A day before I get on my flight, the airline texts me with my boarding pass.
Well, no. They text me with a link to get my boarding pass. But to demonstrate that I’m really me (??? Or something?) I first have to get a code texted to me to prove that I’m myself (or something?), so I get this six-digit number texted to me which I must then memorize and (within 5 minutes, because it will expire and then I’ll need to go through this process again) enter into my cell phone before I will be permitted to hit the box that opens my boarding pass.
BUT they obviously have my cell phone number to begin this process with. Doesn’t that prove I’m me? No one else has my cell phone number. The airline already knows I’m me.
This process was even longer than my summary makes it, because (foolishly?) I checked off the box asking if I wanted to go through this process as a member (which I am) of their points program, so I thought why not, only to find that I then had to input my membership number AND my password, so I had to look up what those things were, and THEN I had to input my password twice with a masking that hid the actual number from me (and of course I inputted one letter in lower-case rather than upper case, so I had to do this twice as well). They set up the mechanism for taking off the password-masking so that I had to hold down on the ‘no-mask’ icon the whole time—otherwise it would revert to dots instead of numbers and letters. Mind you, this was to keep my password hidden from prying eyes even though I was alone in my house and had no need whatsoever for hiding my password. The whole thing ended up taking about ten frustrating minutes to complete.
But as I stated above—they already had my cell phone number in order to begin the process. Why isn’t having my cell phone number all the security anyone would ever need? What, they think maybe someone has stolen my cell phone and I have no security on it and I didn’t report it stolen on the exact day I’m getting my boarding pass? So someone will steal my boarding pass, go to the airport to get on my flight, and if I show up at the airport to explain why I couldn’t get my boarding pass (because I just had my cell phone stolen), it will be an impossible quandary for them to straighten out whether I with my wallet full of ID am the real me and the cell-phone thief flying to my destination is not me?
Someone decided that two-factor authentication was required. Financial institutions have been doing it for years. Scammers can fake the phone number they are calling from and make it look like they are calling from your phone. This practice is known as caller ID spoofing.
Okay, I can understand 2-factor authentication (sometimes–most of the time it makes no sense to me, as here) but in this particular application? This isn’t me (or a spoofer) calling them, it’s them calling me.
Specifically, to send me a boarding pass 24 hours before my flight leaves. What exactly are they preventing? Some spoofer who decides to steal my boarding pass to fly to Fuckbuck, North Dakota on 24 hours notice? It makes no sense to me. If I don’t get a boarding pass, I’m still going to show up early at the airline counter and ask them to print one up for me, and if they say someone has already checked in with my boarding pass I’m going to raise a stink which will probably get that person arrested for theft, no? What’s stopping the airline from simply emailing me the boarding pass right out of the box?
It’s just garden variety incompetence and lack of fucks given. There’s probably one department or team that works on the boarding pass system, another that works on the website login, a third that works on the 2FA, a fourth that works on the notifications system… and nobody who bothered to integrate them all neatly, or had sufficient oversight of the whole process to say “this is annoying for our users”. It’s what happens in modern, assembly line style software development. You just do your part and pass it down the line and the rest isn’t your problem. It’s a hodgepodge of shoddy workmanship, so common in most software today.
FWIW, on the major American airlines, if you just download their app and turn off SMS notifications, usually your boarding pass will just be in the app. And notifications will go through it too and not require a bunch of additional sign ins.
There are a lot of rare but possible reasons someone else gets that text:
the phone number in the system is incorrect
you changed phone numbers
someone else, for example a spouse, used your phone and saw the message
someone else has access to your messages, for example an ex-
the text was routed incorrectly in one of the 190 countries of the world
I imagine the first two cases affect some number of customers each week.
They want to authenticate you before giving out the boarding pass. It prevents all the cases above, and maybe satisfies some regulation, with little effort on their part. As said, it has the side effect of encouraging people to install their app.
I have the apps for most of the domestic carriers and, yes, you can check in and get the boarding pass in the app within 24 hours of the scheduled departure.
… or no one has metrics that indicate that this issue is costing them sales or retention. If it’s annoying but people keep coming back, then it can take a huge effort to convince anyone with $$ to change it.
So I’m on the laptop, using some site, and they want to send me a text with a code. Fine. The text comes in, on the laptop as well as the phone, and the laptop automatically transfers it to the website. I don’t have to type anything.
Isn’t that defeating 2FA? If someone stole my laptop, the 2FA does nothing. Seems like a security hole.
If your laptop is getting texts, it’s probably because of iMessage or a similar integration? In that case, you should report the laptop as lost/stolen with the relevant cloud provider so it can be locked down or wiped, and deregistered from your account so it doesn’t get your texts.
Normally 2FA is in addition to your password anyway. If someone has access to your 2FA codes but not your password, they still shouldn’t be able to log in to your account.
And if someone is stealing the laptop straight from your lap during the few minutes you’re trying to log in there… well, you have bigger issues. Punch them, or at least close the screen so it locks.
But in the OP’s example, none of that is prevented. The only somewhat reasonable explanation for the entire “two texts to the same number” thing is if you are worried that an attacker could just make guesses at what a valid link to a boarding pass is and systematically try them until he gets lucky. Only in that case does it make sense to ask for a code sent by text.
Now, if the link to the boarding pass and the code were to be transmitted on separate channels - for example email and text - then it would make some sense as a form of identification.
At least it’s just an inconvenience. Think about how many software systems just don’t work at all. It’s considered acceptable for a major airline to lose millions of dollars in revenue because trying to book a ticket just leads to a mysterious error page for 60 minutes at a time.
Imagine if anything else worked the way software developer culture does. Oops, the wings fell off the plane. “Error: wings not found,” deal with it. No one will be fired or held accountable, keep paying us six-figure salaries…
Heh, they started at least one car company with that same philosophy. Then of course applied the same philosophy to the federal government. “Move fast and break things” is a standard religion now. And now the entire economy is on the verge of being swallowed by a whole bunch of “eh, it’s kinda crap, but let’s release it anyway and see what happens” chatbots.
Except now the salaries are probably seven figures… for the few humans left with jobs.
“If builders built buildings the way programmers write programs, the first woodpecker to come along would destroy civilization.”
I’ve seen very little during my 41+ years in IT to contradict the above. If not developer incompetence/carelessness, it’s pressure from above to get whatever it is out the door.
The link that they text you isn’t an authentication method. Yes, it’s sent to your phone. It’s probably also sent to your email. Maybe it’s just a static URL + your confirmation number, mildly encoded. It never expires.
Someone having that link doesn’t mean anything. The code they text you is time sensitive, so that actually means something. It means you had your phone on you within 5 minutes of logging in.
The thing is, building software is HARD. Large software systems are by many orders of magnitude the most complex things ever built by humans. Engineering disciplines to build error-free software simply don’t exist. Civil engineering has had several centuries to mature, and sometimes mistakes still happen. Software engineering was in its infancy when I started working in the 1970s, and it’s still in its infancy today. It’s improving, but we can’t just stop writing software until we have better methods, nor can we delay releasing software until it’s provably error-free, which would result in every piece of software taking decades to produce. There are certainly cases of incompetence or even malice in producing software, but the vast majority of bugs and misdesigns are simply because tools for producing error-free systems of such staggering complexity just don’t exist.
Software doesn’t have to be perfect to be more user friendly, though. More often than not, it’s just a tradeoff that companies make. They prioritize cost, or the appearance of security, over the user experience and ease of use. That’s a choice, not an inherently unsolvable part of coding.
In this case, the boarding pass could definitely have been emailed directly (many carriers do that). The text message can embed a timed 2FA code in the URL, so that if the user opens the link within 15 minutes or whatever, it doesn’t ask for another code.
The membership / mileage association could happen after login. The password field could’ve been a static hide/show toggle instead of hold to see.
The simplest thing to do probably would’ve just been to text them “check your email for the boarding pass”. That email could contain both the boarding pass as a PDF and a magic link to their account, bypassing the password and 2FA if it’s opened relatively soon.
Those and other techniques for easing logins are entirely possible, they’re just very rarely prioritized. It’s not a revenue generator. It can be a security risk. It takes design work and testing. Therefore, it’s tradeoffs many companies don’t want to make…
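Added example, not code from any poster or from an airline: it puts side by side the two link designs the thread contrasts. The first is the "static URL plus confirmation number, mildly encoded" pattern (it never expires, and the encoding is trivially reversible, so holding the link proves nothing). The second is the "timed code embedded in the URL" idea: the server signs the confirmation number together with an expiry time, so the link can only be minted by the server, cannot be altered, and stops working after the window. The hostname, key, and 15-minute window are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed for this example; a real service would load the key from a secret store.
SERVER_KEY = secrets.token_bytes(32)
BASE_URL = "https://airline.example/boarding-pass"   # hypothetical hostname
LINK_TTL_SECONDS = 15 * 60                         # the "15 minutes or whatever" from the post


def static_link(confirmation: str) -> str:
    """The weak pattern: fixed URL + confirmation number, 'mildly encoded'.
    Nothing here is secret or time-bound, so the link is not authentication."""
    encoded = base64.urlsafe_b64encode(confirmation.encode()).decode()
    return f"{BASE_URL}?ref={encoded}"


def confirmation_from_static_link(url: str) -> str:
    """Anyone holding the link can undo the encoding; it proves no possession of anything."""
    ref = parse_qs(urlparse(url).query)["ref"][0]
    return base64.urlsafe_b64decode(ref).decode()


def _sign(confirmation: str, expires: int) -> str:
    """HMAC over both the confirmation number and the expiry, so neither can be changed."""
    msg = f"{confirmation}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def timed_link(confirmation: str, now: Optional[float] = None) -> str:
    """The improvement the thread proposes: a server-signed, time-limited token in the URL,
    so opening the link promptly needs no second code."""
    expires = int(now if now is not None else time.time()) + LINK_TTL_SECONDS
    query = urlencode({"ref": confirmation, "exp": expires,
                       "sig": _sign(confirmation, expires)})
    return f"{BASE_URL}?{query}"


def verify_timed_link(url: str, now: Optional[float] = None) -> Optional[str]:
    """Return the confirmation number if the link is genuine and unexpired, else None."""
    now = now if now is not None else time.time()
    q = parse_qs(urlparse(url).query)
    try:
        confirmation, expires, sig = q["ref"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return None                      # malformed or missing fields
    if now >= expires:
        return None                      # outside the window: ask for a fresh code instead
    if not hmac.compare_digest(sig, _sign(confirmation, expires)):
        return None                      # forged link, or ref/exp edited after signing
    return confirmation


if __name__ == "__main__":
    link = timed_link("ABC123")
    print("static :", static_link("ABC123"))
    print("timed  :", link)
    print("verify :", verify_timed_link(link))
```

The expiry check comes before the signature check only so that an expired link fails fast; both must pass. Because `exp` is inside the signed message, stretching the window by editing the URL invalidates the signature, and `hmac.compare_digest` keeps the comparison constant-time.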