Maybank users hanging on to their M2U MY app may have had a rude shock if they’ve tried to use it on a new phone recently. The company announced last month it would be disabling new activations for its Secure2u two-factor authentication starting September 26, effectively sunsetting the app and forcing users to migrate to its newer product, MAE.
Now, if you’ve already activated Secure2u using your current phone, you’ll still be able to use the M2U MY app to authenticate online banking transactions, just as before. But many of you will have bought new phones recently, and if you try to register your new device for Secure2u in the app, you’ll get the following screen:
Maybank’s move to enforce a migration to the MAE app comes as the company works to fully replace SMS-based one-time passwords (OTPs) with its Secure2u in-app authentication by June next year. It says its decision is “part of our continuous effort to safeguard your online banking security.” But there’s a problem with that—to me, MAE isn’t actually a better solution than M2U MY.
MAE isn’t advertised as a banking app
In case you didn’t know, MAE by Maybank2u was launched in 2019 as a form of eWallet, allowing users to track their expenses; they can also set up a “Tabung” to save up for big purchases or other financial goals. Since then, Maybank has turned it into a “super app”, adding the ability to buy food and groceries, browse properties and purchase tickets for movies, buses, trains and flights. There’s even a physical MAE card that you can apply for, allowing you to make purchases using the eWallet.
You can still perform online banking transactions through the MAE app, such as transferring money, paying bills and making purchases via QRPay. But these functions are cast off to the side, and in fact, MAE’s online banking features are right at the bottom of both the Maybank website and its listings on the Apple App Store and Google Play Store. This led me to believe MAE is a companion app to M2U MY, rather than being Maybank’s default app—and I’m sure I’m not the only one.
That’s the problem with the “super app” approach favoured by a growing number of companies. Sure, MAE’s broad spectrum of features is nice to have, but as a banking app, I should have my banking functions front and centre. And honestly, who wants to use a Maybank app to buy flight tickets, or a house?
Yes, I understand I sound like a Luddite who’s unwilling to try new things, even if they might actually turn out to be better. And yes, I do have the opposite problem of having too many apps—something that my colleagues have chided me on more than once. So whether you choose to use MAE or M2U MY is purely personal preference. But there’s another, more pressing issue with the MAE app that is inarguable.
MAE isn’t actually more secure
Maybank’s claim that MAE is a more secure app than M2U MY is undermined by one glaring flaw. While a six-digit PIN (or fingerprint or facial recognition) can be used to unlock certain features, for full functionality you’ll need to sign in using your password.
For reasons unbeknown to us, however, Maybank has blocked autofill on its password field, preventing password managers from working properly. If you auto-generated a Maybank2u password and saved it, it won’t show up on your keyboard.
This means you’ll have to go to the manager app you’re using (or the phone’s settings if you use iCloud Keychain or Google Password Manager), copy the password, then go back to the MAE app to paste it. This discourages people from using an auto-generated complex password in favour of something that’s easy to remember, ironically making the app less secure than M2U MY.
Now, some users have remarked that certain password managers like SafeInCloud Pro do work as intended, while others like Bitwarden on Android will pop up the password instead of autofilling it. But these seem to be exceptions rather than the rule—in our experience, MAE doesn’t play nice with either 1Password or iCloud Keychain.
Unfortunately, Maybank is not alone in this. Banks tend to block autofill, with one user pointing out that CIMB, Hong Leong Bank, Tabung Haji and Bank Islam all implement some form of blocking. And it’s not just local banks that are guilty of this.
According to CNET, an Australian bank, CommBank, once actively discouraged password managers, saying that while it saw the value in these services, hackers could trick customers into revealing their passwords through sophisticated phishing schemes. But those are exactly the sort of schemes that password managers are designed to prevent—if the autofill doesn’t pop up, something is up. In any case, forcing users to remember passwords that are likely weak or reused is hardly the last word in safety.
Reminder: Activating Secure2u blocks transactions for 12 hours
Regardless of what you feel about the MAE app, you’ll need to be braced for a bit of a wait before you can use it on your new phone. Starting last week, Maybank implemented a 12-hour activation period, which comes into effect whenever you enrol a new device into Secure2u. This effectively puts a freeze on all banking transactions that require authorisation, with the exception of transfers marked as favourites.
This happened to me this week when I was making a purchase at a shop that inexplicably only accepted bank transfers and not cards—requiring a slightly embarrassing walk to the nearest ATM. It’s unfortunate that users will likely only encounter this when they need to make transactions the most, which is why we’re reminding you to activate Secure2u (or your bank’s own two-factor authorisation) as soon as possible if you bought a new phone, lest you end up in the same situation.
To do so through the MAE app, tap on “More” on the bottom navigation bar, then “Secure2u”. You will then need to tap on “Activate Now,” confirm your number and wait for the OTP SMS (oh, the irony). After that, input your IC number, passport number or any other ID number registered to your account, then assign a name to your device. Then you’re done!
Maybank says the 12-hour “cooling-off” period, as mandated by Bank Negara, gives users time to retrieve the phone or report it as stolen if the device falls into the wrong hands; CIMB added a similar system recently for its SecureTAC feature. Not all banks have to implement a 12-hour period—Public Bank’s Secure Sign requires you to go to an ATM or branch to activate it. It’s an old-school method, but one that’s perhaps more secure, as it requires you to actually be present for authorisation.