QF trialling two-factor authentication for QFF accounts

[MikeG]

I think just beefing up their password strength and requiring password changes every 12 months would be enough.

Also if the user logs in from a new IP address, certainly have an email confirmation sent, which the user needs to click a button in the email to allow that IP address access would be enough to cater for hack attempts. Of course, if someone wants into your account bad enough they can spoof your IP address or hack your email to work around this - nothing is infallible, but you want to ensure you make it hard for them without adversely affecting the user experience (which Qantas obviously doesn't really understand)

 

[Daver6]

i think 2FA is a good idea.

There are several ways this can be achieved. I think the best is not to uses SMS because travellers often use different sim cards.
I use a disconnected security token which is a device supplied by the bank. It regular intervals it generates a code which is used to authenticate. On the other hand connected security tokens also exist but require connection to the computer. However because if mobile devices these are not favoured

Alternatively smartphone apps can also generate such codes such as Entrust IdentityGuard Mobile ST. These apps are linked into the website authentication at setup by IT (you have to use the token app required by IT - can't use any app). These do not need sms. I use this to login into a secure work intranet from anywhere. To login here I need to enter username, password and security token code

But setting up millions of customers with a security token app is not going to be easy - so gradually introduce it for FF members who hit 100000 points

Of course if you lose your phone.....

Or just use Google Authenticator which is a disconnected security token. Simple and no problem setting up millions of customers on the same day.

 

[Pushka]

Just received a phone call from the media team and can confirm it is rolling out to all. The person I spoke to had also been selected and is also having issues. Feedback has been sent to Qantas with little effect it seems. Trial started in March 1.

 

[opusman]

So instead of fixing their coughpy PIN-based security and introducing proper, strong passwords they decided to shift the burden onto the customer. Nice.

 

[Pushka]

So instead of fixing their coughpy PIN-based security and introducing proper, strong passwords they decided to shift the burden onto the customer. Nice.

Yep. The social media crew know about the issues and management are not budging on the roll out.

 

[QF WP]

Not that I understand any of the It-speak, but it sounds like QF have made a decision and like the runaway train, will only realise what they have done when it wrecks (not fixing the brakes aka password issue). Right, my goal is to make sure I never have to use it, or switch even more of my flying to VA.

 

[Pushka]

Not that I understand any of the It-speak, but it sounds like QF have made a decision and like the runaway train, will only realise what they have done when it wrecks (not fixing the brakes aka password issue). Right, my goal is to make sure I never have to use it, or switch even more of my flying to VA.

I am now having to use the dual log in every single time whereas before it was more random. I can however make bookings using the APP without it. Damn annoying and yes it will be a train wreck. They have not asked for any feedback whatsoever from Pilot testers and if it all goes to sh#t it serves them right. They are worse than our politicians. The Social Media team are very aware of the issues and have fed that back to the boffins so there can be no excuse from the boffins that the issues were not anticipated. How will travel agents make bookings now without passengers having to give all their details as they certainly wont be holding customers mobile phones.

 

[oz_mark]

How will travel agents make bookings now without passengers having to give all their details as they certainly wont be holding customers mobile phones.

Unless you are making an award booking, you don't need to be logged into anyones FF account.

 

[Pushka]

Unless you are making an award booking, you don't need to be logged into anyones FF account.

We log in as a matter of practice and all details then are pre-filled. Saves any incorrect spelling etc. or incorrect number entry.

 

[cgichard]

Will this affect use of the Qantas Cash (debit) card? That's the only part of Qantas that I use, having bailed out years ago from flying with them.

 

[straitman]

Will this affect use of the Qantas Cash (debit) card? That's the only part of Qantas that I use, having bailed out years ago from flying with them.

Maybe you should look at this thread.

Qantas Cash ripoff...

 

[drron]

Well this is not good.I have to have a code for new payments using netbank.The SMS basically doesn't work for us overseas.

 

[cgichard]

Thanks, Straitman. I had missed that thread. I know the Citibank card is regarded as a better option, but I couldn't sign up for that without a mobile number. I don't use the Qantas card in Australia, but I like being able to load it up with euros before I travel, and then not have to think about exchange rates at all while I'm away.

 

[coriander]

Well this is not good.I have to have a code for new payments using netbank.The SMS basically doesn't work for us overseas.

Actually, Ron, this is not quite correct. Netbank is actually one of the best online banking services around. Authentication for new payments using Netbank is via a 6-digit code sent to your Commbank App on your phone. As long as you have connectivity (wifi or 3G/4G), you'll instantly get the required code. When I'm in the US, I use t-mobile sims, but never miss a required code (I usually have to log on to pay staff and urgent invoices whilst away).

Citibank has an (OneTimePin) OTP generator in its smartphone app which works well when OS......... that is, until Citibank issues an update to its app: this breaks the OTP generator and you need to receive a new code by SMS to re-initialise the OTP generator. The updates are pushed to your phone and you can't (or I haven't found out how to) disable the updates in Settings. At least they'll give you a free hardware dongle on request if you need to rely on Citibank's OTP for making payments whilst overseas.

 

[drron]

But no commbank app on the flip phone I have.

 

[Jet L]

But no commbank app on the flip phone I have.

Ask commbank for a code generator keychain thing if they don't issue them anymore then maybe its time for a phone upgrade...

 

[Bazzi]

QFF Account OTP verification

Logged into my QFF account this morning and had to verify the account with an OTP sent to mobile. I've logged in this account (and partner's acct) a few times over the last week and this hasn't happened before. Is this new? Targeted? Signed out and back in and same, same.

If you can't access the OTP, the other choice to verify is mother's maiden name, postcode, DOB and month and year you joined QFF!

 

[straitman]

Re: QFF Account OTP verification

Logged into my QFF account this morning and had to verify the account with an OTP sent to mobile. I've logged in this account (and partner's acct) a few times over the last week and this hasn't happened before. Is this new? Targeted? Signed out and back in and same, same.

If you can't access the OTP, the other choice to verify is mother's maiden name, postcode, DOB and month and year you joined QFF!

The year you joined Qantas :?: Wow :!:

(I know it's on the FF card)

 

[Bazzi]

Re: QFF Account OTP verification

The year you joined Qantas :?: Wow :!:

(I know it's on the FF card)

Yeah, I know! just wondered how many people would know that off the top of their head! I never carry the card with me, surprised to find I've been a member since 1995!

 

[mviy]

Re: QFF Account OTP verification

There's a long thread on this: http://www.australianfrequentflyer....rialling-two-factor-authentication-81325.html

It would be nice if QF offered a more readily accessible two-factor option that didn't require a mobile that may not work overseas and also didn't require remembering when you joined the program.