Two-Factor Authentication with upper/lower code

One of my credit card companies has taken to using two-factor authentication with upper/lower case letters instead of the usual all UPPERCASE when I try to access it through Quicken. Has anybody else encountered the upper/lowercase coding?

I have found the upper/lowercase coding extremely hard to read on my AT&T FlipIV flip-phone. The lowercase letters are very small, the lines of text overlap and some letters (notably UCI and LCL) look exactly the same. Trying to decipher the codes takes so long that the codes seem to time out. I have gotten through a few times, but today I failed twice. I’m wondering if this is a new problem from a poor coding system, my crappy phone, my aging eyes, or something else?

How is the code delivered? A text message? Can you adjust the font and/or size to make it easier to read?

This sounds like your credit card company is totally clueless about the nature of 2FA. Without getting into the discussion about how SMS is not secure as a 2FA mechanism, their decision to use mixed-case text for a 2FA code is pointless. It makes the system more difficult to use without improving security at all.

Most companies just use a numeric code of 6 or 8 digits. And that is really all you need. It’s not like a password where it will persist for a long time, making length and complexity important. The code is probably going to expire in a few minutes or less. It will expire long before a brute-force attempt (whether sequential or random) can succeed. And if they’re concerned that it might not, they can revoke the code (forcing you to request another one) after a small number of failures.
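As an added illustration of the argument above (example code, not from anyone in this thread): a minimal numeric-code verifier with an expiry window, single use, and revocation after a few wrong guesses, plus the attacker's best-case success probability, which is bounded by allowed attempts over keyspace regardless of alphabet. The five-minute TTL and three-failure limit are assumed values.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6      # all-numeric code, as most issuers use
TTL_SECONDS = 300    # assumed expiry window: five minutes
MAX_FAILURES = 3     # assumed: revoke after this many wrong guesses


class OtpSession:
    """One issued code with its expiry, failure counter and revoked flag."""

    def __init__(self, now=None):
        now = time.time() if now is None else now
        # zero-padded random code from a CSPRNG, e.g. "004217"
        self.code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.expires_at = now + TTL_SECONDS
        self.failures = 0
        self.revoked = False

    def verify(self, guess, now=None):
        """True only for the right code, in time, before revocation; single use."""
        now = time.time() if now is None else now
        if self.revoked or now > self.expires_at:
            return False
        if hmac.compare_digest(self.code, guess):  # constant-time comparison
            self.revoked = True                     # a code is accepted once
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.revoked = True                     # user must request a new code
        return False


def keyspace(alphabet_size, length):
    """Number of possible codes for a given alphabet and length."""
    return alphabet_size ** length


def brute_force_success_probability(space, attempts=MAX_FAILURES):
    """Best case for an attacker guessing distinct codes before lockout."""
    return min(attempts, space) / space


if __name__ == "__main__":
    # 6 digits vs 8 mixed-case alphanumerics: both negligible once attempts are capped
    print(brute_force_success_probability(keyspace(10, 6)))   # 3e-06
    print(brute_force_success_probability(keyspace(62, 8)))   # about 1.4e-14
```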

It’s delivered kind of like a text message, which looks something like an SMS but includes lowercase letters and numbers in the code, which might have eight characters (I didn’t count). At one point I was able to change from the usual small size to a slightly larger size, but finding that option would take a while. I think it is now in the slightly larger size, which does not fit entirely on the tiny screen.

I have complained to the card company, and have yet to hear back. It’s helpful to learn that this is not some new standard for “more security.” I do wonder if this might be intended to respond specifically to Quicken checks of the account, which I use to keep track of the account, so Quicken might be responsible for the format.

Thanks for your help. I don’t know if it’s “just me” but it’s frustrating.

So they have their own authenticator app, but you need to type in the code.

Well, that’s better than SMS, but IMO, once you’re connecting to a bank-specific app, they could just as easily ask you to tap an “Allow” button (maybe in conjunction with face/touch ID) to authenticate the login.

Google does this for their 2FA if you have an Android phone logged in to your Google account (using the phone’s screen-lock for security - I wish they’d also require a fingerprint or re-entry of the unlock code). And my bank does it with their mobile app (using your password or face/touch ID to access the app in order to get to the button).

Apple is extra cautious here. Your iCloud login gets a notification. Then you need to unlock the phone, allow the 2FA request, and then copy a locally-generated 6 digit number. Great security but IMO, more than should be necessary. At least it’s only a 6 digit number.

I got a call from the credit card company shortly after I posted and they seem to recognize the problem. They fixed up my account so Quicken would not require the authorization code when it was trying to download (which it had not done before, and which Bank of America and my local bank do not do). He said they are trying to fix the system so they use only digits, which apparently was Quicken’s idea. The waffle words reflect a certain amount of waffling because the call came when we were in the midst of preparing dinner and it took me a couple of minutes to remember what I had just set aside mentally to help fix dinner. But the good news to me is that the credit card company (a Credit Union) knows that the codes should be numbers, which should solve the unreadable lowercase character problem. I find it disturbing that Quicken thinks that using the mixed characters would improve security, but over the past couple of years I have seen Quicken solve some problems they have created, so I can hope they may not break anything more seriously.

More troubling is that it’s so easy for multi-factor authentication to be broken by someone trying to increase security without realizing the limits of crappy phone displays.

The annoying part is nothing new - that IT departments constantly confuse “inconvenient” with “secure”. Just because something makes access difficult for you doesn’t necessarily mean it will have any impact on an attacker (who is probably using bots, scripts and other sophisticated tools).

Just like policies asking you to change your password every 90 days. Absolutely pointless (and leads to users creating more easily guessed passwords). If a password is secure today, it will be secure in 90 days or 900 days, as long as there hasn’t been a data breach. And if there is a data breach, it will compromise passwords changed five minutes before the breach just as well as ones that have been used for a decade.


Thank you! I started asking why password changes were a good thing almost 20 years ago, and I never received a convincing response. Perhaps if I had expressed myself as succinctly as you did, I could have made a difference (but probably not; based on my small sample size, most IT departments seem pretty calcified).
