Originally Posted by lopinc1
If you were already logged in (via remembered cookies) then you wouldn't be prompted for the two-factor code. The two-factor code is used when you log in on that browser initially.
The best solution would be if AW requires another prompt for a two-factor password in order to display a clear-text loyalty password. This way even if a user did something dumb like leave their account logged in on a public computer, the clear text password wouldn't be displayed without another two-factor confirmation.
Also keep in mind that just because the loyalty passwords are being shown to you clear-text, doesn't mean they are stored that way. They have to be readable so AW can use them to check your points balance, so they can't be hashed, but I'll bet they are stored encrypted in their DB.
You are exactly right, the passwords to loyalty accounts are all stored encrypted (not hashed) so that we can check the balances. Removing the option to display the password in clear text (after you enter the password) or adding second factor auth in there would not make it more secure; we would also have to get rid of the auto-login feature to make it more secure. I also want to point out that if your password is unique to AwardWallet and complex you have nothing to worry about.
We have 315,891 accounts on AwardWallet as of now; 250 got hacked, and their usernames and passwords were very weak, like abcd / abcd, so that is ~0.079%.
Thanks,
-Alexi
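The two design points the posts above turn on are that loyalty-program passwords have to be stored reversibly encrypted (not hashed) because the service must present the real password to the program to fetch a balance, and that showing the clear-text value back to a user is a separate, higher-risk action that can be gated on a fresh second-factor check rather than on a remembered-login cookie. The following is an added illustration in Go, not AwardWallet's code: the `Vault` type, the AES-GCM layout, the `stepUpAt` bookkeeping and the balance-fetch callback are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Vault keeps loyalty-program passwords encrypted under a server-side key.
// They are encrypted rather than hashed because the balance check needs the
// real password back. (Hypothetical structure for this example.)
type Vault struct {
	aead     cipher.AEAD
	records  map[string][]byte    // account id -> nonce || ciphertext
	stepUpAt map[string]time.Time // user id -> last passed second-factor check
}

// NewVault wraps a 16/24/32-byte AES key in AES-GCM.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, records: map[string][]byte{}, stepUpAt: map[string]time.Time{}}, nil
}

// Store encrypts a loyalty password with a fresh random nonce. The account id
// is passed as additional data so a ciphertext cannot be swapped between rows.
func (v *Vault) Store(accountID, password string) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := v.aead.Seal(nil, nonce, []byte(password), []byte(accountID))
	v.records[accountID] = append(nonce, ct...)
	return nil
}

// decrypt is the only place the clear text is recovered; callers decide
// whether it may leave the server.
func (v *Vault) decrypt(accountID string) (string, error) {
	rec, ok := v.records[accountID]
	if !ok {
		return "", errors.New("no such account")
	}
	ns := v.aead.NonceSize()
	if len(rec) < ns {
		return "", errors.New("corrupt record")
	}
	pt, err := v.aead.Open(nil, rec[:ns], rec[ns:], []byte(accountID))
	if err != nil {
		return "", err // wrong key, tampered row, or row moved to another account
	}
	return string(pt), nil
}

// CheckBalance is the server-side use: the password is decrypted in memory
// and handed to the loyalty-program client (a callback here), never returned
// to the browser.
func (v *Vault) CheckBalance(accountID string, fetch func(password string) (int, error)) (int, error) {
	pw, err := v.decrypt(accountID)
	if err != nil {
		return 0, err
	}
	return fetch(pw)
}

// RecordStepUp notes that the user just passed a second-factor challenge.
func (v *Vault) RecordStepUp(userID string, at time.Time) { v.stepUpAt[userID] = at }

// Reveal returns the clear text for display only if the user passed a
// second-factor challenge within maxAge. A remembered-login session that
// never did so is refused, which is the gap the quoted post describes.
func (v *Vault) Reveal(userID, accountID string, now time.Time, maxAge time.Duration) (string, error) {
	last, ok := v.stepUpAt[userID]
	if !ok || now.Sub(last) > maxAge {
		return "", errors.New("fresh second-factor confirmation required")
	}
	return v.decrypt(accountID)
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	_ = v.Store("acct-1", "hunter2") // constructed sample credential
	bal, _ := v.CheckBalance("acct-1", func(pw string) (int, error) { return len(pw) * 1000, nil })
	fmt.Println("balance:", bal)
	if _, err := v.Reveal("user-1", "acct-1", time.Now(), 5*time.Minute); err != nil {
		fmt.Println("reveal refused:", err)
	}
	v.RecordStepUp("user-1", time.Now())
	pw, _ := v.Reveal("user-1", "acct-1", time.Now(), 5*time.Minute)
	fmt.Println("reveal after step-up:", pw)
}
```

In a real deployment the key would live in an HSM or KMS rather than a byte slice, and the `stepUpAt` map would be session state on the server; the split between the internal `CheckBalance` path and the user-facing `Reveal` path is the part worth keeping.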