Oblivious
Good Citizen / Bon Citoyen

2FA in Self-Serve Account

Hi,

Just wondering if anyone knows if Public Mobile has plans to implement two-factor authentication (2FA) to the Self-Serve My Account login anytime soon?

Like either a code sent to text message, code sent to email, or an authenticator app?

It seems like a basic security measure these days.


Accepted Solutions
benfatto
Deputy Mayor / Adjoint au Maire

Re: 2FA in Self-Serve Account

Nothing even hinted. So, best you can do is use a fake name on your account and a password used nowhere else. 
Then secure all your bank/PayPal etc. accounts with any 2FA other than SMS where possible. PayPal, for example, accepts Authy.



All Replies
Quigley
Town Hero / Héro de la Ville

Re: 2FA in Self-Serve Account

No plans for that. Sorry

BeachNBeer
Town Hero / Héro de la Ville

Re: 2FA in Self-Serve Account

Would help avoid all the sim jacks.

Staliger
Mayor / Maire

Re: 2FA in Self-Serve Account

@Oblivious for now, it is unknown. Only PM knows that. Maybe in some future this feature would be added.

Korth
Mayor / Maire

Re: 2FA in Self-Serve Account


@BeachNBeer wrote:

Would help avoid all the sim jacks.


Not really. If the attacker already knows the SIM ID, the phone number, the email or password or PIN for the account, and/or "three pieces of private information to confirm identity" then theft of the SIM, the phone number, and the account can proceed anyways.

The only thing 2FA (through the customer phone number) would accomplish is make it easier for the thief to "prove" identity while making it harder for the victim to prove identity - because the victim isn't even aware of the theft until working phone service has been fully transferred to the thief's phone. Unless the 2FA uses some other resource (another email, another phone number) which PM keeps on record for recovery purposes but does not reveal or display anywhere on Self-Serve account.

Putting an extra deadbolt on the front door doesn't add any real security if the backdoor is always left unlocked.

BeachNBeer
Town Hero / Héro de la Ville

Re: 2FA in Self-Serve Account

@Korth Wouldn't the attacker need to log into the account first to change the SIM #? If PM had 2FA, would that not mean the original owner would get the text?

Oblivious
Good Citizen / Bon Citoyen

Re: 2FA in Self-Serve Account


@Korth wrote:

Unless the 2FA uses some other resource (another email, another phone number) which PM keeps on record for recovery purposes but does not reveal or display anywhere on Self-Serve account.


For mobile services, not just Public Mobile, 2FA probably has to be using email, a third-party authenticator app or a hardware key. Email would probably be cheapest.

mh1983
Deputy Mayor / Adjoint au Maire

Re: 2FA in Self-Serve Account

Would be nice to have extra layers of security, for sure.

Meanwhile, I'd strongly suggest using a secure password generator for all your accounts. I use LastPass so it works across platforms, but if you have Chrome or Firefox, those can now auto-generate secure passwords too.

Korth
Mayor / Maire

Re: 2FA in Self-Serve Account


@BeachNBeer wrote:

Wouldn't the attacker need to log into the account first to change the SIM #? If PM had 2FA, would that not mean the original owner would get the text?


Think about it from the thief's perspective. The mental exercise of what you would do to "steal" your own account and phone number.

If you couldn't log in to your account - forgot your password or whatever - then how would you prove your identity to PM? What information would you need to provide, and how could others obtain that information?

And without some sort of physical identity confirmation - face-to-face and photo ID check, etc. - how can PM truly know that a person on the internet is actually who they claim to be?

(I'm ignoring technical "envelope metadata" like IP addresses, etc. We are not obligated to log in from our own devices or home networks, we don't need to use uniquely-fingerprinted hardware or software, we can even use technical things like IP masking and Tor clients and VPNs to retain legal anonymity. And if we have those abilities then so do tech-savvy hackers and thieves.)
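
The disagreement in this thread (whether a second factor on login helps while a separate recovery path exists, and whether a factor tied to the phone number survives loss of the number) can be checked with a small weakest-path model. This is an added example, not part of any post above; the paths, the factor names and the assumption that recovery restores full access are hypothetical and do not describe Public Mobile's actual system.

```python
"""Weakest-path check for account access. Every path and factor name here is an
assumption made for illustration, not Public Mobile's real login or recovery flow."""

def reachable(paths, start):
    """Fixpoint: a path's result is gained once all of its requirements are held."""
    held = set(start)
    changed = True
    while changed:
        changed = False
        for requires, grants in paths:
            if requires <= held and grants not in held:
                held.add(grants)
                changed = True
    return held

def account_paths(second_factor=None, on_recovery=False):
    """Hypothetical account: a login path, a recovery path, and a SIM change."""
    login = {"password"}
    recovery = {"personal_info"}  # the "three pieces of private information"
    if second_factor:
        login.add(second_factor)
        if on_recovery:
            recovery.add(second_factor)
    return [
        (frozenset(login), "account_session"),
        (frozenset(recovery), "account_session"),  # assumed: recovery restores full access
        (frozenset({"account_session"}), "number_control"),  # SIM change in self-serve
        (frozenset({"number_control"}), "sms_code"),  # texts follow the number
    ]

def takeover(holds, **config):
    """True if someone holding only `holds` can reach an account session."""
    return "account_session" in reachable(account_paths(**config), holds)

if __name__ == "__main__":
    sms_both = {"second_factor": "sms_code", "on_recovery": True}
    app_both = {"second_factor": "totp_code", "on_recovery": True}
    scenarios = [  # constructed scenarios: (label, what the impostor holds, config)
        ("no 2FA", {"personal_info"}, {}),
        ("SMS 2FA on login only", {"personal_info"}, {"second_factor": "sms_code"}),
        ("SMS 2FA on login and recovery", {"personal_info"}, sms_code_cfg := sms_both),
        ("SMS 2FA everywhere, number already lost",
         {"personal_info", "number_control"}, sms_both),
        ("app 2FA everywhere, number already lost",
         {"personal_info", "password", "number_control"}, app_both),
    ]
    for label, holds, cfg in scenarios:
        print(f"{label:42} takeover possible: {takeover(holds, **cfg)}")
```

In this model a second factor only changes the outcome when the recovery path also requires it, and only holds up after the number is lost when it does not travel with the number.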
