FOI request detail

Oyster Account accessed by other method of authentication than SMS

Request ID: FOI-3555-2324
Date published: 24 January 2024

You asked

The decision to introduce 2FA/MFA was made to add more security to the system (based on the document F1457 A1). My questions are: 1) Why was only the SMS method added, as it is one of the least secure methods out there? Yes, I read the document and the concerns about people without access to smartphones, but the same argument can be made for the lack of signal. 2) Are there plans to implement other methods like TOTP or FIDO? And if so, what would be the time-frame in which such an option would be given to the user? TOTP is a far more secure option than SMS (e.g. it is not prone to spoofing/SIM cloning) and works even if you don't have mobile signal. (Please don't implement "email-based MFA" as suggested in the document, as it would be a step backwards from a security perspective.) 3) Were the decision/implementation consulted on/checked by any security expert, as to which method is the best, most secure and easiest to implement?

We answered

TfL Ref: FOI-3555-2324

Thank you for your request received by Transport for London (TfL) on 5th January 2024 asking for information about Oyster account access authentication.
 
Your request has been considered in accordance with the requirements of the Freedom of Information Act and our information access policy. 

I can confirm that we hold the information you require. Your questions are answered in turn below:

Question 1) Why was only the SMS method added, as it is one of the least secure methods out there? Yes, I read the document and the concerns about people without access to smartphones, but the same argument can be made for the lack of signal.

Answer: We considered options for MFA implementation carefully and ensured that the service introduced is accessible to as many customers as possible by not implementing solutions that restrict access to smartphone users. Any UK or international mobile phone will be able to receive one-time passcodes. Whilst SMS is not the most secure type of MFA, it still offers huge advantages over not using any MFA at all, whilst remaining the most accessible authentication method for our customers.

Question 2) Are there plans to implement other methods like TOTP or FIDO? And if so, what would be the time-frame in which such an option would be given to the user? TOTP is a far more secure option than SMS (e.g. it is not prone to spoofing/SIM cloning) and works even if you don't have mobile signal. (Please don't implement "email-based MFA" as suggested in the document, as it would be a step backwards from a security perspective.)

Answer: We are committed to future enhancements to our online services and as part of this we will be considering whether additional authentication methods are introduced.  We are at the early stages of this feasibility work at present so we cannot confirm the timeframe for delivery.

Question 3) Were the decision/implementation consulted on/checked by any security expert, as to which method is the best, most secure and easiest to implement?

Answer: TfL’s dedicated cyber security team were involved in the delivery of SMS based MFA and will continue to be involved in future enhancements planned.

If this is not the information you are looking for please do not hesitate to contact me.

Please see the attached information sheet for details of your right to appeal as well as information on copyright and what to do if you would like to re-use any of the information we have disclosed.

Yours sincerely,

David Wells
FOI Case Officer
FOI Case Management Team
General Counsel
Transport for London
