2FA Google Authenticator for EE log in

JustinUK
Established Contributor

Just wondering if EE had plans to bring in 2FA through Google Authenticator or enable 3rd party hard tokens like Yubikeys - NOT SMS authentication.

 

Currently the weakest link is our mobile account, which is open to SIM number swap attacks.

 

Hope you can bring this in like most other companies/banks are doing at the moment.

50 REPLIES
Leanne_T
EE Community Support Team

Hi there @JustinUK 

 

Thanks for coming back to the community. 

 

If there are any changes to the way you log into your My EE account we will let you know.

 

To order a replacement SIM card within your My EE account you would need a PIN code that is sent to the phone. 

 

To stay safe online please see our Online security hints and tips Help page.

 

Thanks.

 

Leanne.

JustinUK
Established Contributor

Thanks for that, but what if I was to say I lost my phone, or worse, the missus calls up in a panic, baby crying in the background, and making out she lost her phone and needs the SIM stopped urgently? Much like this demonstration at DEFCON:

 

https://youtu.be/lc7scxvKQOo?t=33

Christopher_G
EE Community Support Team

Hi @JustinUK

 

We have strict security measures to protect your information. 

 

You can find more information on our privacy policy.

 

Chris

This is an extremely valid concern and the two replies received are completely unhelpful, suggesting that the respondents didn't properly understand the question.

 

My only hope is that perhaps corporate accounts have more serious measures in place.

JustinUK
Established Contributor

I don't have a corporate account, but even so I consider a personal account just as important when it comes to my own security.

Not good enough. Mobile devices are primary attack vectors, via multiple routes. 2FA is extremely simple to implement (I am a professional web developer).

 

Many people have their text message pop up even when the phone is locked. As such PINs are visible even on a locked phone.

 

Implementing a 2FA requirement will prevent the sidestepping as described above. My 2FA application also requires a PIN even when the phone is unlocked.

 

Looks like it's time to find a more secure provider.....

So, it turns out that EE sending 2FA via SMS is proving to be even less secure than the examples I provided previously.

 

https://arstechnica.com/information-technology/2021/10/company-that-routes-sms-for-all-major-us-carr...

 

This hack covers 300 carriers worldwide, almost certainly covering EE.

 

Any comment EE?

@Glitched You do know you can inform customer services to only take calls from the phone numbers that are on your account, so in other words, if someone else phones them and that number is not on your account, customer services will not deal with them.

You also password protect your account.

And does EE use 2FA by text?

And did you read the update in your link?

The part about personal data and no indication.

And does EE use 2FA?

Simply put, NO.

So EE isn’t certainly part of this 300, but why not just include them like you have because they are a phone network.

EE does a challenge / response via text message to the mobile for verification for some account actions.

 

Logging into your EE customer portal requires no authentication other than a password. This is quite frankly insane. Brute forcing, social engineering, looking at hack dumps, website exploits, are just some of the methods to gain entry to an account, especially accounts of those who are not so tech savvy, such as the elderly.

 

Also, SIM swap attacks have rendered SMS-based authentication pretty much useless. This attack vector is pretty much an industry standard.

 

Enabling 2FA via an authenticator app for account access and account changes is the more secure route. It should at least be an option, rather than outright ignored. Implementation of 2FA these days is fairly trivial.