Allow users to secure their accounts with 2-Factor Authentication (2FA)

By: minimike86 | 31-07-2018 01:33

Problem Statement

Currently you log into giffgaff via your username (member name or mobile number) and your password.

Attackers can very easily enumerate member names using giffgaff's own affiliate links. For example: when you browse to https://www.giffgaff.com/orders/affiliate/minimike86 you will see that I am offering a joining bonus. However, when you browse to https://www.giffgaff.com/orders/affiliate/ijustmadethismembernameup, which is an invalid member name, you are redirected to https://www.giffgaff.com/orders/mgm, and with a few lines of code you can find all of the possible member names on the site.

What is your idea?

"2-Factor Authentication (2FA)" is a security control whereby a physical device (something you have) in the possession of the user produces random one-time use codes that are supplied with or after the username/password (something you know) combination. Example: a mobile phone running the Google Authenticator application <- Most Secure

"two-step verification" is a security control whereby you would receive a text message or email with a code that you would then enter after a successful login using a username/password combination, which would then authenticate you. This security control is not currently activated. <- Somewhat Secure

How will this benefit giffgaff and its members? Why should giffgaff implement your idea?

Currently the ONLY thing protecting any giffgaff customer from account compromise is their password.
It should therefore be fairly obvious what the benefits of adding one or both of the above ideas are...

  • Customer data will be more secure from account compromise (guessing username/password)!
  • GiffGaff will boost its customer reputation!
  • GiffGaff will reduce its operating costs - when informing customers about suspicious activity on their user accounts!

by: shawabawa
on: 20-06-2019 17:18

+1 to this.

SIM ports are an absolutely HUGE attack vector at the moment, and if giffgaff supported strong 2FA options (TOTP, U2F), it would be absolutely the best and most secure network provider in the UK, and all high-risk targets would be encouraged to use it.

by: nottmartin
on: 19-08-2018 12:52

I totally agree with this; the prevalence of SIM swapping attacks means that a breach of my GiffGaff account could lead to takeover of other accounts/services. This needs to allow the use of MFA apps such as Authy rather than just SMS.

by: minimike86
on: 16-08-2019 21:16

A year later and still no option for 2FA... but giffgaff are including 2-step for some interactions, which is a (excuse the pun) step in the right direction; but it's NOT proper 2FA!

by: msmon55
on: 24-06-2019 01:05

Hope this is implemented pronto. Security must always come first.

by: mathlete76
on: 26-04-2019 19:26

Yes please. I use 2FA on many sensitive accounts online, but found out to my cost recently that most of them can be bypassed if a user has access to your phone number. Someone got access to mine by hacking my giffgaff account, SIM swapping my number to their SIM and then using "forgot password" procedures to have backup codes texted to my number, over which he had control.

Mobile numbers are a last form of defence, so giffgaff must allow us to properly secure them with 2FA.

I was very lucky to have logged in to my giffgaff before the hacker could change my password or I'd have been utterly screwed. 2FA would have prevented this easily.

by: claire1uk
on: 15-10-2018 21:42

As an additional option, this would be useful, but not compulsory. Members should have a choice.

by: terzorosso
on: 26-12-2019 16:28

I agree. I don't like 2FA.

by: shahz49283
on: 25-02-2021 18:36


by: xantha
on: 10-02-2021 18:44

The lack of 2FA using an Authenticator App such as Google Authenticator is the last remaining weak point in my online presence. I have managed to secure all my other sensitive accounts with complex passwords and 2FA using apps, not SMS, and am very concerned that I cannot protect my giffgaff account in this way. This feature should be implemented as the number 1 priority.

by: ahreh20
on: 30-01-2021 20:01

Fantastic idea

by: two00lbwaster
on: 03-01-2021 17:22

2FA is probably a prerequisite these days for service providers.

SMS and email should not be considered for a 2FA system (especially email, as this is the way that password resets are handled, so email then isn't a second factor if the email account is compromised through phishing. And yes, I know that banks are a bunch of clowns when it comes to this stuff.)

TOTP/U2F are better, but if your phone is compromised, so likely is your email and your TOTP, which means that Security Keys are probably one of the only secure factors. This will all have been covered elsewhere by other people.