QF trialling two-factor authentication for QFF accounts

[Pushka]

The best solution is you don't actually answer the question with the correct answer. Eg, for your mother's maiden name, you just make something up that you'll remember. Means no-one else is going to guess it, as your mother's maiden name is not exactly top secret or difficult to find the answer to.

Therefore, my point is the question asked isn't important. Your nonsense answer is.

Yes. But I must have answered that correctly back in the mid '90's when I started my QFF account when this wasn't on the radar. Too late!

If you have your card on you it's printed there...

Yes. I know that now but often it isn't on me. But something for others to remember from now on if this pilot test is extended.

 

[Daver6]

Yes. But I must have answered that correctly back in the mid '90's when I started my QFF account when this wasn't on the radar. Too late!

Call QF and tell them your mother changed her maiden name

 

[ajd]

I don't recall ever giving them information like that requested. Sure, dob, join date, postcode/address. Information about family? nope.

From the QFF signup form, as of right now:



That said, the use of security questions in general is idiotic and is considered deprecated by just about every IT security practitioner I've heard from. They are nothing more than additional passwords, and it's rather problematic when every other company asks for exactly the same maiden names, first friends and colour of your first car...

 

[Pushka]

Call QF and tell them your mother changed her maiden name

Yeah. That's going to work.

 

[MikeG]

I think keep the 4 digit code or normal password for read-only access, and to change anything 2FA via Qantas App (kinda like CBA do their via the CBA app) and that way it works globally and only when its absolutely necessary.

Currently its screwing with my AwardsWallet membership, as AW polls daily and gets an error because of this silly 2FA to login bizzo.

M

 

[Daver6]

I think keep the 4 digit code or normal password for read-only access, and to change anything 2FA via Qantas App (kinda like CBA do their via the CBA app) and that way it works globally and only when its absolutely necessary.

Currently its screwing with my AwardsWallet membership, as AW polls daily and gets an error because of this silly 2FA to login bizzo.

M

Sounds like are really rolling out a half cough solution here. They need to add the ability to add app passwords for things like AwardsWallet. That or implementing tokenised API access.

I suspect you're actually breaking the terms and conditions by giving out your QF credentials to AwardsWallet. Ie, keeping your password safe.

 

[ajd]

I think keep the 4 digit code or normal password for read-only access, and to change anything 2FA via Qantas App (kinda like CBA do their via the CBA app) and that way it works globally and only when its absolutely necessary.

Currently its screwing with my AwardsWallet membership, as AW polls daily and gets an error because of this silly 2FA to login bizzo.

M

Gee, it's going to be fun when someone compromises AwardWallet or any of the similar services that hold FFP passwords.

 

[ajd]

Sounds like are really rolling out a half cough solution here. They need to add the ability to add app passwords for things like AwardsWallet. That or implementing tokenised API access.

Yeah, you'd want API tokens and/or a "Log in with Facebook"-style OAuth-style system (which I think they've already implemented to some degree for login on qantaspoints.com).

However, is it necessarily in QF's commercial interests to provide an official mechanism for third-party access? I'm not sure...

 

[Pushka]

This for last 24 hours. Getting annoying

 

[greyyy]

¯\_(ツ)_/¯ don't use a service that attempts to log in on your behalf?

As previously mentioned, I'm sure these services (sharing your credentials) are against TOS anyway

 

[Oneworldplus2]

There is much more to 2FA than sending a code via SMS. As I previously mentioned, Google authenticator is one such option. Every 60 seconds it creates a new 6 digit code. No internet connection required for this.

+1

Google Authenticator is brilliant

 

[Miss Arrrr]

A bit late to this thread but one of my parents was included in the trial and is currently overseas and so cranky about the 2FA (and she's the tech-savvy one). She's finding the timing of the SMS too delayed to be useful. Does anyone know if there's an option to opt-out of the trial/revert back to the standard authentication method?

(I'm on the boat that they could have gone with greater password complexity... or something not reliant on SMS as neither of my folks use their phones regularly when travelling - wonderful when I have to get in touch with them too )

 

[Pushka]

Agree re the SMS timing. I was recently overseas and didn't receive the text. So I logged in using the 'alternate' but that process did not log me in properly. I couldn't access anything.

QANTAS - I hate the new process. I'm actually going to tweet that - seems to be the only way to get things sorted.

 

[Vic]

Join month is the same as expiry month, if that helps. At least for me.

 

[Pushka]

Join month is the same as expiry month, if that helps. At least for me.

Yes, you also need the Year of join.

Anyway, just tweeted Qantas and explained the Pilot is a pain in the neck and I want out. Explained some of the issues - eg booking for a third party. While there is an alternate way of logging in it did not work properly for me last week when I was overseas and needed to access my account. My husband's account that isnt part of the trial worked just fine so it was this issue that was causing problems.

Qantas replied to the tweet but clearly had no knowledge of what the trial is about.

 

[Sdtravel]

Qantas replied to the tweet but clearly had no knowledge of what the trial is about.

I cant help but think that the old Red Roo would have that sorted out and fixed in no time.

 

[Pushka]

I cant help but think that the old Red Roo would have that sorted out and fixed in no time.

If it's a full blown trial (and think that's the case) then it is up to the boffins who do all the odd Qantas 'enhancements'. I hate it. If it gets brought into full scale membership then watch this space.

 

[Miss Arrrr]

Sad news for us all - Qantas confirmed in a PM on Facebook that it will be rolled out to all members shortly. The CS rep has yet to address the issues I raised regarding 2FA but I doubt that would be information they'd have on hand.

 

[Quickstatus]

i think 2FA is a good idea.

There are several ways this can be achieved. I think the best is not to uses SMS because travellers often use different sim cards.
I use a disconnected security token which is a device supplied by the bank. It regular intervals it generates a code which is used to authenticate. On the other hand connected security tokens also exist but require connection to the computer. However because if mobile devices these are not favoured

Alternatively smartphone apps can also generate such codes such as Entrust IdentityGuard Mobile ST. These apps are linked into the website authentication at setup by IT (you have to use the token app required by IT - can't use any app). These do not need sms. I use this to login into a secure work intranet from anywhere. To login here I need to enter username, password and security token code

But setting up millions of customers with a security token app is not going to be easy - so gradually introduce it for FF members who hit 100000 points

Of course if you lose your phone.....

 

[MikeG]

AFAIK it's not a trial, it's the new regime...