Friday, 16 December 2016

How not to do 2FA?

We have purchasing cards with Barclays and the statements come in on a web portal.

The site has a secondary question, which I think they pick from various questions that were asked when originally set up.

So, I logged in, and was asked the extra security question, and got it wrong. The problem is that it was "What is your mother's middle name?". This is a horrid question! (a) not everyone has a middle name, and (b) she has two of them. So I forgot what I had put originally and got it wrong.

So, locked out. Great.

I have spent literally a month trying to get it sorted, with email replies taking a week and eventually a lot of phoning and getting our business relationship manager to chase; finally, the login was reactivated. Not a good user experience at all.

Same question, same mistake, locked out again, arrrrg!

OK, one more time with the shouting and chasing, and what do I get?

Seriously?


Yes, an unsigned, unencrypted, plain text email with a plain text password quoted that is valid for 2 months! (Yes, I have changed it).

Anyway, this time I guessed the right answer to the question.

To be fair, a password reset process is tricky. We send a link that is valid for a few hours, but in a way that too is as good as plain text, as someone could use it. It just seems so very wrong to send a plain text password by email. I am glad we are setting up the proper 2FA stuff on our systems.
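The difference the paragraph draws, a reset link that dies after a few hours versus a password that stays valid for two months, comes down to how the reset token is issued and checked. What follows is an added Python example, not code from this blog or from the bank's portal; the in-memory store, the three-hour lifetime, the clock abstraction and the user ids are assumptions. The link carries a random token, the server keeps only a hash of it, and each token is single-use and rejected once the time limit has passed, so neither a leaked mailbox nor a leaked token table stays useful for long.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed lifetime for the emailed link, matching the post's "valid for a few hours".
RESET_TOKEN_TTL_SECONDS = 3 * 60 * 60


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


class FakeClock:
    """Adjustable clock so expiry can be exercised without sleeping (test aid)."""

    def __init__(self, start: float = 1_000_000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


class ResetTokenStore:
    """Stand-in for a database table of outstanding password-reset tokens.

    Only a SHA-256 hash of each token is stored, so a copy of this table does
    not let anyone complete a reset; the raw token exists only in the email.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._records: Dict[str, ResetRecord] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, ttl: int = RESET_TOKEN_TTL_SECONDS) -> str:
        """Create a fresh token for user_id; return the raw token to put in the link."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[self._hash(token)] = ResetRecord(user_id, self._now() + ttl)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the user id if the token is known, unexpired and unused.

        A successful redeem marks the token used, so the same link cannot be
        replayed even inside its lifetime.
        """
        rec = self._records.get(self._hash(token))
        if rec is None or rec.used or self._now() > rec.expires_at:
            return None
        rec.used = True
        return rec.user_id


def reset_link(base_url: str, token: str) -> str:
    """Build the URL that goes into the email (base_url is an assumed value)."""
    return f"{base_url}/reset?token={token}"


if __name__ == "__main__":
    store = ResetTokenStore()
    tok = store.issue("user-42")  # constructed user id
    print("email this link:", reset_link("https://portal.example", tok))
    print("first use:", store.redeem(tok))   # user-42
    print("second use:", store.redeem(tok))  # None: single-use
```

The emailed link is still a bearer secret while it lives, which is the point the paragraph concedes, but the window is hours rather than months, one use ends it, and the server side holds nothing that can be replayed.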

Even so, this looked so much like some sort of spam I nearly deleted it.

2 comments:

  1. I always make up total lies now to the kind of questions like your mother's maiden name - don't want that to be leaked to staff who I don't trust - and to annoying questions that don't even have answers, especially if you're not american (all people are) and if you were not brought up in a city (people only live in "cities"). I of course write down the questions and answers and store them somewhere secure.

    I've started using a couple of apps on my iPad, the standard Apple Notes app and also a third-party password management app which is very flexible and good for storing all kinds of details not just passwords and which integrates with Safari well.

  2. And yet some places go to the polar opposite - one bank I've dealt with have password reset emails that are only valid for a couple of minutes. Completely bonkers that they seem to be under the impression that emails are always delivered instantly (makes it impossible to reset my password without first sshing into my mail server and turning off greylisting!)
