This repository was archived by the owner on Mar 4, 2026. It is now read-only.
Since the operations the user has access to involve money, I consider this site to contain highly sensitive data and actions. Thus, I strongly recommend implementing 2FA mechanisms that the user could choose to enable in their profile, for example.
Since you are already collecting email addresses, it would be easy to automatically enable 2FA by email, at least providing a minimal layer of security. I would, though, suggest using an Authenticator App (OTP) that the user could enable in their profile, which is more robust and safe than email or SMS 2FA.
Without 2FA mechanisms, you cannot properly enforce imputability and non-repudiation of operations. A user could cause legal problems for your entity because there is no way to "prove" without a doubt that an action was made by the user themselves. They could claim a transfer of $10k was made without their consent, and without 2FA you cannot refute possible foul play. Either you must have very solid terms and conditions or implement ways to prove operations are made by users. Also, some jurisdictions (like Quebec, where I live) do not really acknowledge terms and conditions which have abusive terms (like putting 100% of the responsibility for account security on the shoulders of the users). They want the application / company to do at least the required basic security practices to ensure account security (like 2FA in 2025 for such a highly sensitive environment).
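The authenticator-app (TOTP) option recommended above is small enough to sketch end to end. The following is an added example, not code from the issue or from this repository: a server-side TOTP enrolment and verification routine following RFC 4226/6238 using only the Python standard library. The shared secret used in the demo is the public RFC 6238 test-vector value (constructed input, not a real credential), and the issuer/account names in the provisioning URI are placeholders. The verifier also covers the two details that are easy to get wrong: accepting one step of clock drift in each direction, and refusing to accept a code for a time step at or before the last one already used, so a captured code cannot be replayed within the same window.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

# RFC 6238 reference secret ("12345678901234567890"), used here only as a constructed demo input.
DEMO_SECRET = b"12345678901234567890"


def generate_secret(length: int = 20) -> bytes:
    """Per-user shared secret. 20 random bytes (160 bits) matches the SHA-1 HMAC block used by authenticator apps."""
    return secrets.token_bytes(length)


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, period: int = 30) -> str:
    """otpauth:// Key URI that authenticator apps read from a QR code at enrolment time."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={period}")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, then mod 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time divided by the step (30 s by default)."""
    return hotp(secret, timestamp // step, digits)


class TotpVerifier:
    """Server-side state for one user: the secret plus the last accepted time step (replay protection)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window          # steps of clock drift tolerated on each side
        self.last_accepted_step = -1  # persist this alongside the secret in a real deployment

    def verify(self, code: str, timestamp: int) -> bool:
        """Accept a code if it matches any step within the drift window that is newer than the last accepted one."""
        if len(code) != self.digits or not code.isdigit():
            return False
        current = timestamp // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_accepted_step:
                continue  # already consumed: a replayed code must not work twice
            expected = hotp(self.secret, candidate, self.digits)
            # Constant-time compare so the code check does not leak partial matches.
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        return False


def demo() -> dict:
    """Walk through enrolment, a valid login, a replayed code and a later step; returns the outcomes."""
    verifier = TotpVerifier(DEMO_SECRET)
    first_code = totp(DEMO_SECRET, 59)          # time step 1
    return {
        "uri": provisioning_uri(DEMO_SECRET, "alice@example.test", "ExampleBank"),
        "first": verifier.verify(first_code, 59),    # fresh code, accepted
        "replay": verifier.verify(first_code, 61),   # same code again, rejected
        "next": verifier.verify(totp(DEMO_SECRET, 89), 89),  # time step 2, accepted
    }


if __name__ == "__main__":
    print(demo())
```

Two points matter in production beyond what the block shows: `last_accepted_step` must be stored durably per user (otherwise a restart re-opens the replay window), and the rate of failed attempts should be limited, since a 6-digit code with a 3-step window gives an online guesser roughly a 3-in-a-million chance per try.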