BAEC two-factor authentication
#16
In memoriam
Join Date: Apr 2008
Location: San Francisco, CA
Programs: BA GGL/CCR/GfL
Posts: 405
Sadly this actually makes the BA login flow *less* secure. Using SMS for two-factor is worse than not having two factor at all as it gives a false sense of security.
At least it's consistent with the ridiculous "security" questions they ask when you call in... where all the information needed to answer them is available in the PNR.
Security theatre.
#17
Join Date: Jan 2010
Posts: 441
Locked out of Exec club account - not receiving 2FA code
I've been locked out of my exec club account for over a week now. When I try to reset the password, I receive the reset password link in my email but then the process on BA.com goes on to ask me to verify my identity by entering a 2FA code to be sent to my email address.....except this never arrives (have tried sending it multiple times). I've called up the helpline numerous times but only get through to an overseas call centre - they said they will send the code manually and it will take 24 hours...72 hrs later still not got it. Called again and they said 7 working days.
Getting a bit frustrating. Anyone had something similar and know how to resolve?
#18
Ambassador, British Airways Executive Club, easyJet and Ryanair
Join Date: Sep 2011
Location: UK/Las Vegas
Programs: BA Gold (GGL/CCR)
Posts: 15,914
Sadly this actually makes the BA login flow *less* secure. Using SMS for two-factor is worse than not having two factor at all as it gives a false sense of security.
At least it's consistent with the ridiculous "security" questions they ask when you call in... where all the information needed to answer them is available in the PNR.
Security theatre.
#19
Join Date: Nov 2015
Location: London
Programs: BA Gold
Posts: 1,680
I have had the 2-step authentication, it is not required for every login - when I was selected the SMS message was sent immediately and I was logged in in a matter of seconds. Since this was introduced I have not been required to beat the CAPTCHA challenge - thank goodness.
#20
Join Date: Mar 2005
Programs: BA, Virgin, Lufthansa
Posts: 183
Many apps on your phone can have access to text messages so if one of them is malicious then they can forward the code on.
Another issue is if your number is switched to another SIM without your consent (anecdotally this seems to happen more in the US than the UK but that might be just the tech news I read).
SS7, which is the underlying network protocol, is woefully insecure too.
So there are many ways SMS messages can be intercepted.
#21
Original Poster
Join Date: Jun 2014
Posts: 756
An update:
I used Twitter to contact BA (via direct message), and I received this reply within the hour, without supplying any further credentials (my Twitter handle is a verified - i.e. blue tick - account with my real name; I don't know if that has anything to do with it): I'm sorry to hear you have been experiencing problems accessing your account online. Please can you try logging in again, as this issue should now be resolved.
Indeed it was resolved. From their response it sounds like the non-arriving verification code is a known bug.
#23
Join Date: Nov 2015
Location: London
Programs: BA Gold
Posts: 1,680
Many apps on your phone can have access to text messages so if one of them is malicious then they can forward the code on.
Another issue is if your number is switched to another SIM without your consent (anecdotally this seems to happen more in the US than the UK but that might be just the tech news I read)
SS7 which is the underlying network protocol is woefully insecure too
So there are many ways SMS messages can be intercepted.
Surely one of the most base purposes of 2FA is that it requires two quite different hacks to overcome it?
I'm not suggesting it's perfect, but I'm pretty certain even text message 2FA would be broadly considered to be more secure than password alone.
Out of general interest, are there any reported cases of widespread 2FA attacks? Would, say, Google Authenticator be considered more secure than text message 2FA?
#24
Join Date: Aug 2011
Location: PWM/CDG
Programs: AF/KL Plat, AA Plat, HH Diamond
Posts: 789
Bumping this thread up, as I am facing the same issue: a request for 2-factor authentication, but the code is never delivered, be it via email or SMS. I tweeted BA, they forwarded my request to BAEC, but I'm still locked out after two days. Very frustrating.
#26
Join Date: Nov 2013
Location: Glasgow
Programs: BAEC (Silver), IHG (Plat Elite)
Posts: 541
I also had the request for 2FA a few days ago, numerous requests for a code sent by text or email and it never arrived. This was on my work laptop, using Chrome.
Once I got home that night, I tried again on my own laptop and it was delivered immediately. Using Chrome again, go figure.
#27
Join Date: Dec 2004
Location: London
Posts: 6,265
I had a 2FA challenge yesterday, but wasn't told about it in the app, the app just refused to update data and any attempt to log in failed with a generic login error.
It wasn't until I went to the website and logged in there that I was challenged.
Yet another poor set of IT work from BA...