Allow users to secure their accounts with 2-Factor Authentication (2FA)

By: minimike86 | 31-07-2018 01:33

Problem Statement

Currently you log into giffgaff via your username (member name or mobile number) and your password.

Attackers can very easily enumerate member names using giffgaff's own affiliate links. For example, when you browse to https://www.giffgaff.com/orders/affiliate/minimike86 you will see that I am offering a joining bonus. However, when you browse to https://www.giffgaff.com/orders/affiliate/ijustmadethismembernameup, which is an invalid member name, you are redirected to https://www.giffgaff.com/orders/mgm, and with a few lines of code you can find all of the possible member names on the site.

What is your idea?

"2-Factor Authentication (2FA)" is a security control whereby a physical device (something you have) in the possession of the user produces random one-time-use codes that are supplied with or after the username/password (something you know) combination. Example: a mobile phone running the Google Authenticator application <- Most Secure

"two-step verification" is a security control whereby you would receive a text message or email with a code that you would then enter after a successful login using a username/password combination, which would then authenticate you. This security control is not currently activated. <- Somewhat Secure

How will this benefit giffgaff and its members? Why should giffgaff implement your idea?

Currently the ONLY thing protecting any giffgaff customer from account compromise is their password.
It should therefore be fairly obvious what the benefits of adding one or both of the above ideas are...

  • Customer data will be more secure from account compromise (guessing username/password)!
  • GiffGaff will boost its customer reputation!
  • GiffGaff will reduce its operating costs - when informing customers about suspicious activity on their user accounts!



by: gcase64
on: 27-09-2019 22:15

Another great idea. It is imperative that giffgaff implement this asap. Come on giffgaff, don't drag your heels on this.

by: dorianm
on: 05-09-2019 08:50

2FA with Authy is an absolute must and needs to be offered by Giffgaff asap. This is critical for me, and I'm considering leaving Giffgaff due to the fact that they are not yet offering this feature. SIM swapping attacks are the weakest link and often lead to loss of online data (email / photos) as well as money theft via online purchases.

Example of SIM Swapping experience here (T-Mobile): https://www.zdnet.com/article/how-i-survived-a-sim-swap-attack-and-how-my-carrier-failed-me/

by: rje95
on: 29-08-2019 15:03

After a year I feel this should have already been implemented, perhaps this needs to be prioritised more as it's a fairly important security feature.

by: tomhowe
on: 17-06-2019 22:03


I also think that any change to ownership of the phone number/SIM etc. should require a callback to the customer after 24 hrs, so that in the event of a phone being stolen to be used for 2FA authentication the customer has time to cancel the phone.

This is a very scary story of someone whose stolen SIM caused them the loss of their Gmail and Twitter accounts and almost significant financial loss.


Given that phones have become de facto 2FA for email/Chrome/bank accounts, getting hold of passwords in your Chrome account plus the phone for 2FA gives a thief almost unlimited access to your personal information and assets.

I'll be leaving for a service that does offer better security if not taken seriously and implemented in the next 2-3 months.

regards, Tom

by: bing5582
on: 01-06-2019 18:25

Absolutely good idea

by: parad0xical
on: 27-05-2019 11:34

Absolutely agree with "minimike86" and "erisds" that this needs to be implemented as an option for users as soon as possible. Almost every month we hear about data breaches, including user IDs and passwords, of web applications which host personal and confidential information. Many more occur which don't make it into the media. Two-factor authentication (2FA) is one way to prevent unauthorised access to your account even in the event of such a breach (which is a matter of "when", not "if"). This is now industry best-practice for online banking, email and even social media.

Compromise of giffgaff user credentials would not only be inconvenient (loss of account control and personal data) but also creates financial risk. As "mathlete76" has already pointed out, an attacker could assume your identity by gaining control of your number through a SIM swap or use PAC to change to another provider. Many people already use SMS codes as a second factor for other accounts (e.g. online banking) which means an attacker would be able to use your hijacked number to receive your SMS codes to authenticate to your bank if also in possession of your compromised user ID and password. Needless to say, you would not be able to access any of these accounts because you would no longer be receiving your SMS codes.

I say "option" because every user should be able to make a personal choice whether to use the additional control or not. Personally, I would use it every time I accessed my giffgaff account through a browser and the first time I logged into the smartphone app.

Google Authenticator is pretty ubiquitous....

by: klas82ipad
on: 23-05-2019 14:45

Yes, this needs to happen. GiffGaff, you need to give this to us. User security must be a priority. I'm currently responsible for 5 GiffGaff accounts (the family's tech guy and admin) and even though it's all different passwords I would still like the ability to enable 2FA. Also, PLEASE! Not that stupid SMS 2FA either. I want that Google Authenticator-style or Microsoft prompt-style 2FA.

by: peterg92
on: 23-05-2019 11:22


by: kzar
on: 20-05-2019 13:10

I would really like this feature.

Thanks, Dave.

by: msmon55
on: 08-05-2019 13:26

It should be standard practice. Come on GG, please implement this asap. GG should put the security of their members at the very top of their priorities.