
u2f to protect personal data on My giffgaff with 2-step ("2 factor") authentication option for My giffgaff logins

By: timsmall | 03-12-2015 19:54

There's a lot of personal data on My giffgaff which members need to keep secure.

Companies like Google, Dropbox, GitHub (soon PayPal, eBay, Visa, Mastercard, Microsoft and others) support the excellent "FIDO U2F" standard so that users can opt-in to secure logins to their websites.

See this example video for how it works: https://www.youtube.com/watch?v=EVx3QkJ8_J0

... since it was made, Microsoft and Firefox have announced upcoming support in their browsers too.

You can buy the USB keys from many different manufacturers from about £5 (some also work with NFC for tablets and phones without plugging in), and use each key with multiple sites (without compromising privacy).

Google, Dropbox, GitHub all allow users to add these to their account, and require their use either for every login, or just for the first login from a particular computer.

I've been using one for a couple of weeks now, and I think they're great! Google have reported a more than 75% reduction in unauthorised access to accounts (e.g. via malware etc.) for users who use them.


Comments

by: iqbal92307
on: 08-10-2019 14:18

Sounds good

by: tracy71
on: 26-08-2019 11:58

you have got my vote

by: 1445824
on: 20-06-2019 18:44

I have no idea on the cost to Giffgaff to implement U2F, but it would be extremely wise to do so, many companies have, my email supplier for one... If in the future another network implements this security feature, I would probably change over, even though it may cost more per month. I feel online security is an important feature along with coverage and cost.

by: muddycalhoun
on: 18-06-2019 10:47

YES

Edited
by: parad0xical
on: 27-05-2019 11:24

Absolutely agree with the OP and "erisds" that this needs to be implemented as an option for users as soon as possible. Almost every month we hear about data breaches, including user IDs and passwords, of web applications which host personal and confidential information. Many more occur which don't make it into the media. Two-factor authentication (2FA) is one way to prevent unauthorised access to your account even in the event of such a breach (which is a matter of "when", not "if"). This is now industry best-practice for online banking, email and even social media.

Compromise of giffgaff user credentials would not only be inconvenient (loss of account control and personal data) but also creates financial risk. As someone has already pointed out, an attacker could assume your identity by gaining control of your number through a SIM swap or use PAC to change to another provider. Many people already use SMS codes as a second factor for other accounts (e.g. online banking) which means an attacker would be able to use your hijacked number to receive your SMS codes to authenticate to your bank if also in possession of your compromised user ID and password. Needless to say, you would not be able to access any of these accounts because you would no longer be receiving your SMS codes.

I say "option" because every user should be able to make a personal choice whether to use the additional control or not. Personally, I would use it every time I accessed my giffgaff account through a browser and the first time I logged into the smartphone app.

by: erisds
on: 10-04-2019 13:21

I keep being told by Giffgaff support that I have to comment here if I want to be heard, so here I am.

It is absolutely imperative that Giffgaff adds second or multi-factor authentication on their online accounts immediately. There are now at least 7 ideas that cover this:

https://labs.giffgaff.com/idea/16713916/2-factor-authentication

https://labs.giffgaff.com/idea/16712158/allow-users-to-secure-their-accounts-with-2-factor-authentication-2fa

https://labs.giffgaff.com/idea/16701487/u2f-to-protect-personal-data-on-my-giffgaff-with-2-step-2-factor-authentication-option-for-my-giffgaff-logins

https://labs.giffgaff.com/idea/16712363/require-2-factor-authentication-to-sign-up-for-payforit-texts

https://labs.giffgaff.com/idea/16707920

https://labs.giffgaff.com/idea/16703325

Many of these are over 4 years old. It's very clear that no one reads or moderates this board.

That's fine - it's up to you to choose whether to moderate the board, but if you're not going to then your agents need to stop telling people to raise ideas for things that have been open for 4 years already and be honest about the fact that no one cares what's written here.

by: nickyheywood
on: 25-01-2019 00:57

good idea

by: adamtheant
on: 20-07-2018 21:02

sounds good

by: adamtheant
on: 30-12-2018 17:06

As it's a good idea

by: mikejonesey4
on: 07-08-2016 20:28

or OATH-TOTP (U2F is not supported on all browsers natively yet...)

by: leshin
on: 02-08-2016 16:30

Good if giffgaff can do it. Giffgaff isn't a big tech company