FOI request detail

Decisions about logging into Oyster Account using 2FA and Captcha

Request ID: FOI-0871-2324
Date published: 18 July 2023

You asked

Dear Transport for London,

1) Why have TfL still kept a Captcha login system in place on the online Oyster accounts, now that the multi factor authentication [2FA] is in place? Surely it is no longer needed as a mobile number is needed to complete login.
2) Please provide a copy of any written decisions that were made to continue using the Captcha even once the 2FA was in place
3) Please provide a copy of any written decisions that were made to only allow 2FA by mobile phone and not by using an authenticator app.
4) If points 2 and 3 above do not produce any written decisions, please provide a copy of any emails sent by TfL staff that contain the words "captcha"

Please treat each point as a separate FOI request,

We answered

TfL Ref: 0871-2324

Thank you for your request received by Transport for London (TfL) on 20 June 2023 asking for information about Oyster account login.

Your request has been considered in accordance with the requirements of the Freedom of Information Act and our information access policy. I can confirm that we hold the information you require. Your questions and our replies are as follows:

 
  1. Why have TfL still kept a Captcha login system in place on the online Oyster accounts, now that the multi factor authentication [2FA] is in place? Surely it is no longer needed as a mobile number is needed to complete login.
Following the implementation of Multi Factor Authentication (MFA) on 15 May, TfL will be removing the Captcha solution established in 2019. We are continuing to encourage our customers to update their accounts. Captcha is being retained whilst the new service beds in and we expect to remove it by 31 August 2023 provided that the service continues to work well.
 
  2. Please provide a copy of any written decisions that were made to continue using the Captcha even once the 2FA was in place
Please see attached two emails on the lead up to launch of MFA and through the early life support period until project closure (expected end of July).  We will review the number of customers that have updated their accounts to use MFA as part of a decision to remove Captcha. 
 
  3. Please provide a copy of any written decisions that were made to only allow 2FA by mobile phone and not by using an authenticator app.
Please see attached the Equality Impact Assessment completed which outlines our rationale for SMS. 

Please note that in accordance with TfL’s obligations under Data Protection legislation some personal data has been removed, as required by section 40(2) of the FOI Act. This is because disclosure of this personal data would be a breach of the legislation, specifically the first principle which requires all processing of personal data to be fair and lawful. It would not be fair to disclose this personal information when the individuals have no expectation it would be disclosed and TfL has not satisfied one of the conditions which would make the processing ‘fair’.

 
  4. If points 2 and 3 above do not produce any written decisions, please provide a copy of any emails sent by TfL staff that contain the words "captcha"
We consider that we have covered the questions you asked in points 2 and 3 with the attachments provided. Please note that it is likely that also answering point 4 of your request may exceed the cost limit under FOI. The broad nature of this question and the lack of any timeframe means any attempt to find the information within the scope of your request would need to cover the entirety of TfL’s existence, and any information held in relation to our predecessor bodies.

If this is not the information you are looking for, or if you are unable to access it for any reason, please do not hesitate to contact me.

Please see the attached information sheet for details of your right to appeal as well as information on copyright and what to do if you would like to re-use any of the information we have disclosed.

Yours sincerely


Sara Thomas
FOI Case Management Team
General Counsel
Transport for London
