:36 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by FedGuy »

Marseille07 wrote: Sat Nov 20, 2021 9:06 pmAlly should only prompt when the IP is foreign or they detected something unusual about the login.
Unless you ask them otherwise. Maybe you have a roommate you don't fully trust, for example, and want an extra layer of security on your account.
evelynmanley
Posts: 1029
Joined: Tue Sep 21, 2010 9:13 am

Re: Ally Never Uses 2FA --Should I worry?

Post by evelynmanley »

goaties wrote: Fri Nov 19, 2021 6:12 pm
Hockey10 wrote: Fri Nov 19, 2021 11:46 am I seem to have the same issue. :confused

Earlier this week I cleared all of my browsing history and cookies in Safari. The next time I logged into Ally, there was no request for 2FA, even though I have it set up to ask for 2FA. Every other site that I use with 2FA did ask me to verify my account with the 2FA.
Called customer service. Interacted with two different reps. They both suggested, *with no prompting from me*, that a tech person could set my account so that 2FA was used at every login. It was such a prepared response that it makes me think we aren't the only souls out there having this problem. I was also treated to a lengthy explanation that "if the device, or your location, or your IP is the same, then we don't ask for 2FA". I countered with my example where I was traveling and all three of those factors were different and still no 2FA was done.

Upshot: my sense is that this is a known issue for some people. Who knows why. In any case, I asked to speak to the tech person, who submitted my request to force 2FA at every login. We'll see, I guess.
Goaties, I'm wondering if you or anyone else has had any success with Ally resetting their account for 2FA for each login. I have never been asked for 2FA on my Ally account, even when using a new device. I called Ally this morning, and the rep said that he'd try to reset it himself, and if that didn't work, he'd have to forward the issue to the IT department and they'd try to reset it. Why is this so difficult? Their system seems archaic. I was willing to let him try the reset, but then the phone reception from his end was impossible - moments of silence on my phone while he was talking, then lots of static, probably because he's working from home and has poor reception. I had to end the call and will have to try again. But before I do, I wondered if anyone else has successfully had Ally reset their account so that 2FA is required each time one logs in. Thanks -
athenslb57
Posts: 32
Joined: Mon Feb 20, 2017 6:49 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by athenslb57 »

Their security is terrible. I have asked them numerous times about implementing a proper 2FA solution like hardware keys or authenticator apps. All I get is that we value your feedback and will pass it along.
evelynmanley
Posts: 1029
Joined: Tue Sep 21, 2010 9:13 am

Re: Ally Never Uses 2FA --Should I worry?

Post by evelynmanley »

athenslb57 wrote: Thu Jan 06, 2022 10:50 am Their security is terrible. I have asked them numerous times about implementing a proper 2FA solution like hardware keys or authenticator apps. All I get is that we value your feedback and will pass it along.
Thanks for replying. My daughter is a systems architect, and she said that if Ally doesn't offer 2FA, she would NEVER keep her money there. If I can't get this resolved with Ally, I think it's only responsible to move my money elsewhere, which would be very, very disappointing, not to mention a PITA. Are there any other banks anyone would recommend besides Ally for savings and CDs?

Another issue I have is that if anyone gets access to my account (especially with lack of 2FA), they could edit/delete my beneficiary list. I've spoke to Ally reps about this twice, and I got the same response you did: "We value your feedback and will pass it along."
rkhusky
Posts: 17764
Joined: Thu Aug 18, 2011 8:09 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by rkhusky »

Is your account FDIC insured?

Does Ally promise to make you whole if your account is hacked? If so, are you complying with Ally’s security requirements for making you whole?
Lastrun
Posts: 1512
Joined: Wed May 03, 2017 6:46 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by Lastrun »

evelynmanley wrote: Thu Jan 06, 2022 10:59 am Thanks for replying. My daughter is a systems architect, and she said that if Ally doesn't offer 2FA, she would NEVER keep her money there.
They do.

I know some banks that don't or ask basic questions like what street you lived on in high school, or favorite pet, which to me is not true 2FA.

In fact my accounts at Ally are set up to always have 2FA, and it is so, even when I prompt on login to remember the computer. I always have 2FA on.
Marseille07 wrote: Sat Nov 20, 2021 9:06 pm
lws wrote: Sat Nov 20, 2021 8:54 pm They say you need to call them to have 2FA each time you log in.
Yeah, but that's not a desirable state to be in. Ally should only prompt when the IP is foreign or they detected something unusual about the login.
This is a fair point. But you have to balance the new device detected warning with this below:
FedGuy wrote: Sun Nov 21, 2021 12:39 pm Maybe you have a roommate you don't fully trust, for example, and want an extra layer of security on your account.
I view this as a possibly greater threat vector to me. And remember with 2FA on, I will still get the code and realize I did not ask for it, so know something is up.
Marseille07
Posts: 16054
Joined: Fri Nov 06, 2020 12:41 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by Marseille07 »

Lastrun wrote: Thu Jan 06, 2022 11:45 am
FedGuy wrote: Sun Nov 21, 2021 12:39 pm Maybe you have a roommate you don't fully trust, for example, and want an extra layer of security on your account.
I view this as a possibly greater threat vector to me. And remember with 2FA on, I will still get the code and realize I did not ask for it, so know something is up.
Your housemate can't really do anything unless they physically access your PC / laptop. And if someone living with you might try unauthorized access...well, you should consider different people (unless these are family members / relatives; then you might not have a solution).
Lastrun
Posts: 1512
Joined: Wed May 03, 2017 6:46 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by Lastrun »

The housemate is really not my issue, but the cleaning person, maintenance person, child's friends, person who picks up my laptop or ipad when I lose it, those are the people I am worried about with my set up.

I do use a password manager as well, but the bottom line is Ally 2FA is basically the same as what most financial instructions are doing. A few are better and a few are worse.
Marseille07
Posts: 16054
Joined: Fri Nov 06, 2020 12:41 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by Marseille07 »

Lastrun wrote: Thu Jan 06, 2022 12:46 pm The housemate is really not my issue, but the cleaning person, maintenance person, child's friends, person who picks up my laptop or ipad when I lose it, those are the people I am worried about with my set up.

I do use a password manager as well, but the bottom line is Ally 2FA is basically the same as what most financial instructions are doing. A few are better and a few are worse.
Oh I see. I think you have to call them to enable 2FA on every login (I don't get prompted for 2FA every time even though I have it on). If you want that and have called them, that's pretty secure.
lws
Posts: 831
Joined: Tue Apr 25, 2017 6:12 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by lws »

Secure the home computer password and the bank account username/password.
Call Ally and ask them to require 2FA at all times.
evelynmanley
Posts: 1029
Joined: Tue Sep 21, 2010 9:13 am

Re: Ally Never Uses 2FA --Should I worry?

Post by evelynmanley »

I have now called Ally customer service twice today. I described my first call earlier in this thread, where the rep said (before his cell reception went out) he'd have to try to set the account to set up 2FA, and if that didn't work, he'd have to transfer me to IT. My second phone call was with a rep who told me in no uncertain terms that there is no way Ally will provide 2FA security code if our device is registered/verified. I asked if customers could call Ally to enable 2FA before every login. She said no. She was very grumpy and curt. So now I've had two different answers from two different Ally reps. If other Bogleheads have been able to successfully set up 2FA, then it seems to me that I should be able to with the help of a knowledgeable Ally rep. I'm going to keep trying. This is ludicrous.
Last edited by evelynmanley on Fri Jan 07, 2022 8:13 am, edited 1 time in total.
Lastrun
Posts: 1512
Joined: Wed May 03, 2017 6:46 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by Lastrun »

The 2FA is really a counter to my password manager. If for some reason I left it open on an open machine, they would still need to 2FA to get into the bank account.

I have:
computers and ipad all password or biometric
Simcard locked down with code with phone provider
Password manager with single use pass phrase
Strong individual passwords for each financial institution
2FA always on wherever they will allow it
evelynmanley wrote: Thu Jan 06, 2022 1:11 pm OP here.
So now I've had two different answers from two different Ally reps. If other Bogleheads have been able to successfully set up 2FA, then it seems to me that I should be able to with the help of a knowledgeable Ally rep. I'm going to keep trying. This is ludicrous.
I would call again. I did this in roughly 2019, but it did take the rep having to bring a technical person on the call. The rep could not do it themselves.
evelynmanley
Posts: 1029
Joined: Tue Sep 21, 2010 9:13 am

Re: Ally Never Uses 2FA --Should I worry?

Post by evelynmanley »

Lastrun wrote: Thu Jan 06, 2022 1:16 pm The 2FA is really a counter to my password manager. If for some reason I left it open on an open machine, they would still need to 2FA to get into the bank account.

I have:
computers and ipad all password or biometric
Simcard locked down with code with phone provider
Password manager with single use pass phrase
Strong individual passwords for each financial institution
2FA always on wherever they will allow it
evelynmanley wrote: Thu Jan 06, 2022 1:11 pm OP here.
So now I've had two different answers from two different Ally reps. If other Bogleheads have been able to successfully set up 2FA, then it seems to me that I should be able to with the help of a knowledgeable Ally rep. I'm going to keep trying. This is ludicrous.
I would call again. I did this in roughly 2019, but it did take the rep having to bring a technical person on the call. The rep could not do it themselves.
I just called again. This third rep says that Ally does NOT send a 2FA security code if the device and location of the user are already registered. He said they have never offered 2FA. He said the only way to receive a 2FA is if Ally suspects fraudulent activity or unusual requests or unusual transfers or if the user is using a VPN. He said Ally does not recommend trying to access account with VPN because "VPN software interferes with Ally security because VPN randomizes user's location and Ally could see this as a potential problem and lock down the account." I asked him why Ally doesn't add the extra security of 2FA, and he said, "SFA is a great standard, but is not foolproof. There are many ways 2FA could be intercepted or spoofed. Each time you use a 2FA, you increase that chance of intercept. Phones can be cloned and texts can be intercepted before the user receives them." He said that in six months, Ally may change their mind about 2FA or perhaps choose a different and more secure method. He said the funds are FDIC insured, and if an account is hacked, they will investigate and make the customer whole if the customer is not at fault. He also mentioned that customers should not keep passwords and user names on online password managers.

So for those of you who are receiving a 2FA from Ally each time you log in, are you using a VPN?
Topic Author
goaties
Posts: 542
Joined: Fri Jan 29, 2010 3:15 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by goaties »

So, I'm the one who started this thread. I did call Ally back in November and asked that they require I do 2FA at every login. They did not do this. However, the did fix something because, since that call, I *do* get asked to do 2FA whenever I switch devices, such as logging in from my phone instead of my laptop. That is a huge improvement over NEVER asking me to do 2FA! So, I decided to just live with that.

I would prefer 2FA every time too, but sometimes you just can't fight city hall.
User avatar
VictorStarr
Posts: 746
Joined: Sat Jan 04, 2020 9:13 pm
Location: Washington

Re: Ally Never Uses 2FA --Should I worry?

Post by VictorStarr »

I sent secure message to Ally and requested to enable 2FA on every login.
I received a respond in 10 minutes and it implies that it possible for Ally to enable 2FA on every login.
Here is the full message:

Dear Xxx,

Thank you for taking the time to contact Ally Bank. It is my pleasure to assist you with setting up Two Step Authentication.

The security code feature helps enhance our security program to safeguard your account. To assist us in protecting your funds, we may require additional verification in the form of a security code each time that you log in with a device that we do not recognize as belonging to you. Once you have the security code, you will need to enter that information when you log into your account on the unrecognized device.

Please keep in mind, your security code delivery preferences are separate from your contact information. To review your preferences online, please take the following steps:

-From the Snapshot screen on a desktop PC, click Profile and Settings.
-Click Profile and Settings again to expand the menu.
-Click Security Code Delivery.
-From here you can add new security code delivery options or delete old ones.

To request a security code be required for every log in attempt, please call our toll-free number below to be connected to a Tech Team associate.

If you have any additional questions, we are here for you 24 hours a day, seven days a week, by Phone, Live Chat, or Secure Messaging. Our toll-free number is 1-877-247-ALLY (2559), or you can visit us online at ally.com. We appreciate your business and want to thank you for choosing Ally Bank.

Sincerely,
Xxxx
Customer Service
Ally Bank
evelynmanley
Posts: 1029
Joined: Tue Sep 21, 2010 9:13 am

Re: Ally Never Uses 2FA --Should I worry?

Post by evelynmanley »

VictorStarr wrote: Thu Jan 06, 2022 2:25 pm I sent secure message to Ally and requested to enable 2FA on every login.
I received a respond in 10 minutes and it implies that it possible for Ally to enable 2FA on every login.
Here is the full message:

Dear Xxx,

Thank you for taking the time to contact Ally Bank. It is my pleasure to assist you with setting up Two Step Authentication.

The security code feature helps enhance our security program to safeguard your account. To assist us in protecting your funds, we may require additional verification in the form of a security code each time that you log in with a device that we do not recognize as belonging to you. Once you have the security code, you will need to enter that information when you log into your account on the unrecognized device.

Please keep in mind, your security code delivery preferences are separate from your contact information. To review your preferences online, please take the following steps:

-From the Snapshot screen on a desktop PC, click Profile and Settings.
-Click Profile and Settings again to expand the menu.
-Click Security Code Delivery.
-From here you can add new security code delivery options or delete old ones.

To request a security code be required for every log in attempt, please call our toll-free number below to be connected to a Tech Team associate.

If you have any additional questions, we are here for you 24 hours a day, seven days a week, by Phone, Live Chat, or Secure Messaging. Our toll-free number is 1-877-247-ALLY (2559), or you can visit us online at ally.com. We appreciate your business and want to thank you for choosing Ally Bank.

Sincerely,
Xxxx
Customer Service
Ally Bank

Thank you for this.

I had already put in my security code delivery preference in my profile setting a long time ago. This is the information from that profile setting:

>We'll ask for a security code when you log in from a computer we don't recognize. We may also send you a code to read back to us when you call us at 1-877-247-2559—this is the only time we’ll ask for a code over the phone.

We recommend receiving your security code by SMS text message instead of email for a more secure delivery. Be sure to remove your email if you have it listed as a delivery option.>

I will call Ally once again and ask to be transferred to a Tech Team associate.
Topic Author
goaties
Posts: 542
Joined: Fri Jan 29, 2010 3:15 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by goaties »

evelynmanley wrote: Thu Jan 06, 2022 2:37 pm
I will call Ally once again and ask to be transferred to a Tech Team associate.
You are a more determined soul than I! Let us know how it goes.
User avatar
VictorStarr
Posts: 746
Joined: Sat Jan 04, 2020 9:13 pm
Location: Washington

Re: Ally Never Uses 2FA --Should I worry?

Post by VictorStarr »

VictorStarr wrote: Thu Jan 06, 2022 2:25 pm I sent secure message to Ally and requested to enable 2FA on every login.
I received a respond in 10 minutes and it implies that it possible for Ally to enable 2FA on every login.
Here is the full message:

Dear Xxx,

Thank you for taking the time to contact Ally Bank. It is my pleasure to assist you with setting up Two Step Authentication.

The security code feature helps enhance our security program to safeguard your account. To assist us in protecting your funds, we may require additional verification in the form of a security code each time that you log in with a device that we do not recognize as belonging to you. Once you have the security code, you will need to enter that information when you log into your account on the unrecognized device.

Please keep in mind, your security code delivery preferences are separate from your contact information. To review your preferences online, please take the following steps:

-From the Snapshot screen on a desktop PC, click Profile and Settings.
-Click Profile and Settings again to expand the menu.
-Click Security Code Delivery.
-From here you can add new security code delivery options or delete old ones.

To request a security code be required for every log in attempt, please call our toll-free number below to be connected to a Tech Team associate.

If you have any additional questions, we are here for you 24 hours a day, seven days a week, by Phone, Live Chat, or Secure Messaging. Our toll-free number is 1-877-247-ALLY (2559), or you can visit us online at ally.com. We appreciate your business and want to thank you for choosing Ally Bank.

Sincerely,
Xxxx
Customer Service
Ally Bank
I called Ally main number, asked to be connected to a tech team, after waiting for 2-3 minutes CS representative got back to me and said that tech team opened ticket to enable 2FA and expected completion is one next business day.
evelynmanley
Posts: 1029
Joined: Tue Sep 21, 2010 9:13 am

Re: Ally Never Uses 2FA --Should I worry?

Post by evelynmanley »

goaties wrote: Thu Jan 06, 2022 2:43 pm
evelynmanley wrote: Thu Jan 06, 2022 2:37 pm
I will call Ally once again and ask to be transferred to a Tech Team associate.
You are a more determined soul than I! Let us know how it goes.
Goatie, what an ordeal this is! I'm very determined because I'm appalled that I haven't been able to get 2FA each time I log in to my Ally accounts, and I really don't want to leave Ally. I think 2FA is very important, despite what Ally rep #3 said.

I called once again and asked to be transferred to a tech team associate. The rep said she had to try to help me first, could not just transfer me. I went through the entire spiel again. She said that YES, Ally does provide 2FA if the customer opts for "Do not trust this computer" when setting up again. So she reset my account. I logged in, clicked "Do not trust this computer" and logged out. Logged in again - with no success, no 2FA. So she said she'd talk to the tech team, put me on hold, then said they have issued a case number and in 3-5 business days, I should have 2FA provided for each time I log in. She said customers have to request this. I have my doubts! I will log in next week and see if this magnificent event transpires. If not, I'll be back on the phone with Ally. I will update you!

VictorStarr - Many thanks for going out of your way to help figure this out!!! I really appreciate it. Please let us know if Ally actually puts the 2FA in effect for your account.
User avatar
VictorStarr
Posts: 746
Joined: Sat Jan 04, 2020 9:13 pm
Location: Washington

Re: Ally Never Uses 2FA --Should I worry?

Post by VictorStarr »

evelynmanley wrote: Thu Jan 06, 2022 3:32 pm
Goatie, what an ordeal this is! I'm very determined because I'm appalled that I haven't been able to get 2FA each time I log in to my Ally accounts, and I really don't want to leave Ally. I think 2FA is very important, despite what Ally rep #3 said.

I called once again and asked to be transferred to a tech team associate. The rep said she had to try to help me first, could not just transfer me. I went through the entire spiel again. She said that YES, Ally does provide 2FA if the customer opts for "Do not trust this computer" when setting up again. So she reset my account. I logged in, clicked "Do not trust this computer" and logged out. Logged in again - with no success, no 2FA. So she said she'd talk to the tech team, put me on hold, then said they have issued a case number and in 3-5 business days, I should have 2FA provided for each time I log in. She said customers have to request this. I have my doubts! I will log in next week and see if this magnificent event transpires. If not, I'll be back on the phone with Ally. I will update you!

VictorStarr - Many thanks for going out of your way to help figure this out!!! I really appreciate it. Please let us know if Ally actually puts the 2FA in effect for your account.
evelynmanley, I completely agree with you that 2FA is a must for any financial account, 2FA with SMS is a bare minimum. I will check my account in a couple of days and report if 2FA is enabled for my account.
FedGuy
Posts: 1677
Joined: Sun Jul 25, 2010 3:36 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by FedGuy »

I'm still following this thread with interest. When I asked several years ago, Ally told me in no uncertain terms that they do not offer 2FA. That's one of the reasons I resisted moving most of my emergency fund there for so long.
athenslb57
Posts: 32
Joined: Mon Feb 20, 2017 6:49 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by athenslb57 »

Under their security code delivery section:
We recommend receiving your security code by SMS text message instead of email for a more secure delivery. Be sure to remove your email if you have it listed as a delivery option.

Sorry, but that statement is incorrect. My email is secured by a hardware based token and is much more secure than any SMS.
PaunchyPirate
Posts: 1164
Joined: Sun Nov 30, 2014 6:58 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by PaunchyPirate »

athenslb57 wrote: Thu Jan 06, 2022 8:36 pm Under their security code delivery section:
We recommend receiving your security code by SMS text message instead of email for a more secure delivery. Be sure to remove your email if you have it listed as a delivery option.

Sorry, but that statement is incorrect. My email is secured by a hardware based token and is much more secure than any SMS.
The text in their "security code delivery" is just odd. As you mention above, it sounds like if you want SMS text messages, you should not add your email as a delivery option. Then below that, they say "We recommend you have at least 2 options, but you can add up to 6." And they then let you add only an email address or another phone number.

I don't know how it would work if you listed multiple phone numbers and no email address.

I have both a phone number and an email address listed. I don't think they have ever sent me 2FA code. Ever. Even after I clear my internet browser cache. I think, as others above have posted, that this just doesn't work. Hopefully those who have called and had a case created will shed some light on getting it working.
athenslb57
Posts: 32
Joined: Mon Feb 20, 2017 6:49 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by athenslb57 »

PaunchyPirate wrote: Fri Jan 07, 2022 6:56 am
athenslb57 wrote: Thu Jan 06, 2022 8:36 pm Under their security code delivery section:
We recommend receiving your security code by SMS text message instead of email for a more secure delivery. Be sure to remove your email if you have it listed as a delivery option.

Sorry, but that statement is incorrect. My email is secured by a hardware based token and is much more secure than any SMS.
The text in their "security code delivery" is just odd. As you mention above, it sounds like if you want SMS text messages, you should not add your email as a delivery option. Then below that, they say "We recommend you have at least 2 options, but you can add up to 6." And they then let you add only an email address or another phone number.

I don't know how it would work if you listed multiple phone numbers and no email address.

I have both a phone number and an email address listed. I don't think they have ever sent me 2FA code. Ever. Even after I clear my internet browser cache. I think, as others above have posted, that this just doesn't work. Hopefully those who have called and had a case created will shed some light on getting it working.
Agreed. I created a new case for this issue with them last night. I am already looking at Marcus and others who actually implement this very basic security option.
evelynmanley
Posts: 1029
Joined: Tue Sep 21, 2010 9:13 am

Re: Ally Never Uses 2FA --Should I worry?

Post by evelynmanley »

Update: Yesterday, when I made the four phone calls to Ally, I completed the surveys after each phone call and opted to have someone from Ally call me. Two reps called me today, and I told them both what happened during each phone call and how frustrated I am that Ally doesn't offer 2FA at each login as part of its security protocol. Both reps expressed surprise that I was told that customers can't get 2FA under any circumstances, and both of them told me that customers CAN request to have 2FA at each login if they call Ally and request it. They both said that a case report has to be generated by the tech team, and the 2FA should take effect within 3-5 business days. (We shall see.)

One of the reps said he was "stunned" at the misinformation given to me by Ally rep #3 yesterday, who told me that Ally was doing the customers a favor by not offering 2FA at all because using 2FA too much actually increases the risk of text intercept, phone can be cloned, etc. He said that some of the Ally reps are not Ally employees; they work at a contracted call center but are still expected to find out the correct answers to customer questions. Obviously their training is not uniform.

I'm very curious to see if those of us who called Ally and generated a case report yesterday will actually find resolution to this issue. I think it's ludicrous that they don't offer 2FA to every customer at each login. Why should we have to call in and have to generate a report to make this happen? And if that's the case, then why don't they make that public on their "security" page?

My confidence in Ally is not high anymore. This 2FA issue and the lack of uniform training of their reps is absurd. Even if they do set my account for 2FA, if other banks start offering similar or higher interest rates than Ally, and if they offer 2FA for each login, I'll start researching which bank to transfer my funds to.
Marseille07
Posts: 16054
Joined: Fri Nov 06, 2020 12:41 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by Marseille07 »

I'm actually in the camp of not wanting 2FA on every login from the same device. That said, if they never prompt 2FA then something is wrong. Iirc they did prompt me 2FA when my IP changed after rebooting my router.
evelynmanley
Posts: 1029
Joined: Tue Sep 21, 2010 9:13 am

Re: Ally Never Uses 2FA --Should I worry?

Post by evelynmanley »

Marseille07 wrote: Fri Jan 07, 2022 1:54 pm I'm actually in the camp of not wanting 2FA on every login from the same device. That said, if they never prompt 2FA then something is wrong. Iirc they did prompt me 2FA when my IP changed after rebooting my router.
Totally understand where you're coming from. You must have chosen "Trust this computer." We have the option of choosing "Do not trust this computer," which is supposed to generate 2FA at each login, but it obviously doesn't work for many of us. It didn't even work when the Ally rep tried to reset my account. The reps are saying we have to call Ally and request automatic 2FA, but they don't have that information anywhere on their website. If you read the language on their security menu, it's very confusing, as someone has mentioned above. I've never run into this situation with any other institution. Even the Social Security website now requires that we sign up for 2FA.
Marseille07
Posts: 16054
Joined: Fri Nov 06, 2020 12:41 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by Marseille07 »

evelynmanley wrote: Fri Jan 07, 2022 2:16 pm Totally understand where you're coming from. You must have chosen "Trust this computer." We have the option of choosing "Do not trust this computer," which is supposed to generate 2FA at each login, but it obviously doesn't work for many of us. It didn't even work when the Ally rep tried to reset my account. The reps are saying we have to call Ally and request automatic 2FA, but they don't have that information anywhere on their website. If you read the language on their security menu, it's very confusing, as someone has mentioned above. I've never run into this situation with any other institution. Even the Social Security website now requires that we sign up for 2FA.
Ally's 2FA is sporadic. I recently cleared my cache but I don't believe I got 2FA'ed. I believe they're more likely to flag new logins when your IP address changes.
evelynmanley
Posts: 1029
Joined: Tue Sep 21, 2010 9:13 am

Re: Ally Never Uses 2FA --Should I worry?

Post by evelynmanley »

Marseille07 wrote: Fri Jan 07, 2022 2:50 pm
evelynmanley wrote: Fri Jan 07, 2022 2:16 pm Totally understand where you're coming from. You must have chosen "Trust this computer." We have the option of choosing "Do not trust this computer," which is supposed to generate 2FA at each login, but it obviously doesn't work for many of us. It didn't even work when the Ally rep tried to reset my account. The reps are saying we have to call Ally and request automatic 2FA, but they don't have that information anywhere on their website. If you read the language on their security menu, it's very confusing, as someone has mentioned above. I've never run into this situation with any other institution. Even the Social Security website now requires that we sign up for 2FA.
Ally's 2FA is sporadic. I recently cleared my cache but I don't believe I got 2FA'ed. I believe they're more likely to flag new logins when your IP address changes.
I've never gotten a 2FA from a new IP address or a new device. The Ally rep who called me today said that using a VPN will always trigger a 2FA and sometimes lock the account. His explanation for this was that VPNs have servers overseas, so they trigger suspicion. I never know what to believe from Ally. Some of their explanations for things are ridiculous.
Marseille07
Posts: 16054
Joined: Fri Nov 06, 2020 12:41 pm

Re: Ally Never Uses 2FA --Should I worry?

Post by Marseille07 »

evelynmanley wrote: Fri Jan 07, 2022 3:39 pm I've never gotten a 2FA from a new IP address or a new device. The Ally rep who called me today said that using a VPN will always trigger a 2FA and sometimes lock the account. His explanation for this was that VPNs have servers overseas, so they trigger suspicion. I never know what to believe from Ally. Some of their explanations for things are ridiculous.
Something is up then. Iirc I got 2FA when my IP got changed; which I can test right now but not inclined to, as other institutions might think my location has changed.
Post Reply