Saturday, 21 May 2016

Vodafone and two factor authentication

Vodafone has two factor authentication for logging in to "My Account". I have to supply a username and a password. Then they text a six digit code to my phone, which I type in, and that's the second factor. How could this go wrong?

It starts off with A) we have four phone numbers with them; my phone, ladysolly's phone, ladysolly's iPad and ladysolly's iPad mini. B) the account is in her name, she set it up. C) I do all the tech stuff, including printing out our monthly bill for our records.

So yesterday, I got the email telling me my monthly bill is ready. I went to their web site, gave it my username and password as usual. But usually, it offers me four phone numbers to text the six digit code; this time, it only had one, and it wasn't mine. It was ladysolly's.

So I phoned Vodafone, and explained the problem. "I'll have to put you through a security check first," said John. That fell at the first hurdle. "What is the name of the account owner?" I gave ladysolly's name. "I need to speak to her."

I told him that I was her, but he didn't believe me, which is, of course, transphobia, and probably illegal. But he wouldn't budge. I took my phone to her to do the necessary, but she was asleep, and I'm not going to wake her up for something so silly, and I told John that.

So, impasse.

Then he suggested that I give him our Vodafone PIN, and I did, and he was happy with that.

He looked at our account, and decided to give me a new username and password, which after a couple of attempts, worked. Then I was able to log on, and as the second factor authentication, it offered me a choice of five phone numbers. Five? One of the numbers offered, isn't one of ours. I know this, because I just checked our bill.

I'll call them and see what they have to say.

... later ...

This time, they believed me when I said I was ladysolly. He sounded a bit surprised, but he didn't actually call me a liar! So I answered all the "security" questions correctly, which turned out to by ladysolly's date of birth, and our address, neither of which are a big secret. Then I gave him our pin code, which he said was wrong.  It turns out that when they changed my login, that invalidated the pin code. So we set up a new pin code.

He also set up a new login for me. I tried it, it didn't work.

After the fifth email with yet another login, he told me that "online access was being updated" and that's why I couldn't log in. I flatly don't believe this, but I didn't tell hom that. He suggested that I restart my browser; I offered to use Chrome instead, but he said that wouldn't work, because Chrome doesn't allow flash. He was wrong. Chrome does allow flash, and I was able to log in. And when I logged in, it offered me the phone number for the two factor authentication, and we were back to it offering only one phone number, which wasn't mine, it was ladysolly's.

At that point, I think he gave up, said he'd escalate the problem, and that I should expect it to take five days. And I bet my PIN code is wrong again.

Fortunately, I don't actually need to log in to My Vodafone right now.

One word, rhymes with "anchors".

1 comment: