SMS Login Verification - Argh

Status
Not open for further replies.
Just got a dual sim phone and not expensive, Samsung A51. Desperate to try it out in OZ. Was going to but travel was cancelled at the last minute a week before the lockdown on both sides of the Tasman.
 
You're missing the point of multi-factor authentication. The idea behind it is there are two different factors. Something you know, your password/pin/answers to questions and something you have, your phone.
This article sums up the issues with SMS fairly well: NIST Plans to Drop SMS for Two-Factor Authentication | Pindrop

You see how we are just going around in circles?

I am not missing the point, I completely get the technical points. Which is why the discussion here is so stupid.
  • My random password generated by Keepass could be stolen.
  • challenge questions could be guessed
  • SMS verification could be stolen because your phone number could be ported away, and changing a SIM card is too bloody hard.
  • Let's install a key gen app on the phone, so it would be easy to log in. Except, the next person who saw you using your phone, saw you unlock your phone, then steal it from you. 1 single weak point, and that person would unlock every internet account you have, because everything is on your phone.
  • people installing dodgy apps on phone (WeChat TicToe), or go to dodgy web sites on their computer.
How about we just don't use security then?

While this discussion is going round and round in circles, people are right now using 1 or 2 simple passwords for every single internet account! Then they criticise people who try so hard trying to stop them from doing this stupid practice. We could eliminate most security hoops we make people jump thru, if people just use a password manager and set password expiration dates for them. This would eliminate 99% of the chance of an account being compromised.

This is like, OMG, the banks are ripping us off! They never follow interest rate reductions, they always charge so many fees. The big 4 banks are just taking and taking my money!!! Meanwhile, as people complain, they stay with their banks, to keep giving their money to the banks. OMG, the banks are taking my money, while I stay to give them more of my money!

OMG, Qantas is making it harder and harder for me to log in, while I keep sharing my password across all my accounts, and they make it even harder, while I make my password even more simple, while I try to bypass even more security!
 
  • My random password generated by Keepass could be stolen.
  • challenge questions could be guessed
  • SMS verification could be stolen because your phone number could be ported away, and changing a SIM card is too bloody hard.
  • Let's install a key gen app on the phone, so it would be easy to log in. Except, the next person who saw you using your phone, saw you unlock your phone, then steal it from you. 1 single weak point, and that person would unlock every internet account you have, because everything is on your phone.
  • people installing dodgy apps on phone (WeChat TicToe), or go to dodgy web sites on their computer.
How about we just don't use security then?

There is no such thing as a completely secure system, but that's not a reason to say we shouldn't attempt to secure them as best we can using the tools we have available. Qantas trialing 2FA in 2018 was late, but a step in the right direction. Now offering TOTP is again a further step in the right direction.

Is it wrong to critique the security culture of an organisation which generates a significant amount of revenue from selling data?

Which is why the discussion here is so stupid.

This is like, OMG, the banks are ripping us off! They never follow interest rate reductions, they always charge so many fees. The big 4 banks are just taking and taking my money!!! Meanwhile, as people complain, they stay with their banks, to keep giving their money to the banks. OMG, the banks are taking my money, while I stay to give them more of my money!

Pot, meet Kettle.
 
There is no such thing as a completely secure system

Of course not.

but that's not a reason to say we shouldn't attempt to secure them

We would not have this thread, if people weren't complaining about Qantas introducing SMS back in 2018/2019. In fact, if you read my posts back in 2019, you will see that I was the one who hit back (plus a few others), that people here complaining about QF tightening security, while also complaining about, or disputing the fact that, QF accounts have been hacked and QF points stolen.

Is it wrong to critique the security culture of an organisation which generates a significant amount of revenue from selling data?

Not if it is constructive, but this thread isn't, this thread is a whine thread, where QF gets hammered regardless of what they do.

I don't particularly like Qantas, and I think their QF FF is cough; but the complaints here are just ridiculous.

There is nothing wrong with critiquing banks charging high fees high interests, calling them out, and find ways to beat them; but if people just keep saying they are being charged fees while at the same time giving more and more of their money to their banks, then it is just stupid people doing stupid things.
 
In fact, if you read my posts back in 2019, you will see that I was the one who hit back (plus a few others), that people here complaining about QF tightening security, while also complaining about, or disputing the fact that, QF accounts have been hacked and QF points stolen.

I think you'll find the complaints back then weren't about tightening security, but rather that Qantas weren't following best practices in doing so.

I recall the majority of complaints were against the use of SMS specifically - it's widely considered one of the least secure 2FA delivery methods, and requires roaming when overseas.

Not if it is constructive, but this thread isn't, this thread is a whine thread, where QF gets hammered regardless of what they do.

I'm not sure who you are referring to as "hammering" QF on today's change? The general consensus on implementing TOTP has been positive?

There is nothing wrong with critiquing banks charging high fees high interests, calling them out, and find ways to beat them; but if people just keep saying they are being charged fees while at the same time giving more and more of their money to their banks, then it is just stupid people doing stupid things.

I don't disagree with you, but the banking sector has absolutely nothing to do with this thread.
 
Anyway, I haven't received the verification email from Qantas.
If you are on prepaid, and not topped up, with the Aust major phone companies, you get given a grace period of 6 months to top up, and then you will lose your number.
I have got 2 prepaid broadband sim devices, and thought, umm, that is too expensive to support, so one will do.
Still had some credit, not much, so thought I would do an experiment.
Telstra gave me 3 months to top up, I didn't so the number in the end, disappeared from my listing.
They do say that as Aust mobile phone numbers are limited, they can and will be reissued to someone else.
It's a pity that you don't/didn't top up, so even though QFF might have your "former phone number", it's very likely that that number has been issued to someone else, if you haven't topped it up in a while.
 
I'm not sure when QF allowed authenticator apps to be used instead, but saw it in my April account summary and have switched to that now, as 1Password works really well for me! Just need to get my family switched over now and all will be well... so much easier to finally manage their accounts for them (shared vaults).
 
dual-SIM phones are still not that common (iPhone has never had them).

Not true

Current version of iPhone supports dual SIM capability. One physical, one logical. Many phone companies supply logical SIMs (including those selling multi country travel SIMs).
 
If you are on prepaid, and not topped up, with the Aust major phone companies, you get given a grace period of 6 months to top up, and then you will lose your number.
I have got 2 prepaid broadband sim devices, and thought, umm, that is too expensive to support, so one will do.
Still had some credit, not much, so thought I would do an experiment.
Telstra gave me 3 months to top up, I didn't so the number in the end, disappeared from my listing.
They do say that as Aust mobile phone numbers are limited, they can and will be reissued to someone else.
It's a pity that you don't/didn't top up, so even though QFF might have your "former phone number", it's very likely that that number has been issued to someone else, if you haven't topped it up in a while.
My prepay is with Optus so I better do a topup even if I don't use it.
Still waiting on the verification email, but all my devices are active in QF and haven't needed to verify for a long time now.
 
Not true
Current version of iPhone supports dual SIM capability. One physical, one logical. Many phone companies supply logical SIMs (including those selling multi country travel SIMs).
Also the Motorola G series have provided twin SIM, plus a memory card capability for the past several years. And for less than half the price of an iPhone.
 
I really don't know what the fuss is about.
I've never had problems with the verification. OK, so it can be annoying to answer the questions if you are not near your registered phone, but it's not a biggie. As I said before I've not had to answer the verification questions for a while.
As to dual sims phone, it's not difficult to shop around and see what is out there.
We need to chill out on this.
 
Does anyone have advice on which authenticator app is best or are they all much the same? I use an iPhone XS Max.
 
Does anyone have advice on which authenticator app is best or are they all much the same? I use an iPhone XS Max.

It's based off an industry standard called TOTP (RFC 6238 if you want to look it up). A number of clients will work and they all work very similarly:

- Google Authenticator
- Microsoft Authenticator
- Authy
- Duo
- 1Password's TOTP field

Among others.
 
Does anyone have advice on which authenticator app is best or are they all much the same? I use an iPhone XS Max.

I like Authy for the fact it can back up and sync between devices. I previously used Google Authenticator but it is royally painful if you get a new phone or worse, lose your old one.
 
I hate QF two factor authentication. I am P1 so (used to) travel and therefore book a lot. I believe I have strong passwords already and have no desire to waste the time on waiting for an sms or a confirmation code. I already established fake challenge answers on all my accounts years ago so have taken precautions way ahead of QF. QF didn't offer a choice about it and as others have mentioned it is particularly annoying when overseas if not using an Australian sim. So if I am prepared to take the risk with one strong password then why irritate me every time I make a booking Qantas? Or offer me an email option that is just click and go & not necessarily related to the phone. Would be nice to think QF would be using this downtime to be thinking about their customers for a change rather than what is convenient for them. Australian banks do the same whereas my US banks also offer email options.
 
I hate QF two factor authentication. I am P1 so (used to) travel and therefore book a lot. I believe I have strong passwords already and have no desire to waste the time on waiting for an sms or a confirmation code. I already established fake challenge answers on all my accounts years ago so have taken precautions way ahead of QF. QF didn't offer a choice about it and as others have mentioned it is particularly annoying when overseas if not using an Australian sim. So if I am prepared to take the risk with one strong password then why irritate me every time I make a booking Qantas? Or offer me an email option that is just click and go & not necessarily related to the phone. Would be nice to think QF would be using this downtime to be thinking about their customers for a change rather than what is convenient for them. Australian banks do the same whereas my US banks also offer email options.

They just launched TOTP auth, which negates these concerns. There is no wait time for TOTP.
 
I hate QF two factor authentication. I am P1 so (used to) travel and therefore book a lot. I believe I have strong passwords already and have no desire to waste the time on waiting for an sms or a confirmation code. I already established fake challenge answers on all my accounts years ago so have taken precautions way ahead of QF. QF didn't offer a choice about it and as others have mentioned it is particularly annoying when overseas if not using an Australian sim. So if I am prepared to take the risk with one strong password then why irritate me every time I make a booking Qantas? Or offer me an email option that is just click and go & not necessarily related to the phone. Would be nice to think QF would be using this downtime to be thinking about their customers for a change rather than what is convenient for them. Australian banks do the same whereas my US banks also offer email options.

Also you don't need to re-authenticate with a SMS or TOTP if using the same browser and computer (assuming cookies are enabled).
 
When I saw the headline "Qantas Enhances Two-Factor Verification" in the AFF Gazette email I thought that meant Qantas now required you to fax a copy of your passport to a 19 number and snail mail a vial of your blood to a Norfolk Island PO Box before allowing you to access your account. 😏
 
I hate QF two factor authentication. I am P1 so (used to) travel and therefore book a lot. I believe I have strong passwords already and have no desire to waste the time on waiting for an sms or a confirmation code. I already established fake challenge answers on all my accounts years ago so have taken precautions way ahead of QF. QF didn't offer a choice about it and as others have mentioned it is particularly annoying when overseas if not using an Australian sim. So if I am prepared to take the risk with one strong password then why irritate me every time I make a booking Qantas? Or offer me an email option that is just click and go & not necessarily related to the phone. Would be nice to think QF would be using this downtime to be thinking about their customers for a change rather than what is convenient for them. Australian banks do the same whereas my US banks also offer email options.

You also do not need overseas roaming enabled to use MFA/2FA apps so there is no cost.
 
How do I get to the page to use Authenticator apps instead? I haven’t had a Qantas email about it.
 