upstate-SC
Superuser
Status: Accepted

For changes to personal information (address, email address, payment information), send a temporary code to the registered email address. This adds another layer of protection from hackers/scammers.

Also, two-factor authentication could be included for login in a web browser on laptops.

Mobile apps are secure with biometric authentication, so they cannot be accessed without the consent of the account owner in most cases.

Hope Visible takes steps to fix this major vulnerability. Until then 🙂

42 Comments
Anonymous
Not applicable

I have been reading up on 2FA and I do use it in a few places, credit card for one. Usually when it is needed it is because I haven't signed in for a while, I have made changes, or I am signing in from a new device. It asks me how I want it sent, but that doesn't appear to be the case here. I have not set it up because of the text only, and I think it should be a choice to have it sent to one or the other or even automatically sent to both. If I set it up, my luck would be that I would lose service and be locked out of my account because I couldn't verify who I am if it happened to lock me out on the website on my laptop also. How would I be able to verify it is me without phone service and with it being sent only by text? Visible has to figure this into the worst case scenario and add authentication by email also.

RyanBlakeIT
Superuser

This happened to me before, 2FA was enabled on my account and I wasn't receiving text messages (having issues with my service).  I ended up having to open a chat with support, wait in the queue for a while, they validated me by e-mailing me a code/link, and then they had to submit an offline ticket.  About 24 hours later, they were able to temporarily disable 2FA so I could get into my account so I could reprovision my eSIM.  This is all without service during that 24 hour period.

This is *not* the solution, there needs to be a self-service way to get 2FA through e-mail (at the least), if not additionally having the option to use a TOTP code through an app like Authy.  This would allow 3 ways to authenticate and would allow for 2 MFA requests for more risky requests (such as issuing a new eSIM through self-service).
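
Added example, not part of the post above and not Visible's code: a standard-library sketch of the TOTP option the post asks for (RFC 6238, with drift tolerance and replay rejection), plus a step-up check that demands two distinct factors for a risky action such as eSIM issuance. The `REQUIRED_FACTORS` policy, the action names and the key are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1) for the time step that contains `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret, submitted, at, last_used_step=-1, window=1, step=30):
    """Return the matched time step, or None if the code is rejected.

    Tolerates +/- `window` steps of clock drift and refuses any step at or
    before `last_used_step`, so a captured code cannot be replayed.
    """
    current = int(at) // step
    for s in range(current - window, current + window + 1):
        if s <= last_used_step:
            continue
        if hmac.compare_digest(totp(secret, s * step, step), submitted):
            return s
    return None

# Hypothetical policy: factors the account holder can enrol, and how many
# distinct ones each action needs. Action names are illustrative only.
FACTORS = {"sms", "email", "totp"}
REQUIRED_FACTORS = {"login": 1, "change_email": 1, "issue_esim": 2}

def action_allowed(action: str, verified: set) -> bool:
    """Step-up check: risky actions need two different verified factors."""
    return len(verified & FACTORS) >= REQUIRED_FACTORS[action]

if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 6238 test key, not a real secret
    step_used = verify_totp(key, totp(key, 59), at=59)
    print("accepted step:", step_used)
    print("replay:", verify_totp(key, "287082", at=59, last_used_step=step_used))
    # No cellular service: email + TOTP still satisfy the eSIM step-up.
    print("eSIM reissue:", action_allowed("issue_esim", {"email", "totp"}))
```

The server stores the last accepted step per user and passes it back as `last_used_step` on the next attempt.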

DavidN
Novice

I had the misfortune of attempting to upgrade my service today (totally forgot how 2FA would impact that. Thanks Visible). I am now without service as I have to authenticate with SMS, which I can’t do due to my service being temporarily disabled during the migration process. This has resulted in me having to contact support. From what it seems they don’t have the access/tools necessary to temporarily disable 2FA for me to complete activation. Supposedly the contact informed me it shouldn’t take longer than a few hours tops, but we’ll see. In short this further emphasizes comments from others that there HAS to be a 2nd method for 2FA. TOTP is the best from a security standpoint, followed by phone and email. Even just having the ability to set up another phone number would be better than nothing. If I remember to, I’ll update my journey once my problem is resolved.

Update

It took about 4 hours to receive an email that my 2FA had been temporarily disabled for 24 hours. Once disabled I was able to finish the steps needed for me to complete my activation. If anyone else is planning to update their service I would suggest reaching out to support first to have 2FA temporarily disabled, to avoid any service disruption. Hopefully when 2FA is fully rolled out Visible will have a better solution.

Visibilities
Novice II

Single most urgent feature Visible needs to implement - standard everywhere else and must be here too.

william7778
Novice

That would be nice but how else would they ruin your life with just your email to verify it’s you lol.

Visible ruined my life and will yours. DO NOT SIGN UP WITH THIS COMPANY. I am homeless because of 2 step verification using the number they provided. Plus the email associated with my account was hacked and Visible ONLY USES YOUR EMAIL TO VERIFY IT’S YOU. They don’t use anything important like a pass key or your birthdate and not even your social security number. I AM HOMELESS BECAUSE OF THIS AND STARTING MY LIFE ALL OVER AGAIN.

VisibleAnyone
Novice II

SMS for 2FA should not be the only method.

Here are a few key reasons:

  1. SMS can be intercepted: SMS messages are sent over unencrypted channels, which means they can potentially be intercepted and read by hackers. This is especially true if the user's phone is connected to an unsecured public Wi-Fi network. Authentication apps and security keys, on the other hand, use encryption to protect the data being transmitted, making them a more secure option.

  2. SMS can be spoofed: It is possible for hackers to spoof a phone number and send a fake SMS message that appears to come from a legitimate source. This can trick the user into providing their login credentials or other sensitive information. Authentication apps and security keys provide a higher level of security because they require physical access to the device, making it much more difficult for hackers to spoof the authentication process.

  3. Authentication apps and security keys are more convenient: With an authentication app or security key, users don't need to rely on a cellular signal or worry about running out of battery life on their phone. Authentication apps can be installed on a variety of devices, including smartphones, tablets, and laptops, while security keys can be easily carried on a keychain or in a pocket.

  4. Authentication apps and security keys offer better protection against phishing attacks: Phishing attacks are a common tactic used by hackers to steal login credentials. These attacks often involve sending the user to a fake login page that looks like the real thing, but is actually a fraudulent site designed to steal the user's information. Authentication apps and security keys can help protect against these types of attacks by providing a more secure method of authentication that is not vulnerable to phishing.

Overall, while SMS can be a convenient option for two-factor authentication, using an authentication app or security key provides a higher level of security and protection against various types of attacks.

Anonymous
Not applicable

I was just forced to sign up for 2FA. I signed into my account today and it asked me to set up 2FA and I didn't want to yet and there is no way around it. I know it helps secure my account but we need an email being sent besides texts if we lose service but that has not been fixed. I already read on the Visible subreddit there has been one reported that isn't getting the SMS text for the code.

It makes no sense that I can get an automated email and text verification that I set up 2FA on my account but I can't be sent the 2FA code automatically by email.

When is email notification with the code going to be set up? This really needs to be added.

Edit: Why am I asked to enter a code every time I sign in? This is not how 2FA works on accounts I have set up elsewhere. I am only asked to enter the code if signing in on a new device or making changes to my account. I have signed in on one tab and opened forums in another; if I need to look something up to answer someone's question I need to access Visible's website, and of course to do that my sign on page comes up and I have to sign in, and if a certain amount of time lapses I have to sign in again, but now I have to enter a code every time I log in. This needs to be addressed. Out of the 6 or 8 places that I use 2FA this is the only one that asks for a code every time. I have had I think one that if I don't sign in for a few months then it asks for verification.

It would really be nice if you worked the bugs out of these things you add on before implementing them or forcing us to use them.

jcp
Novice

This is an extremely botched attempt at 2FA.

Couple of things:

1. 2FA should not be mandatory, it should be an option and up to the user.

2. Even IF (BIG IF) 2FA is wanted, SMS should not be the only way to receive codes. Email/Apps should be an option to receive the codes.

Extremely poor attempt Visible. Extremely poor.

TelZone
Novice

Totally agree with jcp. This should not be mandatory and absolutely needs other forms of verification, due to the poor record of IT at Visible in addition to the issue with a temporarily disconnected number. Often, I pay for a family member's account when they are not currently at my office or at home. It's a pain and sometimes impossible to reach them to verify a code.

Get your act together, Visible. This may be a deal breaker for many.

jonnwarne
Novice

Thanks for sharing it,