Anyone else had Sonic automatically opt you into 2FA and fail to verify it?

by ojhunt » Wed Aug 14, 2024 2:52 am
Just got email saying my CC was expiring, and I had to sign in in order to update it.

So I went to do so, only to discover Sonic had enabled 2FA on my account without doing, you know, basic verification that it works.

As a result I can't sign in to my own account, because of a poorly implemented security feature.

I have never encountered a situation where any organization thought that it was acceptable to enable 2FA without verification, and the idea that something like a service provider would do so is appalling, especially when they don't offer a 24 hour phone line I can call and provide answers to the standard easily google-able and repeatedly leaked information that every other company asks.

In what world is "I am literally replying to the billing email you sent me as the account owner" a less accurate indicator of my identity than "what is your dog's name? what is your spouse's name? what is a pile of other things that literally everyone can find at this point?".

Also to add to the absolute idiocy of this: I was able to sign into the forums with my non-trivial random password without a problem.
by jerrielm » Wed Aug 14, 2024 7:36 am
Hello!

I am sorry if you were not expecting the 2FA when signing into member tools. Sadly, due to security concerns, 2FA needed to be added without giving our customers an update about this.

I am not sure what you mean by we failed to get verification. Any verification we have already done before this point, and if the information was incorrect, there was not much we could do about that without customer interaction.

While we cannot offer 24-hour support, we do offer support during our regular business hours. You can reach them at 1-855-394-0100 8am-10pm 7 days a week.

Let me know if you have any other questions.

Best Wishes!
by hanlond » Wed Oct 09, 2024 11:20 am
.
by joeyyung911 » Wed Oct 09, 2024 1:38 pm
I checked my two Sonic accounts, don't remember if it was automatically enabled or not, but I was able to get in with my phone number on one of my accounts. The other, text was the only option. The text wasn't received immediately, so I clicked to send multiple times. The 3rd text has the same code as the first, WTF!!
Excelsior, Sonic Fiber
by drew.phillips » Thu Oct 10, 2024 1:11 pm
joeyyung911 wrote: Wed Oct 09, 2024 1:38 pm
I checked my two Sonic accounts, don't remember if it was automatically enabled or not, but I was able to get in with my phone number on one of my accounts. The other, text was the only option. The text wasn't received immediately, so I clicked to send multiple times. The 3rd text has the same code as the first, WTF!!
Hi,

Thanks for bringing that up. The behavior you observed there was that Member Tools would resend the same code for SMS if you had already requested one in that login session instead of generating a new one. The codes sent are only usable within your browser session and cannot be used by someone else.

To avoid confusion and any security issues, this has been changed. Now, if you request another SMS code, it'll generate a new one every time.
Drew Phillips
Programmer / System Operations, Sonic.net
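Added example, not part of the thread and not Sonic's code: a sketch of the behaviour described in the post above, where every resend generates a new SMS code and a code is only accepted in the login session that requested it. The class name, session identifiers, code lifetime and attempt limit are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300      # assumed code lifetime in seconds
MAX_ATTEMPTS = 5    # assumed number of guesses allowed per code


class SmsCodeStore:
    """Hypothetical server-side store holding one live code per login session."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        # session_id -> [salt, digest, expires_at, attempts_left]
        self._pending = {}

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, session_id):
        """Generate a fresh code; a resend replaces the earlier code."""
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        # Keep a salted digest rather than the code itself.
        self._pending[session_id] = [salt, self._digest(salt, code),
                                     self._clock() + CODE_TTL, MAX_ATTEMPTS]
        return code  # passed to the SMS gateway

    def verify(self, session_id, code):
        """Accept a code once, before expiry, in the session that requested it."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False  # no code was requested in this session
        salt, digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[session_id]
            return False
        entry[3] -= 1  # count this guess against the limit
        if hmac.compare_digest(digest, self._digest(salt, code)):
            del self._pending[session_id]  # single use
            return True
        return False
```

Because `issue` overwrites the session's entry, a code from an earlier text stops working as soon as another one is requested, so a user who clicks resend several times has to enter the most recent code.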
by ngufra » Fri Oct 11, 2024 9:06 am
See viewtopic.php?t=18023 for some background on the topic.
by oddhack » Mon Oct 21, 2024 3:40 am
ojhunt wrote: Wed Aug 14, 2024 2:52 am
In what world is "I am literally replying to the billing email you sent me as the account owner" a less accurate indicator of my identity than "what is your dog's name? what is your spouse's name? what is a pile of other things that literally everyone can find at this point?".
Don't treat them as queries for actual information about you. Treat them as weird prompts for secondary passwords you generate.