Improve your account security with two-factor authentication

Enabling two-factor authentication (2FA) is definitely a smart move to secure your account. It's great that it makes receiving verification passcodes easier and more efficient.

Easy: With 2FA, suspicious login attempts trigger a passcode sent directly to you. If you don’t have 2FA set up, passcodes go to your email, but once enabled, you'll receive them instantly on your mobile, which is much more convenient.

Secure: Adding a verification phone number means anyone trying to access your account needs both your password and access to your phone. This extra layer of security ensures that even if someone knows your password, they can’t log in without your device.

Peace of mind: 2FA helps confirm that users are who they claim to be, giving you confidence that your account is protected from unauthorized access. It’s definitely worth setting up for the added security and peace of mind.

Thanks for the additional information, @rmb9 

I've sent you a private message. Please check your community inbox and get back to me when you have a moment.

James

I've noticed that the two-factor authentication set up on EE is using SMS only. So if my phone was stolen, I would not be able to log into my account. Why not give the option to send verification codes to my email as well? Or, as an alternative option to two-factor authentication, why not have a setting where I get a text everytime there is a log in to my account. So if there is anything suspicious happening I'll know about it. Also EE should make it that a verification code needs to be sent out before anyone can change my password etc, so a fraudster can't sign on and change things to lock me out. At the moment I will leave two-factor authentication disabled because of this.

I too would welcome a more robust implementation of MFA.

If only I could set up two-factor authentication to start with!  The problem still exists, when typing my mobile number in, I get to the penultimate digit and the system immediately moves on and does not let me enter the last digit of a regular UK 11-digit mobile number (including the leading 0).  I would have expected it to also access a number entered in the form of +447......... (ITU E.164 number format).

@James_B - everything went quiet in private messages after the @Katie_B passed the problem over to "the team".

BTW, I noticed that in the email notifications we receive for EE Community Subscriptions, the URL in the blue banner for "My EE" is my.ee.co.uk which results in an error as there is no DNS record for this FQDN.

Hi @rmb9,

Thanks for bringing this to our attention, I am sorry the issue is still happening. We are chasing our team for an update on this and will update you when we can.

Alex

Thank you for posting this @JordanTA  Yes, it's very wise to activate 2FA on all your accounts across the board.  I've done this where I can and the EE Community is the latest. 

However, I've just read an article where SMS 2FA isn't the best way of doing this and keep hearing it from other sources.  This is because it's breachable. 

Sadly there are some platforms like the EE Community that only offer SMS 2FA.  I have set it up but don't get prompted which I find odd.  I think it would be very prudent of EE to provide users with a choice of 2FA and even introduce Passkey which acts like a volt.  

I now suspect I have been a victim of a SIM swap as I tried, for example, to log onto my LinkedIn account.  When I was very new to 2FA I set up SMS and thought it would be ok.  Just the other day I tried to log on and was prompted with a field to enter a code.  No problem, that's how I set it up.  Unbeknown to me, emails were coming through from LinkedIn asking me to verify my account!  Meanwhile, I'm waiting for a number code to be sent to my phone.  I've reported this to LinkedIn who will hopefully get back to me soon.  I already lost my Insta account last year, not happy.

Please people, protect your accounts.  If the platform you're using offers more than SMS, take the other options!!  If it prompts you for a passkey security set-up, go for it!   Get onto YouTube to watch some amazing tutorials about passkeys

Stay safe.

I am also getting the problem where the mobile number entry doesn't let me enter the last digit on first entry, so I have to enter it again and second time is ok. I got the SMS but by then I have below error so I can't enter the code...

As my phone number is with EE so they know it, not sure why I have to enter manually in the first place and on settings I can't just select it without all the fuss.

I've tried several times, this is pretty bizarre behavior that implies something is really quite broken in the implementation. Am i eventually going to run out of login attempts or is that broken also? 2FA is important so this is frustrating.

Hi @bdb123 

Thanks for coming to the community. 

Have you tried using a different browser? 

If so and you get the same error message, please call us on 150 and the team will get the account looked into for you to see why this is happening and help you get 2FA set up. 

Leanne 🙂

The SMS to your phone is the weakest of all 2FA methods. Worst of all, EE set this without any warning, and will not remove it once set. The only option is to migrate away, which is what I will be doing.

@grahamn65 - I agree that SMS is the weakest of all 2FA methods - and I am still having problems entering a standard an 11-digit mobile number during the registration phase  (the EE system sends the SMS message after the 10th digital has been entered!).

However, my EE account is now secured using a Passkey.  EE's implementation of Passkeys still appears to be somewhat experimental (the pop-up says Fido2PasswordlessTest) but it does work.  I keep my Passkey in a password manager (Dashlane) so I only need one.  At some point I will test whether EE allows the creation of multiple Passkeys that can be associated with other Passkey vaults.

I would like to see EE's Passkey approach mature to the point where two other factor (e.g. SMS and email identity) are used in combination for account recovery.  A criminal would have to compromise both my email account as well as intercept the SMS message to threaten the security of my EE account.

It is a shame that we can't securely set up a divert in the network to have SMS messages delivered somewhere other than the device with the associated SIM.  Microsoft 365 has recently shifted away from using SMS where it identifies a WhatsApp account associated with the same phone number.  The SMS message informs the recipient to check their WhatsApp messages.  The (encrypted in transit)  WhatsApp message contains the one-time PIN.  For those that need to keep using OTP, this seems like a more secure compromise.