Knowledge Base
Community

Launching multi-factor authentication

Started by: captainben
On: 13/08/2019 | 09:04
Replies: 76
Reply

by: captainben
handy giff-staffer

on: 13/08/2019 | 09:04 edited: 13/08/2019 | 09:42

Hello everyone,

 

Today I come bearing some big news. Something which has been requested by you guys and our product teams have worked very hard on to deliver.

 

As you know, our members safety is extremely important to us and we try our very best day in day out to ensure our members are safe. 

 

As part of that, we are now launching multi-factor authentication for members requesting a SIM swap or wanting to change the email address linked to their accounts.

 

This means that when a member wants to do a SIM swap or change their email address, they will receive a text message and an email with a verification code to their mobile number or registered email address. They will then have to pop the code in right before the process is completed.

 

SIM swap journey:

 

Screen Shot 2019-08-06 at 16.24.46.png

 

Changing an email address:

 

Screen Shot 2019-08-06 at 16.20.33.png

 

 

Because this is new to us and we want to make sure it is working as it should, we will be rolling it out gradually over the next few days starting with a small number of members and eventually reaching everyone.  We will be closely monitoring its performance and the feedback we get from our members to ensure that everything is working smoothly. This is just the first step in us releasing multi-factor authentication and we plan to expand that to more journeys in the future.

 

To make sure everyone knows this is happening, we will be reaching out to all of our members via email and let them know. We will also use this opportunity to share more general advice with our members on how to keep their account and personal details secure and point them to this thread if they want to read more. 

 

Many thanks to @leeputman1@magnushirst, @nimistry001 and the rest of the team that worked really hard to bring this to life for our members. 



Thanks folks, 

Ben

giffgaff Head of Security
Message 1 of 77
by: endorphin
on: 13/08/2019 | 09:51

@captainben hopefully this will prove effective. Can you confirm that the verification code will be sent by text and email in all cases - someone requesting a SIM swap because they have lost their SIM won't be able to receive a text!

Get a free giffgaff SIM/microSIM/nanoSIM with free £10 credit
Message 2 of 77
by: roxy_r
community giff-staffer

on: 13/08/2019 | 10:02

Hi @endorphin , yes, the system is designed to send an SMS as well as an email for that specific reason. Because this is the first iteration of our implementation of multi-factor authentication, we would very much need your help in keeping an eye on it and making sure it behaves as it should.

 

If you spot that an email has not been sent, could you please let one of the Educators know? Just please make sure they are checking the email they registered with their account. Smiley Happy

community manager in the Help&Support area
links Visit the community guidelines <Check the Knowledge base
Message 3 of 77
by: andy69
on: 13/08/2019 | 10:10
At last giffgaff are starting to take security seriously. I hope it won't be long before giffgaff customers are protected from payforit scams by implementing 2fa authentication for such charges: see https://labs.giffgaff.com/idea/16712363/require-2-factor-authentication-to-sign-up-for-payforit-text...
Get a free giffgaff Sim
Message 4 of 77
by: giffgaff20147
on: 13/08/2019 | 10:51

@captainben 

Hello what a good idea hopefully it should stop some of the scams 

well done 

Mary 

Message 5 of 77
by: ma2013
on: 13/08/2019 | 11:40
This is great news for security, all the best sites have this 2-factor verification code system now. Nice one giffgaff! :-)
If I've been helpful, feel free to award Kudos / Mark As Accepted Solution to posts. Get a free giffgaff Sim
Message 6 of 77
by: endorphin
on: 13/08/2019 | 11:43

@roxy_r wrote:

If you spot that an email has not been sent, could you please let one of the Educators know? Just please make sure they are checking the email they registered with their account. Smiley Happy

Will do!

Get a free giffgaff SIM/microSIM/nanoSIM with free £10 credit
Message 7 of 77
by: bobrobinson
on: 13/08/2019 | 12:04 edited: 13/08/2019 | 12:05

Great work @captainben  @roxy_r    Its nice to see giffgaff are working hard to keep these nasty little buggers 

from scamming us.

So well done to all involved in putting this all together

All the best Bob.Smiley Happy

 

Get a free giffgaff Sim
Message 8 of 77
by: alexmgg2
on: 13/08/2019 | 12:43

In the case of changing an email address, will the verification code be sent to the old address, the new address, or both? I can think of good reasons for each way of doing things.

If someones answer has helped you solve your problem, please consider setting it as Best answer, or leaving them Kudos points. Thanks!
Message 9 of 77
by: harrrrrry
on: 13/08/2019 | 12:43

@captainben 

 

I'm wondering how this will work in the fairly frequent case that a member needs a sim swap, but uses their phone as their email device and has not set up independent access to another device.

 

So:

 

  • the member cannot receive the code via text (because the phone is not working)
  • the member cannot receive the code via email (because their email can only be collected on the phone that is not working)
  • in some cases, the member cannot set up a new device to receive emails, because their email host has set up 2FA which requires receipt of a text that they cannot receive

What advice do we give in that case? "You should have thought of that before putting all your eggs in one basket" may be the correct answer, but isn't very helpful when given retrospectively (hence https://community.giffgaff.com/t5/Tips-Guides/Make-sure-you-have-independent-access-to-your-email/m-... but it needs to be done in advance).

 

Best I can think of is to report the sim as "lost or stolen" and get a special replacement by post, assuming that giffgaff has the correct address on record. But that's 3-5 working days which is rather a long time to be without emails, calls, texts, internet access (other than via wifi) and 2FA for the bank.

 

Get a free giffgaff Sim

Message 10 of 77