VOIP not eligible for bank 2FA verification
Our bank (BMO in Canada) requires 2FA verification when using their site. In particular when adding a recipient for an Interac transfer or a Payee for bills. Likely others too.
What happens, is that they call our home number, we answer and a recorded message gives us the code. We then enter the code and should be on to next step.
Well, we get the code, but after entering it get a page that says "Something went wrong". After a number of calls and discussions, I am now told that their system does not work with VOIP phones. We have had OOMA for 10 years without a problem until now. It seems that the bank will not budge on this restriction.
We could give up on OOMA, but what would we replace it with? Our internet is through Bell Fibe. They have a phone option, but presumably it too is VOIP.
The bank says we can use a mobile phone and they will text the code. However, not sure our pay as you go phones would be more secure, especially if misplaced or lost.
Interested in if others have faced this type of issue.
Re: VOIP not eligible for bank 2FA verification
Ooma does not support texting unless you have the business package. However a voice code over a phone line should work, VOIP or no VOIP. I am a retired telco guy. The telco networks themselves are using VOIP these days in their central office switching. I think the issue is the bank.
I have a similar option on my TD account, I just tested it with Ooma, it worked fine. They are feeding you a line.
Regardless a text to a cell number will work.
Re: VOIP not eligible for bank 2FA verification
It is no doubt the bank (BMO). This is a recent change and BMO are likely over-reacting to the spate of security issues they have had over the past three years.
We have an account at RBC and there our OOMA VOIP still works for all 2FA. They also still have other options like personal questions etc.
Interesting that TD also works fine with Ooma. By the way, the 2FA Voice OTP works for log-ins and some other activities on BMO, but it does not work for adding a contact for bill payment or Interac. CRA 2FA log-in also goes through BMO and that still works.
A text to a mobile would work. But we do our banking at home on PC and only use our cell phones for emergency use in cars. I don't see that adding another device, that could be lost or stolen, instead of using the Voice OTP would somehow improve security.
Re: VOIP not eligible for bank 2FA verification
If the bank won't budge, then maybe give up on the bank. SMS is not secure. Voice call options are somewhat better; at least VoIP isn't vulnerable to SIM swapping. Texting may be more convenient (for both providers and their users), but other options (such as an authentication app, or a hardware key) are much more secure.
If the VoIP phone receives a voice code at all, but entering the code into the bank's web page fails, then the problem is with the bank, not with VoIP. Try (temporarily) sending a voice code to the mobile phone, to see if that makes a difference. If not, then the problem is with voice vs. text, not with VoIP vs. mobile.
Re: VOIP not eligible for bank 2FA verification
Our bank is not the only one on which VOIP phones are not eligible for OTPs for adding payees. This is apparently quite widespread. Ooma customers like us will probably be more likely to leave Ooma than to leave their bank. We only have about 5 choices of big banks in Canada and all will likely be making changes as fraud increases.
The issue with the OTP code not working for certain actions, such as adding new payees, is no doubt a deliberate attempt to reduce fraudulent use. I too can't see why they think a text to a mobile phone is safer than a time-limited voice call to a home number. Even an Ooma home number.
An email is also acceptable, but not if the only other means of contact is a VOIP phone.
I have no idea what they should do. The bank has a whole team of experts working on their fraud problems, so who am I to criticize their efforts! But it could affect our use of Ooma.
Re: VOIP not eligible for bank 2FA verification
Please explain whether this 2FA issue is with VoIP specifically, or with voice calls in general. Why does this bank bother sending a voice code to a VoIP number at all, only to reject it later on? What happens if the bank tries to send a voice code to a mobile phone instead? And what could Ooma do to resolve this issue?
Some telecom providers offer "text enablement" for VoIP, but that is not the same as SMS. Online account providers can verify which numbers are registered with mobile providers, and they can refuse to send texts to "suspicious" non-mobile numbers. In that case, text codes would not work with VoIP phones, either.
Ooma is already doing the only thing it can do: accepting an incoming phone call, and putting it through; that part seems to work just fine. Ooma can't force online account providers to support 2FA over VoIP. And if a customer considers that a good enough reason to give up VoIP altogether, then that is their choice.
Re: VOIP not eligible for bank 2FA verification
As I see it, the bank always allows a VOIP connection. For lower risk activities, they then will provide the code via a voice call if that option is chosen. For higher risk activities like adding a payee for Interac or payments, they require two methods of contacting the client, neither of which can be a VOIP phone.
I can't answer your question re mobile phone because I do not use one for any banking or investing activities.
You are right that there is nothing Ooma can do. But if VOIP becomes ineligible at more banks, then Ooma should be aware that it could affect their business. Although not much seeing most people these days are happy to use their mobile phones for just about anything!
My issue with bank is resolved, so no point in keeping this thread alive.
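The tiered rule described in this post, together with the email and line-type points raised earlier in the thread, can be modelled as an eligibility check that runs before a code is sent. This is an added illustration, not part of any post and not BMO's actual logic; the action names, line-type labels, function names and sample profiles are assumptions.

```python
from dataclasses import dataclass

# Actions the thread names as failing with a VoIP number (labels are assumed).
HIGH_RISK_ACTIONS = {"add_payee", "add_interac_recipient"}

@dataclass(frozen=True)
class Contact:
    kind: str               # "phone" or "email"
    line_type: str = "n/a"  # phones only: "mobile", "landline" or "voip" (assumed labels)

def is_voip(c):
    return c.kind == "phone" and c.line_type == "voip"

def sms_allowed(c):
    """Text codes go only to numbers registered with a mobile provider."""
    return c.kind == "phone" and c.line_type == "mobile"

def otp_decision(action, contacts):
    """Return (allowed, usable_contacts, reason) for sending a one-time code."""
    if action not in HIGH_RISK_ACTIONS:
        # Lower-risk tier: any contact on file may receive the code,
        # including a voice call to a VoIP line.
        return (bool(contacts), list(contacts), "low-risk action: any contact on file")
    # Higher-risk tier: two contact methods are required, neither of them VoIP.
    # Email counts as one method, so email plus a VoIP line is still only one.
    non_voip = [c for c in contacts if not is_voip(c)]
    if len(non_voip) < 2:
        return (False, [], "high-risk action needs two non-VoIP contact methods")
    return (True, non_voip, "high-risk action: two non-VoIP methods on file")

# Constructed customer profiles for illustration.
OOMA_ONLY = [Contact("phone", "voip")]
OOMA_PLUS_EMAIL = [Contact("phone", "voip"), Contact("email")]
MOBILE_PLUS_EMAIL = [Contact("phone", "mobile"), Contact("email")]

if __name__ == "__main__":
    for name, profile in [("ooma only", OOMA_ONLY),
                          ("ooma + email", OOMA_PLUS_EMAIL),
                          ("mobile + email", MOBILE_PLUS_EMAIL)]:
        for action in ("login", "add_payee"):
            allowed, _, reason = otp_decision(action, profile)
            print(f"{name:15} {action:10} allowed={allowed}  ({reason})")
```

Evaluating the rule before the call is placed lets the site state the reason up front instead of delivering a code and then rejecting it.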
Re: VOIP not eligible for bank 2FA verification
Agent99 wrote: My issue with bank is resolved, so no point in keeping this thread alive.
So, the OP does not really seem that "interested in if others have faced this type of issue". Maybe one of those others would bother taking a few minutes to test whether sending a voice code to their mobile phone works the same way or not, just to let everyone else know.