
Ask HN: Is Chime's (online US bank) 2FA system flawed? - mttjj
I signed up for a Chime (https://chime.com) account last weekend. The first thing I did was try to find out how to turn on 2FA for my account. Not finding the setting, I reached out to the company on Twitter. They replied and said that 2FA is turned on for all accounts by default. (It's SMS based and cannot be configured to be One-Time Password based, which is less than ideal, but that's not my point here.) I was confused when they told me that it was on for everyone because I was not asked for a 2F code when I logged into my account on my Mac. I reached out again and here's the first response I got back:

https://pastebin.com/JbGGXYzN

This was immediately concerning to me and rather confusing. What are the criteria for when it asks and when it doesn't? Will I be lucky enough that when a bad actor obtains my credentials from a security breach they will be asked to supply a 2F code to access my account? I tried logging in on a few more devices. I cleared cookies and caches on them and even switched to a cellular network on my phone. I was NOT asked for a 2F code on two devices (one being the cell network-connected phone) and WAS asked for a 2F code on two other devices. I replied to the support response and got this as a reply:

https://pastebin.com/BXEGeNbK

Am I crazy or does this completely defeat the purpose of 2FA? In my above scenario, where this bad actor already has my credentials, it sounds like they have free rein over my account. I practice good password habits (different passwords on every account and changing passwords immediately upon hearing about a breach) but this system still leaves me vulnerable if I don't hear about a breach for a few days.

Please put my mind at ease and tell me that their 2FA system is not as bad as I think it is. If they gave me control to configure it so the system asks _every_ time I log in I wouldn't have as much of a problem. But I don't like this mysterious algorithm that decides when it's going to ask for a 2F code.
======
Thespian2
Their second description is not 2FA, but password recovery.

At best, the support rep is confused between the two, very different, flows.

Your understanding of 2FA is correct. If what the support rep said is
accurate, I wouldn't trust them with my money.

~~~
mttjj
Agreed. I planned on moving my money over the next few weeks but now I’m just
going to close my account.

About the support: (of course) it was two different people who responded, even
though I kept the same email chain.

------
mttjj
Sorry about the pastebin links. I ran over the character limit.

