TFL account login

Status
Not open for further replies.

zero

Established Member
Joined
3 Apr 2011
Messages
1,256
Lose your phone or SIM and you can't log into anything these days.
 
Goldfish62

Veteran Member
Joined
14 Feb 2010
Messages
11,668
I have an online savings account with a building society that uses 2FA via SMS when I log on. There is no alternative way of logging on.
What's the problem? None.

Online banking with my bank uses MFA that requires use of their mobile app to authenticate online payments. No app, no online payments.

People really do sometimes think up showstopper problems where they don't exist.
 

rebmcr

Established Member
Joined
15 Nov 2011
Messages
3,923
Location
St Neots
2FA via SMS when I log on. There is no alternative way of logging on.
What's the problem?
An attacker who is able to impersonate you, can then persuade your mobile phone provider to swap your phone number to the SIM in 'your' 'new phone'.

It's not a hypothetical and has already happened to a fair number of people.
 

Goldfish62

Veteran Member
Joined
14 Feb 2010
Messages
11,668
An attacker who is able to impersonate you, can then persuade your mobile phone provider to swap your phone number to the SIM in 'your' 'new phone'.

It's not a hypothetical and has already happened to a fair number of people.
I was referring to going from no additional authentication to 2FA. That seems to be the issue being discussed here in that some people don't want it.
 

Mikey C

Established Member
Joined
11 Feb 2013
Messages
7,522
I can't remember the last time I logged into my TFL account. I just use my Oyster card as and when needed and it auto tops up when required.
It can be useful or at least interesting to see your journey history. And by logging in you can see if you have any incomplete journeys.

I had a relative over from Asia recently, and by registering her Oyster card under my name, I was able to see two incomplete journeys (only one I had known about), and resolve both on the phone to TfL.
 

Dave W

Member
Joined
27 Sep 2019
Messages
656
Location
North London
An attacker who is able to impersonate you, can then persuade your mobile phone provider to swap your phone number to the SIM in 'your' 'new phone'.

It's not a hypothetical and has already happened to a fair number of people.

And yet this is still more secure than an attacker just getting your username and password and completing the simple Captcha.
 

infobleep

Veteran Member
Joined
27 Feb 2011
Messages
13,416
What is so wrong with offering the option via an authenticator app, in addition to via SMS?

To me, it makes perfect sense. I can't see any downside beyond it will cost more money. Perhaps costing money is the reason.
 

Roast Veg

Established Member
Joined
28 Oct 2016
Messages
2,247
What is so wrong with offering the option via an authenticator app, in addition to via SMS?

To me, it makes perfect sense. I can't see any downside beyond it will cost more money. Perhaps costing money is the reason.
There's nothing wrong with that suggestion, except that the "luddite Grandma" that some people are arguing will be prevented from using the service with MFA would be no more able to use it. Authenticator and phone call seem like fine suggestions for other MFA options to me.
 

zero

Established Member
Joined
3 Apr 2011
Messages
1,256
I don't see why they, and any organisation, can't use email for 2FA. Amex has done so for years. I don't have a problem with an app if the service is already linked to an app (as I can run most apps from my desktop computer).

One of these days I will set up a virtual number that sends texts to my email.
 

Stephen42

Member
Joined
6 Aug 2020
Messages
408
Location
London
I don't see why they, and any organisation, can't use email for 2FA. Amex has done so for years. I don't have a problem with an app if the service is already linked to an app (as I can run most apps from my desktop computer).

One of these days I will set up a virtual number that sends texts to my email.
Email typically is a password rather than requiring the user to have access to something else. In a significant proportion of compromised credential events more than one login is impacted either through password reuse, passwords stored together or email compromised & forgot password journeys used to gain access to other platforms.

2FA with text/push notifications isn't perfect, e.g. phones showing message content including code without being unlocked or physical/virtual theft but attackers in general have to be targeting a particular person rather than an automated system which does most of the hard work.

It's possible the system is being built with an opt-out mechanism that's not advertised, disabling the feature quietly for a small fraction of users avoids attackers putting effort into targeting the platform as it's unlikely any compromised account would have the feature disabled if they even realise such accounts exist.
 

OscarH

Member
Joined
15 Sep 2020
Messages
853
Location
Crawley
I don't see why they, and any organisation, can't use email for 2FA. Amex has done so for years. I don't have a problem with an app if the service is already linked to an app (as I can run most apps from my desktop computer).

One of these days I will set up a virtual number that sends texts to my email.
It's worth noting banks are a terrible example for security practice, I don't know of any that support modern secure 2FA methods. Email is better than nothing, but it's worse than SMS which isn't great itself, so I don't think it's worth implementing as an option for the tiny fraction of people that can't use SMS, especially as some people that could use SMS might then choose the less secure option.

It's even less worth it when they could also implement TOTP codes (the codes apps like Authy generate), which can be generated by a desktop for people who can't use SMS. As a bonus these are far more secure than SMS too (and hence the lack of this option in 2023 is unforgivable on TfL's part in my opinion).
 

vinnym70

Member
Joined
3 Sep 2017
Messages
201
I do wonder why SMS is still so popular. It doesn't take much imagination to see a point in time in the future where SMS is still hanging on for various activities in much the same way as fax machines and cheques remain now. The mere fact that SMS messages are easily crafted with fake numbers really should make companies think about their use for purposes like this.

I also notice there's a parking payment app which currently offers to send you an SMS when your paid parking time is nearly up. Nice feature. Except they charge you 10p per SMS for the privilege of doing this and an in-app notification is probably much more suitable. But, of course, that wouldn't create any revenue.
 

317 forever

Established Member
Joined
21 Aug 2010
Messages
2,897
Location
North West
Even to top up my Oyster card on Thursday with £10 I got a verification code on my mobile. I did not have this when I topped up my pay as you go phone by £10 earlier in the week.
 

Mojo

Forum Staff
Staff Member
Administrator
Joined
7 Aug 2005
Messages
20,803
Location
0035
Even to top up my Oyster card on Thursday with £10 I got a verification code on my mobile. I did not have this when I topped up my pay as you go phone by £10 earlier in the week.
Annoys me when companies do this. My council has just started doing it. What is someone going to do? Hack into my account and pay my council tax bill for me?! They’re more than welcome if so…
 

PeterC

Established Member
Joined
29 Sep 2014
Messages
4,368
Even to top up my Oyster card on Thursday with £10 I got a verification code on my mobile. I did not have this when I topped up my pay as you go phone by £10 earlier in the week.
Three send an authorisation code to my phone if I want to access my account from another device.

I'll have to try accessing my TfL account, I only needed my password when I topped up before Christmas. So far they haven't contacted me about registering a mobile number.
 

stuartl

Member
Joined
10 Aug 2014
Messages
208
Annoys me when companies do this. My council has just started doing it. What is someone going to do? Hack into my account and pay my council tax bill for me?! They’re more than welcome if so…
No, but they could get your details and then use them for fraudulent purposes. If like many people you use the same password for multiple accounts then those could be compromised as well. Although not perfect, 2FA methods give a lot more protection than just passwords.
 

Class800

Established Member
Joined
5 Feb 2020
Messages
2,083
Location
West Country
If the Equality Act still applies - and sometimes I do wonder - surely companies will have to offer an alternative to individuals who cannot use the normal system for reasons of a disability?
 

infobleep

Veteran Member
Joined
27 Feb 2011
Messages
13,416
What does one do if they need to log on to their account at a station and there is no mobile phone reception? Not impossible in London and on O2 many parts of Greater London are busy.

I can make calls over WiFi but I can't send or receive text messages. Nothing I can do about that on O2.

I rarely need to access my account at a station but I did once.
 

Snow1964

Established Member
Joined
7 Oct 2019
Messages
8,071
Location
West Wiltshire
I haven't yet received the email, but do have a TfL account login, not that I have used it since moving from London.

However due to the amount of travel updates (irrelevant since leaving London), did unsubscribe from emails. However do still have Royal Mail forwarding, but seems TfL can't be bothered to write to me to tell me about the changes knowing I am no longer contactable by email.
 

trebor79

Established Member
Joined
8 Mar 2018
Messages
4,730
I hate 2FA via SMS as I get zero mobile signal at home, so it just doesn't work.
 

PeterC

Established Member
Joined
29 Sep 2014
Messages
4,368
I hate 2FA via SMS as I get zero mobile signal at home, so it just doesn't work.
I had that problem for a long time. To log into Internet banking on a good day I had to put the phone in the garden. On a bad day I had to walk to the end of the street.

Now I usually have a good enough connection for SMS but not for a voice call. At least, if I have a signal, the text gets through. Email confirmations are problematic as my provider often decides that they look so dodgy that they won't accept them into their system at all.
 

Mojo

Forum Staff
Staff Member
Administrator
Joined
7 Aug 2005
Messages
20,803
Location
0035
I have no mobile signal at all, but all my calls and texts are received via my wi-fi.
I thought this was standard now.
I can make calls via Wi-Fi but have never had an SMS over Wi-Fi, only iMessage, etc. In any case, many networks, in particular the cheaper ones, do not support Wi-Fi Calling.
 

infobleep

Veteran Member
Joined
27 Feb 2011
Messages
13,416
I can make calls via Wi-Fi but have never had an SMS over Wi-Fi, only iMessage, etc. In any case, many networks, in particular the cheaper ones, do not support Wi-Fi Calling.
Many phones won't support it.

O2 does if you have the right phone but doesn't support SMS over WiFi.

If I was in a design or implementation meeting at TfL, regarding this, it is one of the things I would have raised pretty quickly.
 

BahrainLad

Member
Joined
3 Aug 2015
Messages
384
Why can’t we have Face/Touch ID on iPhone? If it’s good enough to log into my banking apps, surely enough for TfL?
 

infobleep

Veteran Member
Joined
27 Feb 2011
Messages
13,416
Why can’t we have Face/Touch ID on iPhone? If it’s good enough to log into my banking apps, surely enough for TfL?
Probably because it would cost more money. TfL are a public service and not a private bank.
 

OscarH

Member
Joined
15 Sep 2020
Messages
853
Location
Crawley
Why can’t we have Face/Touch ID on iPhone? If it’s good enough to log into my banking apps, surely enough for TfL?
Unless I'm missing something, fingerprint sensors and face ID are usually used for unlocking an app once you've done the initial sign in, so unless the TfL app is asking for an SMS every time it's opened, not just at the frequency it asks for your password, it's not equivalent (though TfL does make you sign in again too often).
 

infobleep

Veteran Member
Joined
27 Feb 2011
Messages
13,416
Sending SMS messages must cost money too!
Good point. One I hadn't thought of. Maybe that is from a different kind of budget or being an ongoing cost is possible whereas the sudden development cost isn't.
Unless I'm missing something, fingerprint sensors and face ID are usually used for unlocking an app once you've done the initial sign in, so unless the TfL app is asking for an SMS every time it's opened, not just at the frequency it asks for your password, it's not equivalent (though TfL does make you sign in again too often).
That is usually the case for first time sign on or maybe if you haven't signed up in a while but otherwise they usually remember.
 