
2 factor authentication: a solution looking for a problem?

dave0564
dave0564 Posts: 15 Forumite
Fourth Anniversary First Post
edited 4 July 2022 at 8:23AM in Mobiles
I am posting this to the Mobile Phones Board, as this is where I crashed into this issue.

My stepson is in long-term mental health care.  His Mum (my wife) has full control over his affairs (covered by LPA and Deputyship).  This includes managing his mobile phone contract.  He does not live with us, although we are fortunate (in some respects) that he lives not too far away.

Recently, we found that his monthly mobile bill had increased to £17 from £6, overnight as it were.  I thought to access his account to find out what was happening but, although we have the account number and password, the company's introduction of 2 factor authentication meant that they send the relevant code to the mobile phone in question, viz the phone held by my stepson.  For a number of reasons, it would not be appropriate to phone him up and ask him for the code (a suggestion made by the company) to enable access to the account.  Nor are they able to direct the code to an alternative phone.

The outcome is that EVERYONE is now locked out of the mobile phone account, unless we can contrive to get a laptop and the phone in question in the same room at the same time.  And it would be "contrive", as the logistics of getting a mental health patient to cooperate with stuff like this are a challenge.

I have had experience of 2 factor authentication myself.  When on-line shopping, some transactions go through an app which sends me a code which I need to input to authorise the purchase.  This is fine, as I have my mobile and laptop readily available.

Up to a point, fair enough.  On-line security is an issue.  A stolen credit card can be used almost anywhere, considering how prevalent "self-service" and contactless tills are, in addition to online.

But I have never had a text with a 2 factor code while standing at a till in Sainsburys.  I know I need the PIN over £100.

It does rather seem to me that every time IT security is "increased" (passwords, 2 stage checks, 2 factor authentication) it merely operates to exclude a proportion of the population from being able to transact at all.

I would dearly love some IT security professional to explain how this is all supposed to work and what the various industries using 2 factor authentication are doing to recognise that there ARE difficult cases which they need to cooperate in the management of.

Not wanting to be excessively controversial, but 4 hours on live chat without success is certainly frustrating.  



Comments

  • dave0564
    dave0564 Posts: 15 Forumite
    Fourth Anniversary First Post
    Sorry, could this be posted to the Mobile Phones board.  I thought that was what I was doing, but it has ended up in entirely the wrong place.
  • MallyGirl
    MallyGirl Posts: 7,092 Senior Ambassador
    Part of the Furniture 1,000 Posts Photogenic Name Dropper
    I have requested it be moved - I can't do that at the moment.
    I’m a Senior Forum Ambassador and I support the Forum Team on the Pensions, Annuities & Retirement Planning, Loans
    & Credit Cards boards. If you need any help on these boards, do let me know. Please note that Ambassadors are not moderators. Any posts you spot in breach of the Forum Rules should be reported via the report button, or by emailing forumteam@moneysavingexpert.com.
    All views are my own and not the official line of MoneySavingExpert.
  • dunstonh
    dunstonh Posts: 118,583 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Combo Breaker
    This is an EU directive that was delayed due to Covid.   I like 2FA when they let you use third-party authenticators.   Not so keen on the text message method or where they force you to use their own phone app.
    I am an Independent Financial Adviser (IFA). The comments I make are just my opinion and are for discussion purposes only. They are not financial advice and you should not treat them as such. If you feel an area discussed may be relevant to you, then please seek advice from an Independent Financial Adviser local to you.
  • squirrelpie
    squirrelpie Posts: 1,207 Forumite
    Eighth Anniversary 1,000 Posts Name Dropper
    edited 2 July 2022 at 10:31AM
    There was a scary story in the ST about a guy who was mugged and beaten etc until he gave up not only his phone but all his passwords and so forth. He had all his financial life on the phone. The worst part was that not only did the thieves have control over everything but he couldn't get control back because 2FA was sent to the phone.
    For myself, I don't do anything financial on the phone - I do it either in person or on a browser on a PC (which I protect as well as I can of course). I get 2FA codes either as emails or to my landline.
    I'm not happy with the 2FA developments. I would prefer if everybody used a card reader for access control.
  • dave0564 said:
    I would dearly love some IT security professional to explain how this is all supposed to work
    To answer your question, the company is trying to solve the problem of authentication, i.e. making sure that the person who is attempting to access a service is the same person who matches the identity of the account holder. This is done by asking for a series of one or more 'factors':
    - something you know, e.g. a password
    - something you have, e.g. an access card or one time code
    - something you are, e.g. biometrics such as a fingerprint

    In your case, the company is asking for two factors, the password and proof you have the mobile phone. The fact that you cannot gain access to the account does actually prove that the system is working because, by admission, you are not the person who matches the identity of the account holder.

    But that doesn't mean that the design was right in the first place! If the system designers haven't designed for the situation where one identity (you) needs to gain authorised access to the account of another (your SIL) then yes, you are in effect locked out. You also need to recognise that there will be many people who will try to gain unauthorised access to people's accounts on a daily basis for all sorts of illegal activities, so the phone company needs to provide a reasonable level of security against this threat for all customers.

    To put this into perspective, my threat model will be very different to yours, and in the reverse situation, i.e., if someone could gain access to my accounts without my knowledge, I would be livid. Similarly, the threat model is different when you are at the till in the supermarket. You've provided one factor for authentication (the card), and a second for higher value transactions, but the volume of in-person fraud won't be worth the effort or inconvenience of sending codes to each shopper: it is simply cheaper and easier to just refund people when it happens.

    So how to resolve this?
    1) Contact the company in question and be added as an authorised person
    - Maybe there is a phone number you can call and try to get through to a specialist team for these more sensitive topics, or go to a high street shop?
    2) Cancel the account, set up a new one with a different provider and port the number across

  • NedS
    NedS Posts: 4,076 Forumite
    Fifth Anniversary 1,000 Posts Photogenic Name Dropper
    There was a scary story in the ST about a guy who was mugged and beaten etc until he gave up not only his phone but all his passwords and so forth. He had all his financial life on the phone. The worst part was that not only did the thieves have control over everything but he couldn't get control back because 2FA was sent to the phone.
    For myself, I don't do anything financial on the phone - I do it either in person or on a browser on a PC (which I protect as well as I can of course). I get 2FA codes either as emails or to my landline.
    I'm not happy with the 2FA developments. I would prefer if everybody used a card reader for access control.
    I see 2FA as essential. I think there's a serious case of complacency slipping in for the older generation, and a complete failure to grasp the risks for the younger generation. I'm of the 'older generation' and remember a time thinking I'm never doing anything financial online, and later 'on a phone' as it's simply not safe. Same with contactless payments. Now, a few years on, I'm doing all those things without so much as a second thought. And for the younger generation, they have never known any different.
    The simple fact is that single factor authentication (normally something you know - password, PIN, memorable information etc) is far too easily compromised, such that additional layers of complexity are essential.
    I agree having your financial life on your phone protected by nothing more than a password/PIN and/or thumb print is inherently risky as your ST story illustrates.

  • QrizB
    QrizB Posts: 15,246 Forumite
    10,000 Posts Third Anniversary Photogenic Name Dropper
    There was a scary story in the ST about a guy who was mugged and beaten etc until he gave up not only his phone but all his passwords and so forth.
    xkcd 538 covered this quite effectively.

    N. Hampshire, he/him. Octopus Intelligent Go elec & Tracker gas / Shell (now TT) BB / Lebara mobi. Ripple Kirk Hill member.
    2.72kWp PV facing SSW installed Jan 2012. 11 x 247w panels, 3.6kw inverter. 33MWh generated, long-term average 2.6 Os.
    Not exactly back from my break, but dipping in and out of the forum.
    Ofgem cap table, Ofgem cap explainer. Economy 7 cap explainer. Gas vs E7 vs peak elec heating costs, Best kettle!
  • squirrelpie
    squirrelpie Posts: 1,207 Forumite
    Eighth Anniversary 1,000 Posts Name Dropper
    xkcd is always good. :) The point of the tale was not so much about the fact you can be mugged though. It was rather about the apparent fact that he wasn't able to recover access to his accounts in any straightforward way, thanks to 2FA security. As tafelmoneysaver said, the system design is wrong.
  • marlot
    marlot Posts: 4,956 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    Could you use an app to autoforward the text to you by email?

    eg. https://www.autoforwardtext.com/

    (I've not used this app, so not a recommendation of it over any other) 
  • squirrelpie
    squirrelpie Posts: 1,207 Forumite
    Eighth Anniversary 1,000 Posts Name Dropper
    marlot said:
    Could you use an app to autoforward the text to you by email?

    eg. https://www.autoforwardtext.com/

    (I've not used this app, so not a recommendation of it over any other) 
    Not available for iPhones.