upstate-SC
Superuser
Superuser
Status: Accepted

For change in personal information (address, email address, payment information) send a temporary code to email address registered. This adds another layer of protection from hackers/ scammers.

 

Also two factor authentication could be included for login in web browser on laptops.

Mobile apps are secure with biometric authentication. So it cannot be accessed without the consent of the account owner in most cases.

 

Hope Visible takes step in fixing this major vulnerability. Until then 🙂

42 Comments
upstate-SC
Superuser
Superuser

Yes, if they send 2FA codes to both email and SMS at the same time we can use one or the other.

ZipperDrive
Novice III

There's also a bug with Visible's verification system where I have never received an OTP or verification link via text message for customer service, esim transfer, etc. I've always had to rely on the email. And it's pretty clear that I'm not the only one who has this problem. Lately, the website has been very glitchy for some folks, such as logging in errors, 502 messages, billing/autopay issues, to the point where I can't trust this MFA feature.

Don't want to get locked out of my account and sit in chat for a couple hours with reps who may or may not fix the problem because Visible can't get it together.

markoola
Novice

yes our accounts needs 2fa.

 

visible is opening itself up to many legal issues by not allowing 2fa 

upstate-SC
Superuser
Superuser

Could you please implement the option to receive the OTP code in email as well. 

Either send the code to both registered email and through SMS or provide the customer the ability to choose which way they want to get the OTP.

upstate-SC
Superuser
Superuser

Imagine a scenario where a customer missed a payment and want to pay through website. When the customer logs into the website and then it asks for OTP sent to the mobile number (for the mobile number the service is stopped)

 

How will the customer can login to the account and pay for the service, in this scenario.

@DS-VisibleMgr 

RyanBlakeIT
Superuser
Superuser

Very good point, @upstate-SC, I didn't even think about the payment aspect.  That would be awful, adding insult to injury.

 

I have ran into the issue multiple times where SMS stops working on my phone.  Can't log in to the portal to get support (or redo the eSIM) and can't get the code from the support team because, well, SMS is broken.  Instead I have to join the chat and wait for help from someone while clicking the "I'm here" button in the chat every 10 minutes until someone does join.  Finally get someone on the line and guess what?  They have to escalate it!  Gonna be another day or two...without SMS.  I highly doubt I'm the only person that has ever had this happen to them.

 

So to come at this with a solution to the above problem:
1. Add the option for TOTP that work with apps like Authy and Google Authenticator as this will work whether SMS (or e-mail) works or not.
2. Do what upstate-SC said and send both a SMS and an e-mail at the same time as either a second level authentication for certain changes (such as setting up a new eSIM) or as an alternative to the first option.

 

The great thing about TOTP is that even if your phone service stops working, it will still work on your phone and the alternating passwords are secured on a chip on your phone (encrypted).  It's a standard used by many companies for secure access to resources.

 

upstate-SC
Superuser
Superuser

@RyanBlakeIT  Thank you for your inputs. TOTP apps are better from security standpoint. But if I think me as a common man, these TOTP apps are too much overwhelming. We already have email registered with Visible. Email route is low hanging fruit in my opinion and easily achieved. We are already accustomed to get OTPs from financial institutions and other online websites.

RyanBlakeIT
Superuser
Superuser

@upstate-SC - I should've explained my logic a little more.  When I tried to get an eSIM, they required two methods of validation and since the only two that are offered is SMS and e-mail, they couldn't do it.  So then they had to escalate and I had to wait hours to get my SMS working (I think it was at least 24 hours total).  I was just saying this to suggest that there would be a third option.

With that said, admittedly after many years of working in IT leadership in a heavily regulated industry where security isn't an option (it's a requirement), I do sometimes forget about how things can be complicated like with TOTP for a typical end-user.  I know some of my family members can be quite frustrated with technology!  After all, I'm their "IT Support" and they are typical end-users. 🙂

tl;dr - My apologies for my oversight, I think at least adding e-mail would be great as you mentioned, but having TOTP as a 3rd option would be nice, too.

phylament
Novice II

It would be nice of they sent it to registered email as well. I am getting a replacement SIM which deactivated the faulty original SIM. This means no texts and unable to access account now because can't authenticate. Hopefully the new SIM will be able to be activated without entering a 6 digit code.

ZipperDrive
Novice III

If you are encountering a sudden loss of service and need to reprovision the SIM, you may need to re-login to the mobile app. During this step, without functional service, you will be unable to get the 2FA code. There needs to be an alternative 2FA method such as TOTP, FIDO2 Security Key, or worse, Email to complement the SMS OTP.