FOI request detail

Oyster app password manager block reason

Request ID: FOI-1284-2223
Date published: 20 September 2022

You asked

Dear Transport for London,

My name is xxx and I live in London - I travel regularly using your services. I would like to use the Oyster and contactless mobile app (henceforth, "the app") to check my journey history on my phone. However, on both iPhone and Android the app has password manager detection - while the password can be saved to the phone's built-in password manager, attempting to fill from it results in the app deleting the entry automatically, making it difficult to log in; and implicitly encouraging the use of a password the user can remember (which is less secure). Password managers are encouraged by the National Cyber Security Centre; you can find their guidance here: https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/password-managers

Additionally, I have concerns that this may make the app less accessible, especially to users with memory or learning difficulties. Thus, I would like to know:

1. Why do you block password managers from filling the password field in the Oyster app?
2. Are your developers aware of the security risks this creates for users (specifically, of the guidance linked above from the National Cyber Security Centre)?
3. What risk assessment was performed when making the decision to block password managers? Please include any meeting notes or internal communications you have from this decision-making process.
4. What accessibility impact assessment was conducted when making this decision? Again, please include any meeting notes or internal communications you have from this decision-making process.
5. What options would I, as a service user, have to request a review of this design decision?

Thank you very much in advance for your time.

We answered

TfL Ref: FOI-1284-2223

Thank you for your request received by Transport for London (TfL) on 23rd August 2022 asking for information about the Oyster app password manager.

Your request has been considered in accordance with the requirements of the Freedom of Information Act and our information access policy.

I can confirm that we hold the information you require. Your questions are answered in turn below:

Question 1. Why do you block password managers from filling the password field in the Oyster app?

Answer: The Oyster and Contactless app has supported password managers in the past. However, a more recent release has unintentionally impacted the use of password managers. We will reinstate this functionality as part of a future app release.

Question 2. Are your developers aware of the security risks this creates for users (specifically, of the guidance linked above from the National Cyber Security Centre)?

Answer: Our developers are focused on improving the security of customer data and following guidance from the NCSC. Future app releases will deliver continued security improvements, with the next significant security updates expected in January 2023.

Question 3. What risk assessment was performed when making the decision to block password managers? Please include any meeting notes or internal communications you have from this decision-making process.

Answer: We have not made a decision to block password managers, and therefore there are no meeting notes or internal communications to share. We have identified a bug following an earlier app release and are working to resolve this as soon as possible.

Question 4. What accessibility impact assessment was conducted when making this decision? Again, please include any meeting notes or internal communications you have from this decision-making process.

Answer: As above, no such decision was made, and so no impact assessment was conducted. The issue will be investigated and resolved as soon as possible.

Question 5. What options would I, as a service user, have to request a review of this design decision?

Answer: As this was not a decision made there is no review of the design required. However, we are keen to hear feedback from our customers on any functionality that would be beneficial. These requests can be made via TfL Customer Service (https://tfl.gov.uk/help-and-contact/). Customer feedback is continually reviewed and fed into development roadmap plans for delivery.

If this is not the information you are looking for please do not hesitate to contact me.

Please see the attached information sheet for details of your right to appeal as well as information on copyright and what to do if you would like to re-use any of the information we have disclosed.

Yours sincerely,

David Wells
FOI Case Officer
FOI Case Management Team
General Counsel
Transport for London