Freedom Mobile implements two-factor authentication on desktop, mobile sites

The security update comes months after a hacker uncovered a Freedom Mobile customer login vulnerability

Freedom Mobile

Freedom Mobile has confirmed that it has implemented two-factor authentication on both its desktop and mobile sites.

“We are always looking at ways to improve safety and security for our customers and can confirm that two-factor authentication has been enabled for Freedom Mobile customers,” said a Freedom Mobile spokesperson in an email to MobileSyrup.

Reports from customers emerged earlier this week on Reddit and Twitter that Freedom Mobile’s website now requires subscribers to login into their accounts using two-factor authentication.

“I should mention, it forced me to set it up after login with no option to skip it,” said Ivan Z, in an April 24th, 2018 tweet.

Ivan Z also said they were given the choice to receive a security code through email or text message.

Reddit user Voyager98 said that once users select a method to receive a security code, they’re prompted to input the full details of the phone number or email that’s selected.

“You get a text immediately and you can log on,” wrote Voyager98, in an April 23rd, 2018 comment.

Voyager98 said that subscribers are also able to enable trusted devices.

It should be mentioned that while Voyager98 said that they received a security code immediately, other users like Taliosfalcon said that it took “over 20 minutes to an SMS [with] a code.”

Freedom Mobile’s implementation of two-factor authentication comes months after hacker NullHumanity uncovered a login vulnerability that allowed malicious actors to brute force their way past the website’s phone number/PIN number login mechanism.

“A phone number is predictable and a 4-digit PIN isn’t’ secure,” said NullHumanity, in a previous email interview with MobileSyrup. “Figuring out matching sets can be automated easily.”

Two-factor authentication is intended to serve as an added layer of security beyond the classic username/password combination.

Since two-factor authentication requires users to submit a uniquely generated passkey during every login attempt, it’s also difficult to spoof security keys.

Source: Reddit, Twitter