FlyerTalk Forums > Miles&Points > Airlines and Mileage Programs > British Airways | Executive Club

Two Factor Authentication (2FA) added to Executive Club login

Old Feb 16, 2024, 2:08 am
  #61  
 
Join Date: Mar 2014
Location: Leicestershire / Dubai
Programs: BA Silver, Marriott Bonvoy Titanium Elite & Lifetime Gold, Heathrow Rewards Premium, Tesco Clubcard
Posts: 663
About time too.

I've been telling BA for years to improve customer account security, including via the use of MFA.

At one time, my BAEC account would not even let me set a secure password (100-character random password with lots of special characters). The website still struggles with this when I try to set it, so it's far fewer characters now, but at least it now lets me add special characters.

My account has not prompted me to set an MFA code yet but hopefully the Apple password app is supported.

Originally Posted by BOH
Re my earlier question about 5 posts up.....any idea whether BA will allow opting out of 2FA? As mentioned, my concern is if lost / stolen / broken mobile phone then that would be it. I couldn't even use my e-mail account registered with BA because that now has 2FA and needs my phone to authenticate. Personally I would rather not have 2FA on my BA account and still be able to log on from any web enabled PC just using my Exec Club # and Password.
Assuming something like the Apple password app is supported, you would be able to get the verification code across all your devices should one fail (E.g. Mac, iPhone, iPad etc).
Paren is offline  
Old Feb 16, 2024, 2:09 am
  #62  
 
Join Date: May 2006
Location: GVA
Programs: BA Gold, LH FTL, KL/AF Ivory
Posts: 1,878
It might be OK if they could already get "single-factor authentication" to work. Trying to log in to the BA website is fraught with difficulties, with one or more of the following occurring randomly:
The login link is no longer present.
The login credentials are not recognized even though they are definitely correct
After login you get a message along the lines that the systems are overloaded, try again later (a bit like when you try and phone)
The login goes into hang mode with BA's equivalent of the egg-timer (the moving bar in the middle of the screen)
Maybe they should try and fix these problems before venturing into something so complicated as 2-FA?
catandmouse is offline  
Old Feb 16, 2024, 2:46 am
  #63  
 
Join Date: Jan 2009
Location: Northern Ireland
Programs: BA Silver, A3
Posts: 1,102
crm.ba.com?

This morning I received an email from
ExecutiveClub at crm dot ba dot com.
It's about new features.
It quotes the correct Avios and tier points in my account and asks me to login to check that the details are okay, but doesn't address me by name.
Looks odd.
Stormbel is offline  
Old Feb 16, 2024, 2:51 am
  #64  
 
Join Date: Jun 2019
Programs: BAEC GGL/CCR
Posts: 439
I have had loads of emails from that sender email and they look fine.
Simonp27 is online now  
Old Feb 16, 2024, 2:51 am
  #65  
 
Join Date: Jan 2016
Location: LON
Programs: BAEC
Posts: 3,918
It's very much normal these days to separate bulk and mass email into a subdomain (in this case crm.ba.com), away from your BAU transactional email (ba.com). The address that actually matters is the envelope from, which is usually hidden from you as an end user, but the from address that you see is usually in the same subdomain.

If the email has pointers of current data that pertains to you then there's little to worry about.
plunet is offline  
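The check plunet is describing, visible From: domain against the envelope sender plus the receiving server's SPF/DKIM/DMARC verdicts, as an added worked example (not part of any post in this thread). The two header sets below are constructed: the receiving host mx.example.net, the bounce address, the spoofed domain mail-ba-rewards.example and the Authentication-Results values are all invented for illustration; only the ExecutiveClub@crm.ba.com sender address is the one quoted in the thread.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample headers, not the poster's real message. The receiving host
# (mx.example.net), the bounce address and the Authentication-Results values are
# made up; the sender address is the one quoted in the thread.
GENUINE_LOOKING = """\
Return-Path: <bounce-12345@crm.ba.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=crm.ba.com;
 dkim=pass header.d=crm.ba.com; dmarc=pass header.from=crm.ba.com
From: "British Airways Executive Club" <ExecutiveClub@crm.ba.com>
To: member@example.net
Subject: Important update to your Executive Club account login

Dear Customer, ...
"""

# Same visible From: line, but the envelope sender is somewhere else and DMARC fails.
# (mail-ba-rewards.example is an invented domain.)
SPOOFED = """\
Return-Path: <promo@mail-ba-rewards.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail-ba-rewards.example;
 dkim=none; dmarc=fail header.from=crm.ba.com
From: "British Airways Executive Club" <ExecutiveClub@crm.ba.com>
To: member@example.net
Subject: Important update to your Executive Club account login

Dear Customer, ...
"""


def org_domain(domain: str) -> str:
    """Collapse a subdomain to its registrable domain (crm.ba.com -> ba.com).
    Simplification: real DMARC alignment uses the Public Suffix List; this shortcut
    is wrong for two-label suffixes such as .co.uk."""
    return ".".join(domain.lower().split(".")[-2:])


def check_sender(raw: str) -> dict:
    """Compare the visible From: domain with the envelope sender (Return-Path) and read the
    receiving server's SPF/DKIM/DMARC verdicts. Returns the extracted facts plus a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    envelope_domain = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", [])).lower()

    result = {"from_domain": from_domain, "envelope_domain": envelope_domain}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result[mech] = m.group(1) if m else "missing"

    # Bulk mail legitimately comes from a subdomain (crm.ba.com). What matters is that the
    # envelope sender belongs to the same organisation and that DMARC passed for the From: domain.
    result["aligned"] = bool(envelope_domain) and org_domain(envelope_domain) == org_domain(from_domain)
    result["verdict"] = "consistent" if result["aligned"] and result["dmarc"] == "pass" else "suspicious"
    return result


if __name__ == "__main__":
    for label, raw in (("genuine-looking", GENUINE_LOOKING), ("spoofed", SPOOFED)):
        print(label, check_sender(raw))
```

SPF passing on its own proves little: the spoofed sample passes SPF for the attacker's own envelope domain. The useful signals are DMARC for the From: domain and whether the envelope domain belongs to the same organisation, which is why the thread asks for raw headers rather than the rendered From: line.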
Old Feb 16, 2024, 2:53 am
  #66  
 
Join Date: Sep 2016
Location: BHX
Programs: BA Gold, Hilton Diamond, IHG Diamond
Posts: 191
I've had multiple emails from [email protected] going back 6 months or so which were all valid. They definitely do use the crm.ba.com domain.

Not sure what you're actually asking here but if you want confirmation if this is spoofing or not then please share the raw email headers.
SxMan likes this.
Traveller 935 is offline  
Old Feb 16, 2024, 2:58 am
  #67  
 
Join Date: Jun 2015
Location: LHR, LGW
Programs: BAEC
Posts: 3,444
I had the two factor authentication email yesterday from BA crm address. It displays my membership details so I guess it’s legit. I don’t tend to click through on marketing emails regardless other than verification links.
rockflyertalk is offline  
Old Feb 16, 2024, 2:59 am
  #68  
 
Join Date: Jan 2009
Location: Northern Ireland
Programs: BA Silver, A3
Posts: 1,102
Here's the email

From: "British Airways Executive Club" <[email protected]>
To: xxxxxxxxxxx
Cc:
Sent: Thu, 15 Feb 2024 at 12:12
Subject: Important update to your Executive Club account login

Help us protect your account

Dear Customer,

At British Airways, we're committed to ensuring your data is secure. We wanted to let you know that we're adding an extra step when you log in to your Executive Club account on ba.com, similar to other services such as online banking. It's also coming soon to our app on mobile devices.

This extra layer of security helps protect your account with a choice of quick and easy extra methods to verify your identity, as well as your username and password. You'll shortly be required to set this up when you log in on ba.com.

It's essential that your email address and mobile telephone number in your profile are up to date now. Please take a few moments to log in and check these details are correct. You can review and update your personal information in the Manage My Account section. If your details aren't up to date, you might be unable to log in to your account later on.

For more information, assistance or to view our Privacy Policy, please visit ba.com.

Thanks for your cooperation.

Warm regards,
Your Executive Club Team
Stormbel is offline  
Old Feb 16, 2024, 3:15 am
  #69  
BOH
 
Join Date: Apr 2005
Location: UK
Programs: IC Hotels Spire, BA Gold
Posts: 8,671
Originally Posted by Paren
About time too.

I've been telling BA for years to improve customer account security, including via the use of MFA.

At one time, my BAEC account would not even let me set a secure password (100-character random password with lots of special characters). The website still struggles with this when I try to set it, so it's far fewer characters now, but at least it now lets me add special characters.

My account has not prompted me to set an MFA code yet but hopefully the Apple password app is supported.

Assuming something like the Apple password app is supported, you would be able to get the verification code across all your devices should one fail (E.g. Mac, iPhone, iPad etc).
I only have an iPhone and a laptop PC (Windows). Plus, what is "MFA"?
BOH is offline  
Old Feb 16, 2024, 3:58 am
  #70  
 
Join Date: Jun 2015
Location: LHR, LGW
Programs: BAEC
Posts: 3,444
Originally Posted by BOH
I only have an iPhone and a laptop PC (Windows). Plus, what is "MFA"?

Multi-Factor Authentication. Not just a username and password, but verification via one other means. It could mean verification via email, text, call etc.
Paren likes this.
rockflyertalk is offline  
Old Feb 16, 2024, 4:04 am
  #71  
 
Join Date: Jan 2016
Location: LON
Programs: BAEC
Posts: 3,918
Originally Posted by BOH
Re my earlier question about 5 posts up.....any idea whether BA will allow opting out of 2FA? As mentioned, my concern is if lost / stolen / broken mobile phone then that would be it. I couldn't even use my e-mail account registered with BA because that now has 2FA and needs my phone to authenticate. Personally I would rather not have 2FA on my BA account and still be able to log on from any web enabled PC just using my Exec Club # and Password.
The problem here is that having just a username and password has for a long time been considered insecure. Apart from the common-sense need to protect their systems and services, BA are additionally on the hook legally to protect customers' personal data, some of which is deemed sensitive by law.

If a data breach were to occur whereby it was determined that BA as a processor of data had "failed to take appropriate technical measures" to secure access to personal data they could be looking at a fine of up to 4% of global turnover. Just having a username and password is no longer considered an appropriate technical measure for an internet facing service. Whether the regulator and the courts would use their remedy to the full extent is unknown, but BA's insurers will be influencing things here to eliminate risk.

Then you have got to ask yourself: if they had an exemption process (and it could well be that they do, to cater for customers with specific needs), that would not absolve them from needing to protect your data, so they are unlikely to offer exemptions willingly; it would likely be based on medical need, as every exemption is overhead and risk.

Unfortunately 2FA and MFA are the way the world is going, and indeed passwordless, where you only use the one-time token and don't have a password.

Originally Posted by BOH
I only have an iPhone and a laptop PC (Windows). Plus, what is "MFA"?
MFA is multi-factor authentication (where you might have several options).
2FA is two-factor authentication, a subset of MFA.
Paren and rockflyertalk like this.

Last edited by plunet; Feb 16, 2024 at 4:36 am
plunet is offline  
Old Feb 16, 2024, 4:09 am
  #72  
 
Join Date: Aug 2006
Location: Switzerland
Posts: 1,593
Originally Posted by BOH
Re my earlier question about 5 posts up.....any idea whether BA will allow opting out of 2FA?.
My guess is that they'll make it compulsory but it won't work
stifle likes this.
adrianlondon is offline  
Old Feb 16, 2024, 4:11 am
  #73  
 
Join Date: Oct 2015
Location: Portsmouth, UK
Programs: BA GGL/CCR
Posts: 792
I loathe 2FA. I'm in the Navy and when deployed I can neither get a phone signal nor access my personal emails. It makes 2FA impossible for me.
CatchThePigeon and bisonrav like this.
Tiffywren is offline  
Old Feb 16, 2024, 4:26 am
  #74  
 
Join Date: Oct 2014
Location: UK
Programs: BAEC
Posts: 1,870
Originally Posted by Tiffywren
I loathe 2FA. I'm in the Navy and when deployed I can neither get a phone signal nor access my personal emails. It makes 2FA impossible for me.
I currently do 2FA with email on a web app, so no phone access required. So anywhere I could get access to BA.com I would also be able to get to my second ID if they allowed email verification.
But from the email we received it seems like they may not allow this option for their version of 2FA.
There are other alternatives to phones that I use for other more secure applications.
One is to have a linked RSA generator where you get a dongle or device and look up a code on there and plug it in. But I suspect they won't want to do that as it costs money.
The other is to have a phone app that essentially does the same thing. But I have not used one of those. Theoretically there is no need for such an app to require a phone signal at the time of use, but it would need internet connectivity when first set up. I don't do Apple, so I don't know if that is how Apple Key works.
DeathSlam is offline  
Old Feb 16, 2024, 4:41 am
  #75  
 
Join Date: Jan 2016
Location: LON
Programs: BAEC
Posts: 3,918
Originally Posted by Tiffywren
I loathe 2FA. I'm in the Navy and when deployed I can neither get a phone signal nor access my personal emails. It makes 2FA impossible for me.
As above, your service providers would hopefully support a TOTP (time-based one-time password). This is a seemingly random 6-digit number that changes every 30 seconds. Provided that you have a device such as a mobile phone where you can periodically sync the clock, or a dedicated RSA keyfob token that can generate the 6-digit time-based codes, this is completely offline and shouldn't impact you getting into services.
stifle and DeathSlam like this.
plunet is offline  



This site is owned, operated, and maintained by MH Sub I, LLC dba Internet Brands. Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Designated trademarks are the property of their respective owners.