2 Factor Authentication on Account

Hi @mrcarrot66 

Are you referring to the iD Mobile app/website?

Unfortunately this isn’t something supported on there, sorry.

Tom

Hi thanks for your reply, yeah that's what I mean. 

That's really bad that it's not supported. Like I don't think I've ever had a phone contract where the provider didn't at least send an SMS verification message

Come on iD. 2FA is absolutely essential!

Hi @mrcarrot66,

Welcome to the Community!

This isn’t something that we offer at the moment.

However we can assure you that your account is safe and secure.

Kash

What exactly is your assurance that our accounts are secure? Not having 2FA in 2024 is frankly reckless.

Can you please ensure that at least by the time you offer eSIMs you have 2FA implemented? Also, that you offer TOTP or other methods that don't rely on SMS?

Thanks

Agreed. None SMS based would be best but at least SMS would be a start. 

ID team this really needs attention. You absolutely shouldn't be allowing access to such sensitive information without 2FA. 

I disagree that accounts are secure.  My daughter’s account has been hacked twice in the last five months necessitating a new mobile number each time.  Your procedures for allocating e-sims is not secure, so 2 -factor authentication is essential.  Perhaps a complaint to the Information Commissioner about your lack of customer account security is required to make you start taking security seriously.

Hi @LeeJenk24 

You are free to make a complaint to whomever you wish to.

If someone is having issues with their account, we’d recommend them getting in touch with us themselves.

Tom

It has happened again this morning, so iD’s claim that accounts are secure is incorrect.  This was after having a new number allocated, changing the e-mail address linked to the account and updating the password.  As ID have no procedure for checking requests for eSims, or double checking requests to port numbers to other providers, other than a text saying the request is being carried out (which still happened today after my daughter contacted you to say the request was not from her, and was told it would need to go to technical which will take up to 48 hours) multifactor authentication is vital in 2024.  A complaint will be submitted to the ICO.  iD have a duty of care to customers which it is failing at.  How a technology company can be so lax with security is beyond me. 

Hi @LeeJenk24,

I would advise that you contact our Live Chat Team and they can assist you further.

Kash

Hello Tom,

Are you seriously an ID Mobile employee? I ask because your reply to @LeeJenk24 is nothing less than patronising and, quite frankly, ridiculous, blasé and offensive. Certainly not what one would expect from a representative of any professional organisation.

@LeeJenks24 makes a serious and valid point regarding the lack of, and need of, 2FA authorisation for a communications company in today’s scamming environment. Not being able to understand this galvanises a lack of urgency and commitment by ID Mobile. Shame on you and shame on the company. 
 

i, for one, shall be taking my business to a more reputable organisation, and will be encouraging others to do the same.

I’ll just add my bit on this and leave the debate for others.

The reliance on us being part of this 2FA is a tad unfair IMO. I say this because for the most part the devices we use should have a PIN/pass code/face/fingerprint to unlock that device(s). So that, I have to assume is what iD take into consideration, is step 1 of the (used loosely) authentication.

Step 2 I would presume used to be the fact that early versions of the app would automatically sign out after X amount of time (and in honesty I preferred the UI on that version as it had less bloatware and had better usage information - it counted how many texts and minutes of calls being made). We then had to put the pin in again every time to open the app.

When app version 6.3.0 came out (I have to say more likely due to the eSIM fraud) the app was made more secure (in regards to the internal app security with several background checks being made, parts checking for rooted/jail broken devices and things like what connection is being used), but it stopped automatically signing us out if biometrics was already off. So if someone could get into the device they could simply click on the app and away they go. But would this not be our fault if we don’t use a lock on the device?

But, like my wife uses, if fingerprint biometrics is used within the apps settings we can’t manually log out of the app because this deletes the stored fingerprint (they store it at their end) - on the subject of the fingerprint biometrics this auto deletes after 90 days, whereby you’d need to save one again.

And with that thus far I have not been able to find a way to have a pin AND fingerprint biometrics login within the app. And to confirm app version 6.4.0 deletes the fingerprint if you manually log out too.

Should you manually log out you would need to know the email address used for the account, the account passkey and the options for face or finger biometrics are again offered. If you click maybe later you can use a pin code if you then enable biometrics via the apps settings.

So what about the pin number based biometrics. This simply asks you for your unlock pin to gain access to the app which is better than not having this enabled. If you leave the app open but idle it will prompt for the pin code which is handy. At least even an unlocked phone given to another then the pin request stops them accessing the app without the pin.

So personally if the app had a face/fingerprint/a biometrics pin AND a login pin (if we want 2FA) then this should shut us up. As an aside changing the customer pin to one we pick could be beneficial should a SIM/eSIM be ordered and it wasn’t us via our locked down app. Just to add regarding obtaining an eSIM, this now can only be requested via live chat (and if the customer pin is one we picked rather than one allocated (just in case its an algorithm based pin) again we’d know if it wasn’t us ordering one)

As a potential better way so sign into the online account, I’d be happy enough if it was like how my phone pings a connection attempt when trying to login to my email via another device. My phone ‘tells’ me someone is trying to access my email account and I either tap yes or no - obviously yes prompts either a random 4 digit pin or an 8 digit pin and I have x amount of seconds to copy that into the other device. Only then does my emails load on this other device. The only negative is if we want to access the online account via the device. But again needing a pin code and maybe the customer pin would offer 2FA too.

Anyway, just my thoughts and observations.

Hey there ​@Phil Stockford, we’re sorry about that, and would never mean to make our customers feel this way.

We completely appreciate all your guys feedback on 2FA, and we’ll certainly take it on-board.

Thanks,

Tyler

Another vote for 2FA.

My mobile account is one of the most important ones I own and I want to secure it as much as possible - 2FA is mandatory for me on accounts like this.

I may leave ID because of this - thankfully only on a 1 month contract.

Since posting the above I have since read a post from a staff member with words to the effect of …… when a replacement SIM is now ordered the registered number now gets a text message - how that works if your SIM is lost/broken/stolen is an unknown to me at this point but that’s better than nothing I guess.

Hoping this is clarified

Why has 2FA still not been implemented?

Are you for real iD?