
TFL account login


adamskiodp

Member
Joined
16 Sep 2011
Messages
220
Location
Buckinghamshire
Hi folks and a Happy New Year.

I’ve just received an email from TFL saying that I will soon need to use a verification code that will be sent to my mobile phone before I can log into my account to top up my Oyster card and look at the transaction history.

What happens to those that don’t have a mobile phone? How would those people access their Oyster account? I can’t see any solution on the website and am awaiting a reply from TFL’s Twitter account.

Surely TFL won’t be discriminating against those that don’t have a mobile phone, or have a disability that prevents them using one?

Hopefully I am missing something really obvious and I won’t be locked out of my TFL account if I lose my phone?
 

Mike395

Forum Staff
Staff Member
Administrator
Joined
23 May 2009
Messages
3,101
Location
Bedford
Two-factor authentication (the technical name for what they're essentially forcing) is a good thing generally - but agree sites that offer SMS-based auth as the only option are problematic so yes, good idea to be asking the question. They should also be offering token-based 2FA as an option also (and that token can be generated by software on a desktop/laptop PC if necessary, so no need to have a mobile phone).
 

adamskiodp

Member
Joined
16 Sep 2011
Messages
220
Location
Buckinghamshire
> Two-factor authentication (the technical name for what they're essentially forcing) is a good thing generally - but agree sites that offer SMS-based auth as the only option are problematic so yes, good idea to be asking the question. They should also be offering token-based 2FA as an option also (and that token can be generated by software on a desktop/laptop PC if necessary, so no need to have a mobile phone).

Thanks Mike.

Not sure why they can’t also send the code via email as I check my TFL account on my PC?
 

ainsworth74

Forum Staff
Staff Member
Global Moderator
Joined
16 Nov 2009
Messages
28,963
Location
Redcar
> Not sure why they can’t also send the code via email as I check my TFL account on my PC?

Or by phone call. At least one bank I've dealt with in the past would ring you and give you the code via phone call.

There's a number of ways of doing it and if TfL really are only going for SMS that's extremely disappointing and needs raising as an issue.
 

87 027

Member
Joined
1 Sep 2010
Messages
715
Location
London
My BT landline accepts SMS messages - it will ring as for a voice call and then read them out.

Some organisations do send codes by email, but the disadvantage security-wise is that an attacker only needs to compromise your PC. SMS-based authentication isn't considered particularly secure either, authenticator apps are better.

The tone of TfL's email is very much 'this is going ahead regardless'
 

Andyh82

Established Member
Joined
19 May 2014
Messages
3,926
How many people use Oyster online to top up their Oyster card, but don't have any kind of mobile phone that receives text messages?
 

OscarH

Member
Joined
15 Sep 2020
Messages
853
Location
Crawley
Long overdue, 2FA should have been supported long ago. Unbelievable to only offer SMS in this day and age though, should be authenticator apps minimum, and really FIDO (eg Yubikeys) too
 

Elecman

Established Member
Joined
31 Dec 2013
Messages
3,198
Location
Lancashire
> Long overdue, 2FA should have been supported long ago. Unbelievable to only offer SMS in this day and age though, should be authenticator apps minimum, and really FIDO (eg Yubikeys) too

Asda have just done exactly the same: SMS only.
 

Thirteen

Established Member
Joined
3 Oct 2021
Messages
1,510
Location
London
If I was being cynical, it does strike me as TfL trying to push more people towards contactless.
 
Joined
7 Jan 2009
Messages
946
OK, but you would still need a TfL account to work out what the faceless, contactless backoffice has lifted from you so you would still be stuck. I would have thought a confirmation phone call would have been enough for 2FA, it's not like TfL is offering you banking services ie. can't do that much even if you do get access to an account. Their IT department has won out over the TfL people that have to deal with the public, I suspect!
 

AM9

Veteran Member
Joined
13 May 2014
Messages
15,218
Location
St Albans
> OK, but you would still need a TfL account to work out what the faceless, contactless backoffice has lifted from you so you would still be stuck. I would have thought a confirmation phone call would have been enough for 2FA, it's not like TfL is offering you banking services ie. can't do that much even if you do get access to an account. Their IT department has won out over the TfL people that have to deal with the public, I suspect!

Why? Yesterday I travelled from Wembley Park to North Greenwich and back using contactless. The fare should be £3.10 each way and it will be simple to check that on my credit card account at the end of the month. If I want I can log in in a couple of days to check that. If I need to query any charge it will be against the card number, not an account that I might hold with TfL.
 

PeterC

Established Member
Joined
29 Sep 2014
Messages
4,368
> Why? Yesterday I travelled from Wembley Park to North Greenwich and back using contactless. The fare should be £3.10 each way and it will be simple to check that on my credit card account at the end of the month. If I want I can log in in a couple of days to check that. If I need to query any charge it will be against the card number, not an account that I might hold with TfL.

And when you get charged something different which journey do you want corrected? You can only find that from your TfL account.
 

AM9

Veteran Member
Joined
13 May 2014
Messages
15,218
Location
St Albans
> And when you get charged something different which journey do you want corrected? You can only find that from your TfL account.

I've only made three contactless journeys since they were introduced.
 

Taunton

Established Member
Joined
1 Aug 2013
Messages
11,097
> Two-factor authentication (the technical name for what they're essentially forcing) is a good thing generally - but agree sites that offer SMS-based auth as the only option are problematic so yes, good idea to be asking the question. They should also be offering token-based 2FA as an option also (and that token can be generated by software on a desktop/laptop PC if necessary, so no need to have a mobile phone).

Two Factor Authentication (TFA) is whoop-de-do for IT geeks, but for the real world in something which is just public facing is a right palaver and nuisance, and turns significant numbers off. It is notably being applied to Oyster transactions, which TfL are keen to get rid of in favour of Contactless, so they couldn't care less if Oyster users reduce.

TFA also means they have to maintain all of your web address, email address, mobile phone number etc in one place at TfL so they can do the cross-check. It is thus dependent on THEIR system being somehow secured and not being hacked, or having IT staff that drop all the files out into a spreadsheet and sell them. We may also notice that TfL have given their IT support out to the bottom bidder. Yeah yeah, value for money, etc, etc ...
 

Roast Veg

Established Member
Joined
28 Oct 2016
Messages
2,247
> Two Factor Authentication (TFA) is whoop-de-do for IT geeks, but for the real world in something which is just public facing is a right palaver and nuisance, and turns significant numbers off. It is notably being applied to Oyster transactions, which TfL are keen to get rid of in favour of Contactless, so they couldn't care less if Oyster users reduce.
>
> TFA also means they have to maintain all of your web address, email address, mobile phone number etc in one place at TfL so they can do the cross-check. It is thus dependent on THEIR system being somehow secured and not being hacked, or having IT staff that drop all the files out into a spreadsheet and sell them. We may also notice that TfL have given their IT support out to the bottom bidder. Yeah yeah, value for money, etc, etc ...

I don't think this argument is nearly enough to suggest that Multi Factor Authentication shouldn't be used. Account fraud is very serious and ultimately inevitable without MFA. It's not loved by us IT geeks for no reason - it almost completely eliminates a class of fraudulent account use that can be devastating to those victims.
 

adamskiodp

Member
Joined
16 Sep 2011
Messages
220
Location
Buckinghamshire
> I don't think this argument is nearly enough to suggest that Multi Factor Authentication shouldn't be used. Account fraud is very serious and ultimately inevitable without MFA. It's not loved by us IT geeks for no reason - it almost completely eliminates a class of fraudulent account use that can be devastating to those victims.

Maybe it should be made optional for those that choose not to have it.
 

Mojo

Forum Staff
Staff Member
Administrator
Joined
7 Aug 2005
Messages
20,803
Location
0035
It can be a pain where it comes through as an SMS as opposed to Email, or some other alternative like iMessage or via an Authenticator app, for when there is no mobile signal, but the data connection is working fine.

I've had problems over the past year getting connected to various services where:
1. I've been abroad and had a foreign Sim card in my phone
2. I've been changing phone networks and waiting for my number to port over; my phone is connected to WiFi so I can get iMessages and Facetime calls but not SMS
3. No phone signal but connected to WiFi
 

Horizon22

Established Member
Associate Staff
Jobs & Careers
Joined
8 Sep 2019
Messages
9,313
Location
London
> Two Factor Authentication (TFA) is whoop-de-do for IT geeks, but for the real world in something which is just public facing is a right palaver and nuisance, and turns significant numbers off. It is notably being applied to Oyster transactions, which TfL are keen to get rid of in favour of Contactless, so they couldn't care less if Oyster users reduce.
>
> TFA also means they have to maintain all of your web address, email address, mobile phone number etc in one place at TfL so they can do the cross-check. It is thus dependent on THEIR system being somehow secured and not being hacked, or having IT staff that drop all the files out into a spreadsheet and sell them. We may also notice that TfL have given their IT support out to the bottom bidder. Yeah yeah, value for money, etc, etc ...

TFA is all over the place and will become increasingly common, so this is hardly some dramatic development. Agreed with others that have posted that different forms of the "two" should be available though.

There are other places to continue to top-up.
 

87 027

Member
Joined
1 Sep 2010
Messages
715
Location
London
> I use the app to top up which I assume won't be affected.

I expect you will be required to log in to the app again and as part of the process taken to a screen where you need to enter the 2FA code.

I agree that 2FA is more secure than reliance on simple user ID/password combination alone but there should be a wider range of options for the 2nd factor than SMS alone. I have a vague recollection that TfL accounts came under sustained cyber attack a year or two ago. I for one would not welcome some imposter poking around in my account and adding their PAYG Oyster to my auto top-up, for example.

More generally with cyber security it is easy to fall into the trap of only thinking about how one's own personal convenience is impacted by additional security measures, without thinking about the attack vectors the additional measures are attempting to address and the downsides if an account is compromised.
 

ainsworth74

Forum Staff
Staff Member
Global Moderator
Joined
16 Nov 2009
Messages
28,963
Location
Redcar
Just realised that I've had the same email (I tend to ignore emails from TfL as they're usually service updates and as I don't live in London mostly irrelevant!) so thought I'd post the text below for anyone who might not have seen it:

Dear X,

We are contacting you to inform you of the introduction of Multi-Factor Authentication (MFA) to TfL Oyster and contactless accounts to help ensure that your account and personal details are kept safe. This update will be launched in early 2023.

As you do today, you will sign in to your TfL Oyster and contactless accounts using your existing email address and password. Following the update, you will be required to set up MFA by providing your mobile number. As part of the update, we have also redesigned some of our website so some screens will look a bit different.

What is MFA?

MFA is an authentication method providing an additional layer of security to the sign in process when you access your TfL account. This is a check to ensure you are who you say you are, when signing into your account.

What does this mean to me?

This means that from early 2023, when creating a new account or signing into an existing account, you will be asked to set up MFA to verify your identity. This is applicable to both the Oyster and contactless websites and the TfL Oyster app. Once MFA setup has been completed, you will receive an MFA challenge every time you sign in to confirm you are who you say you are when accessing your account.

How do I set up MFA?

When you first sign in, you will be prompted to set up MFA by providing a mobile number. A six-digit code will then be texted to you using the mobile number provided. Enter the six-digit code to complete the setup. You can then continue to your account and use your account as normal.

Do I have to set up MFA?

Yes, you must set up MFA to continue using your TfL account.

What if I can't remember my sign in details?

If you don't remember the sign in details of your TfL account, select the 'Forgot your password?' link when trying to sign in.

Further information can be found on our website.

Yours sincerely,

Customer Information Team
Transport for London
 

PeterC

Established Member
Joined
29 Sep 2014
Messages
4,368
I have double checked and don't seem to have had the email. Perhaps my provider thought it so suspiciously spam like that it didn't even make it to the spam folder.

I just hope that this will be instead of the two pages of captcha and not in addition.
 

MikeWh

Established Member
Associate Staff
Senior Fares Advisor
Joined
15 Jun 2010
Messages
8,049
Location
Crayford
> I just hope that this will be instead of the two pages of captcha and not in addition.

My thought exactly. 2FA is likely to be faster than those blessed captchas, especially if you get one wrong.
 

Dave W

Member
Joined
27 Sep 2019
Messages
656
Location
North London
Maybe I'm being a bit cynical also, but of those who login to their Oyster account, how many really, honestly, truly don't have a mobile phone? I work in IT and have dealt with implementing 2FA/MFA before, and I accept, perhaps, that more than one method of authentication would have been more user-friendly.

But the notion that this will alienate swathes of TfL users is utter nonsense. The reason TfL are saying "this is happening, like it or lump it", is because in practice, no one is actually going to lump it. Replace those horrific Captchas with this, and the user experience is simpler.
 

westv

Established Member
Joined
29 Mar 2013
Messages
4,356
I can't remember the last time I logged into my TFL account. I just use my Oyster card as and when needed and it auto tops up when required.
 