Two-Factor Authentication
Two-factor authentication (2FA) is an additional security layer that’s coming to Balance. This guide explains what it is and how it will protect your account.
Coming Soon!
Current Status: Two-factor authentication is planned for a future Balance update.
Expected availability: We’re actively researching the best 2FA implementation for our users. Stay tuned for announcements!
What is Two-Factor Authentication?
Two-factor authentication (also called 2FA or multi-factor authentication) requires two different types of verification to log in:
- Something you know - Your password
- Something you have - Your phone or authentication app
Think of it like having both a key and a keycard to enter a building. Even if someone steals your key (password), they still can’t get in without your keycard (2FA code).
Why 2FA Matters
Extra Security Layer
Even if someone:
- Guesses your password
- Sees you type your password
- Steals your password in a data breach
- Phishes your password
They still can’t log in without the second factor - your phone or authentication device.
Real-World Benefits
- Prevents 99.9% of account takeovers (Microsoft research)
- Protects if password is compromised - Most common attack vector
- Peace of mind - Know your financial data is extra secure
- Industry standard - Banks and financial apps use 2FA
- Quick and easy - Takes seconds to enter a code
Types of 2FA
Balance will likely support multiple methods:
SMS Text Messages
How it works:
- Enter your phone number
- Receive 6-digit code via text
- Enter code to complete login
Pros:
- ✅ Simple to use
- ✅ No app needed
- ✅ Works on any phone
- ✅ Familiar to most users
Cons:
- ❌ Requires cell service
- ❌ Can be intercepted (rare)
- ❌ SIM swap attacks possible
- ❌ May cost if abroad
Authenticator Apps
How it works:
- Download authenticator app (Google Authenticator, Authy, etc.)
- Scan QR code in Balance
- App generates rotating 6-digit codes
- Enter current code to login
Pros:
- ✅ More secure than SMS
- ✅ Works offline
- ✅ No cell service needed
- ✅ No interception possible
- ✅ Free
Cons:
- ❌ Requires app download
- ❌ Need backup if phone lost
- ❌ Slightly more setup
Popular apps:
- Google Authenticator
- Authy
- Microsoft Authenticator
- 1Password (includes authenticator)
Email Verification
How it works:
- Code sent to your email
- Check email
- Enter code in Balance
Pros:
- ✅ No phone needed
- ✅ Can access from any device
- ✅ Good backup method
Cons:
- ❌ Less secure if email compromised
- ❌ Requires email access
- ❌ May be delayed
- ❌ Email could be phished
Backup Codes
How it works:
- Generate one-time backup codes
- Save codes securely
- Use if primary method unavailable
Pros:
- ✅ Emergency access
- ✅ Works if phone lost
- ✅ No tech needed
Cons:
- ❌ Must keep codes secure
- ❌ One-time use only
- ❌ Can be lost
How 2FA Will Work in Balance
Enabling 2FA (Future)
Once available:
- Go to Settings → Security
- Enable Two-Factor Authentication
- Choose method (SMS, app, or email)
- Verify setup - Enter test code
- Save backup codes - For emergencies
- Confirmed - 2FA now active!
Logging In With 2FA (Future)
- Enter email and password as usual
- 2FA prompt appears - “Enter authentication code”
- Get your code:
  - SMS: Check text message
  - App: Open authenticator app
  - Email: Check inbox
- Enter the 6-digit code
- Logged in! - Extra secure
Optional: “Remember this device for 30 days” - Skip 2FA on trusted devices
When 2FA Will Be Required
Always:
- Logging in from new device
- Logging in from new location
- After password change
- After 30 days (if using “remember device”)
Optional (your choice):
- Every login (maximum security)
- Sensitive actions (account deletion, bank connections)
- Payment updates
- Security settings changes
Security Benefits
Protects Against
- ✅ Password breaches - Stolen passwords useless without 2FA
- ✅ Phishing - Fake login sites can’t get your 2FA code
- ✅ Keyloggers - Even if password captured, need 2FA
- ✅ Brute force - Can’t guess password alone
- ✅ Social engineering - Harder to manipulate users
- ✅ Shoulder surfing - Seeing password isn’t enough
Extra Protection For
- Couples accounts - Both partners protected
- Shared devices - Prevent unauthorized access
- Public Wi-Fi - Even on insecure networks
- High-value accounts - Extra security for financial data
- Peace of mind - Sleep better knowing account is secure
Best Practices (For When 2FA Launches)
Setup
- ✅ Use authenticator app - Most secure option
- ✅ Save backup codes - Store securely (password manager)
- ✅ Add backup method - Both SMS and app if possible
- ✅ Test immediately - Make sure it works before relying on it
- ✅ Update contact info - Current phone number and email
Daily Use
- ✅ Keep phone charged - Need it for 2FA codes
- ✅ Keep backup codes accessible - But secure
- ✅ Don’t screenshot codes - Write down or use password manager
- ✅ Check device regularly - Don’t miss code expiration
- ✅ Use trusted devices - Enable “remember device” on personal devices
Security
- ❌ Don’t share codes - Never give 2FA codes to anyone
- ❌ Don’t use auto-forward - Don’t auto-forward SMS
- ❌ Don’t post screenshots - Codes or QR codes online
- ❌ Don’t ignore unexpected codes - Sign of attempted access
- ✅ Update if phone changes - Set up 2FA on new device
Backup & Recovery
If You Lose Your Phone
With backup codes:
- Use backup code to log in
- Go to Security settings
- Remove lost phone as 2FA device
- Set up 2FA on new phone
Without backup codes:
- Contact Balance support
- Verify your identity (security questions, email verification)
- Support will disable 2FA temporarily
- Log in and set up 2FA again
If You Change Phone Numbers
Before changing number:
- Switch to authenticator app
- Or update phone number in Balance settings
- Save backup codes
After changing number:
- Update phone number in Balance settings
- Test 2FA with new number
- Generate new backup codes
If Authenticator App Breaks
- Use backup code to log in
- Remove broken authenticator
- Set up new authenticator app
- Generate new backup codes
Or:
- Use backup method (SMS or email)
- Contact support if all methods unavailable
Common Questions
Q: When will 2FA be available in Balance?
A: We’re actively developing 2FA. We’ll announce when it’s ready to launch!
Q: Will 2FA be required or optional?
A: Initially optional, but we strongly recommend enabling it. We may require it for high-risk actions.
Q: Can I use biometric login with 2FA?
A: Yes! Biometric login will work seamlessly with 2FA for enhanced security.
Q: What happens if I lose my phone?
A: Use backup codes to log in, then update your 2FA settings. If no backup codes, contact support for identity verification.
Q: Will 2FA slow down my login?
A: Slightly (5-10 seconds), but you can use “remember this device” to skip 2FA for 30 days on trusted devices.
Q: Can my partner and I share an account with 2FA?
A: Yes, both partners can save backup codes or use the same authenticator app setup. Consider each having your own authenticator app entry.
Q: Does 2FA cost money?
A: No, 2FA is free for all Balance users. SMS messages use your carrier’s texting plan (usually free).
Q: Which 2FA method is most secure?
A: Authenticator apps are most secure, followed by SMS, then email.
Q: Can I use multiple 2FA methods?
A: Yes, we recommend setting up multiple methods as backups.
What to Do Now
While waiting for 2FA:
Maximize Current Security
Use strong, unique password
Enable biometric login (if on mobile)
Secure your email - Your email is your account recovery method
- Enable 2FA on your email account
- Use strong email password
- Monitor for suspicious activity
Keep app updated - Latest security patches
- Update Balance regularly
- Enable auto-updates
Review account regularly - Spot unauthorized access
- Check bank connections
- Review transaction categories
- Monitor budget changes
Prepare for 2FA Launch
Download authenticator app - Get ready
- Google Authenticator
- Authy
- Microsoft Authenticator
Ensure phone number is current - For SMS 2FA
Set up password manager - To store backup codes
- 1Password
- Bitwarden
- LastPass
Join beta program - Test 2FA early
- Email support@balancebudget.app
- Subject: “2FA Beta Testing”
Industry Standards
2FA is standard for financial services:
Banks Using 2FA
- Chase
- Bank of America
- Wells Fargo
- Discover
- Capital One
- And virtually all others
Financial Apps Using 2FA
- Venmo
- PayPal
- Coinbase
- Robinhood
- Acorns
- Mint (before shutdown)
Balance will join this standard to protect your financial data with the same security as these trusted services.
Technical Details
For the technically curious:
TOTP (Time-Based One-Time Password)
Authenticator apps will likely use TOTP:
- RFC 6238 standard - Industry standard protocol
- Time-based algorithm - New code every 30 seconds
- Shared secret - Established during setup
- Offline capable - No internet needed to generate codes
- Synchronized clocks - Device and server time-synced
SMS Security Considerations
SMS has known vulnerabilities:
- SS7 attacks - Telecom protocol vulnerabilities
- SIM swapping - Attacker transfers number
- Interception - Could be intercepted in transit
Despite limitations, SMS 2FA is still much better than no 2FA.
Future Enhancements
Balance may eventually add:
- Hardware security keys (YubiKey, etc.)
- Push notification approval - Tap to approve login
- Biometric 2FA - Use fingerprint as second factor
- Location-based trust - Skip 2FA in trusted locations
Stay Informed
Want to know when 2FA launches?
- Email notifications - All users will be notified
- In-app announcements - Update notices
- Blog posts - Feature announcement articles
- Beta program - Test before public release
Join the conversation:
- Email feedback: support@balancebudget.app
- Request features: Which 2FA methods do you prefer?
Next Steps
Enhance your security now:
- Password Best Practices - Create unbreakable passwords
- Biometric Authentication - Enable biometric login
- How Balance Keeps Data Safe - Our security measures
- Account Recovery - Password reset process
Questions about security? Contact our team - we’re here to help!
Status Update: This article will be updated with full instructions once two-factor authentication is released.