The Transport for London (TfL) website will soon require people to have a phone as well as their usual username and password if they want to log in to their online account.

TfL is introducing what’s known as multifactor authentication (MFA, also called two-factor authentication or 2FA), which means that after you’ve entered your username and password, you’ll also need to enter a 6-digit code that’s sent to your phone.

This additional layer of protection is increasingly common with websites, and TfL will be adding it to their website shortly.

Using two forms of authentication means that if your password leaks, whoever has it is unlikely to also have your phone, so the login needs two separate proofs that it is really you.

There are two common ways of using a phone as the second factor: a code sent to the phone by text message, or a code generated by an authenticator app on the phone. TfL has opted to send a text message to your phone with the 6-digit code.

A TfL spokesperson said that this “adds an accessible and commonly used layer of security to protect our online services”.

However, there is a more secure way of doing this, and that’s to have an app on the smartphone that generates the code itself (such as Authy or Google Authenticator). The app and the website share a secret when you set it up, and the app then derives a fresh code from that secret and the current time, so there is no text message to intercept. That matters because an attacker can sometimes have your text messages redirected, for example by persuading your mobile network to move your number onto a SIM card they control (a “SIM swap”). That sort of attack is more of a risk for bank accounts, which are a higher-value target for hackers, but the smartphone app option is increasingly offered by ordinary websites as well.

Asked if TfL plans to offer that, they said that “We continue to review our security to find the best balance between protection and usability.”

So in the next few weeks, if you have an account on the TfL website, expect to be asked to provide your phone number so they can send a text message to you the next time you log in.

Why add MFA?

The reason websites are adding this extra layer of security is the risk of passwords being stolen by hackers in data breaches and then sold or traded.

The risk is not so much that TfL’s own website could be hacked, as large firms tend to take security seriously, but that some other, smaller website is hacked and leaks the passwords stored there.

Understandably, the majority of people use the same few passwords for most of the websites they log in to, as it’s a lot easier to remember one password than a different password for each website. However, if a small website that doesn’t protect itself properly were to be broken into, a hacker could end up with the password you use to log in to all the other websites you use. Attackers automate this, feeding leaked email-and-password pairs into login forms across many other sites to see where they still work.

So, for a hacker, breaking into TinyLittleFirm could get them the password you use to log in to BigOnlineBank.

Hence, a second layer of authentication to protect your account.

And that’s what TfL is introducing.

Use a Password Manager

If you are one of the majority of people who are sharing passwords across multiple websites, I would recommend using a password manager for your accounts.

This is a piece of software for your computer and smartphone that generates a random password every time you open an account and fills in the login forms for you automatically. That way, over time, every single website you use will have a different, randomly created password.

All you have to remember is one master password that unlocks the password manager – the software handles the websites for you.

That way, if TinyLittleFirm’s website is broken into, then the password you used there won’t work anywhere else, as your password manager always creates unique passwords for each website you use.
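As an added example (not code from any password manager product mentioned on this page), here is the core of what such a tool does for you: generate a distinct random password per site from a cryptographically secure random source, spot any password that has been reused across sites, and check a password against a leaked-password list without ever sending the password itself. The breach check follows the k-anonymity pattern used by the Have I Been Pwned “range” API, where only the first five hex characters of the password’s SHA-1 hash are sent and the rest is matched locally; the range response embedded below is constructed for the demo, not a real download, and the site names are hypothetical.

```python
import hashlib
import secrets
import string
from typing import Dict, List, Tuple

SYMBOLS = "!#$%&*+-=?@_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length: int = 20) -> str:
    """Random password from the `secrets` CSPRNG (never `random`), retried
    until it contains a lowercase, uppercase, digit and symbol so it passes
    the complexity rules most sites impose."""
    if length < 8:
        raise ValueError("use at least 8 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def find_reused(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each password used on more than one site to the list of those
    sites; an empty result means every site has its own password."""
    by_password: Dict[str, List[str]] = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 of the password, split into the 5-char prefix that may be sent
    to a range lookup and the 35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(prefix: str) -> str:
    """URL you would fetch for the prefix (not fetched here)."""
    return f"https://api.pwnedpasswords.com/range/{prefix}"


def pwned_count(password: str, range_body: str) -> int:
    """Given the body returned for the password's prefix (one
    'SUFFIX:COUNT' per line), return how many times the password appeared
    in known breaches, or 0 if it is not in the list."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for the response to the prefix 5BAA6 (SHA-1 of
# "password" is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8); the counts are
# made up for the demo.
CONSTRUCTED_RANGE_5BAA6 = """
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00000A1D2B3C4D5E6F708192A3B4C5D6E7F:2
"""

if __name__ == "__main__":
    # Hypothetical vault: one reused password, one generated per site.
    vault = {
        "tinylittlefirm.example": "password",
        "bigonlinebank.example": "password",
        "transport.example": generate_password(),
    }
    print("reused:", find_reused(vault))
    for site, pw in vault.items():
        prefix, _ = split_hash(pw)
        print(site, range_url(prefix), "seen in breaches:",
              pwned_count(pw, CONSTRUCTED_RANGE_5BAA6))
```

The point of the hash split is that the lookup service learns only that your password hashes to one of several hundred values starting with the same five characters, never which one; a password manager can run this audit over every stored entry without exposing any of them.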

There are quite a few companies offering password managers, ranging from the basic to the very complicated.

If you’re an average person, like me, then an average password manager will be fine. I use 1Password, simply because it does the job, others are available. You usually have to pay an annual fee ($43 per year for 1Password), but treat it like insurance – you always think it’s a waste of money, until the day it protects you.

There is a risk that the Password Manager itself could leak your passwords, and there has been a scandal recently about LastPass, which turned out to be less secure than it had claimed — however, I’d still recommend using a password manager as they’re still a lot more secure than any of the alternatives.



14 comments
  1. Brian Butterworth says:

    Anything is better than the “pick pictures of a fire hydrant” system you have to use at the moment!

    • Chris Rogers says:

      You don’t. TfL dropped the picture select (× 2) captcha access a few months ago thankfully. Might have guessed that brief hiatus was exactly that.

  2. MilesT says:

    Will the separate Santander bike website also be changing? (It would be useful if there was a common credential between the main TfL and the Santander bikes)

  3. Fazal Majid says:

    SMS based MFA is the worst possible option. SMS are sent effectively unencrypted over the air and phones can be hijacked using “SIM Swap” attacks, a technique that was used to empty cryptocurrency wallets. That’s why it is deprecated by the US National Institute of Standards and Technology that among other things makes US security standards including for the Federal Government.

    Much better would have been to rely on phones’ security features within the app, e.g. face or fingerprint recognition as well as the Passkeys feature. This is security theater at best.

    • Jon says:

      SIM swaps are a fairly sophisticated attack requiring a lot of intel. No one is doing that to get the £20 on an Oyster card. The advantage of SMS is it works on all devices regardless of age (not everyone is using a smartphone) and it’s much cheaper to implement; developing a secure multi-platform app isn’t eye-watering but it is an expense.

  4. Steven says:

    TfL have already implemented the clunky Cloudflare on their site ensuring anybody outside the UK can’t access Oyster login. This means that any British citizen based overseas with an account won’t be able to perform anything like adding funds or basic admin stuff. TfL said those people will have to make an expensive international telephone call to their 0345 number or fill in an online form and wait up to 10 days for a response. The Oyster account is now useless to me but trying to get TfL customer service to delete it is near impossible. No other “international” city I travel to has closed off their operations like this.

    • ianVisits says:

      You’ve just typed that comment on a website using “clunky Cloudflare”, so I doubt their caching is the issue.

  5. Ben says:

    The cynics amongst us might think that their intent is really to prevent access to your account through third-party systems. For example Reeclaim (www.reeclaim.co.uk).

    It does seem strange implementing an SMS based system, when the better app based (TOTP) system is just as easy, perhaps easier to put in place.

    Disclaimer: I have no connection to Reeclaim.

    • ianVisits says:

      The reeclaim website has been down for over a year – because they can’t access the current login system.

  6. Simona says:

    How will people without mobile phones log in to their Oyster accounts?

  7. John says:

    TfL accounts need to be accessed by holders of e.g. Senior Citizen railcards, and updated each year. Many don’t use smartphones. And some just don’t want to, whatever their age, from home.
    Should be able to do it from a dongle, or home phone.

    • ianVisits says:

      You don’t need a smartphone to receive a text message – any mobile phone can do that.

  8. Ken says:

    I doubt TFL are going to accept international phone numbers for txt verification, which means that even using a VPN to access Oyster accounts will no longer work. Sigh.
