Tembo account security

Comments

  • Eyeful
    Eyeful Posts: 924 Forumite
    Fourth Anniversary 500 Posts Name Dropper
    Joe901 said:

    With Tembo, if you have access to the 'username' (email) then you also have access to the password. That just seems very, very wrong. 
    I understand your concern.
    Maybe then you should concentrate on making sure that no one has access to that email address.

    Some suggestions:
    1. Use an Email address that is only used for Tembo
    2. Use passwordless sign-in to that Email address, on either Outlook, Gmail or use a Yubikey.
    3. Alternatively use the double blind method, on your email address:

    https://www.youtube.com/watch?v=boj9q26gadE

     
  • friolento
    friolento Posts: 2,278 Forumite
    1,000 Posts First Anniversary Name Dropper Photogenic
    Joe901 said:
    friolento said:
    Joe901 said:

    With Tembo, if you have access to the 'username' (email) then you also have access to the password. That just seems very, very wrong.  
    I don’t understand what you mean. To get at the code sent by email, you need to have access to the email account, which presumably you have secured with 2FA? If not, why not?
    The Tembo account only works through a phone/tablet app - you can't log in outside the app (I suppose a PC Android emulator, for example, might be made to work). If someone got hold of your phone and unlocked it (or it was unlocked) then the phone's own email is the 'username', which most phones will auto-populate to make it even easier, though viewing the Google email on your phone is simple. The password/'magic number' is then auto sent to you by Tembo - using this same email - every time you log in, thus, it will pop up automatically as a new email notification. But I'm needlessly overcomplicating this - don't overthink -->

    The whole point I'm trying to get across is that Tembo is using ONLY an email address as a (traditional) username...and then sending the password to that SAME email address. Focussing only on that and comparing it to a 'traditional' Username/Password where the Username is NOT hard-connected to the Username - thus, it is not delivered to you on a plate - and hopefully you see the backward step.

    Apologies but I cannot follow you, or see any backwards step. The email address Tembo sends anything to is the email address you have registered with them. Nobody can get into my email account on my phone without knowing the 2FA information. I have never heard of an email account that is automatically accessible on an unlocked phone. Unless, obviously, the user is negligent enough not to protect their email account with login information.

    I am now out of this thread.
  • ToastLady
    ToastLady Posts: 455 Forumite
    Tenth Anniversary 100 Posts Name Dropper
    Don't know if this will help or not, but I put another lock on all my banking apps on mobile phone. You'd have to check your own individual phone for how to do this. On mine (Xiaomi) there is the option of facial ID, fingerprint or PIN. Obviously if you choose the latter, it would be different to those you use for lock screen and banking apps. It just makes things a bit more of a fuss, but security is all too important for banking.
  • Zaul22
    Zaul22 Posts: 379 Forumite
    100 Posts Second Anniversary Name Dropper
    The point OP is making is customers should not have to mitigate one step security. Apps should be forced to prevent it in the first place. If everyone lets this laziness slip, more and more providers will do it, which is already happening. 
  • ToastLady
    ToastLady Posts: 455 Forumite
    Tenth Anniversary 100 Posts Name Dropper
    Zaul22 said:
    The point OP is making is customers should not have to mitigate one step security. Apps should be forced to prevent it in the first place. If everyone lets this laziness slip, more and more providers will do it, which is already happening. 
    I totally agree with you, it seems very slipshod and certainly not security conscious to me. Putting on another layer of your own security though, might give a bit of peace of mind.