Bad Implementation of Two Factor Authentication?

The current implementation of 2FA seems to be seriously flawed.

If I am logged out of the app I do not receive notifications so cannot log in to the website.

I am also then unable to login to the app to get the notifications because the app wants to send a notification to my “other mobile phone” which I don’t actually have, so haven’t set up!

Yes, I have enabled all the notification permissions, so there should be no reason for this failure.

Do you need to log out of the App on your phone? What is the downside in just closing the App? You will then still get the notifications when you log on via the web.

My point is that it should not matter if I log out of the app or the site on any device.

I am (for whatever reason, it should not matter) logged out of the app and I am now locked out of my account entirely. I cannot log into the website because it needs authentication from my phone, but the app requires me to be permanently logged in to recognise the authentication notification.

However, I also cannot log in to the app because, even though I have fingerprint ID configured, it will not authenticate my login without, apparently, checking with a second phone that I do not have!

No other service I use is as badly designed as this one.

Ah I see what you mean. I’ve just looked to log out of the App and seen the message that tells you that you will not be able to access your account unless you are logged onto the App on another device. Given this I didn’t complete the log out. So yes this seems a bit odd.

Aye, very odd indeed!

To be honest I don’t recall seeing the message about not being able to access the account but even so I don’t think it gets close to explaining the impact of logging out, totally preventing any attempt to log back in.

It’s utterly bizarre and counter-intuitive. Or … maybe … they just don’t want us to use two factor authentication?

I tend to have my apps on one phone and my registered number on another phone. (For security reasons in case one gets lost or stolen).

The 2FA on IE concerned me as well. Right or wrong, I just turned it off as an interim measure!

It does look as if they haven’t properly thought out how 2FA works.

And unless there is some small print somewhere in the setup process that I overlooked (and it should not be small print) they do not explain the potential risks of complete loss of access just by being a normal cautious phone user.

Hi all,

First of all, apologies if you’re experiencing issues/frustrations with two-factor authentication (2FA). Just to give a bit of background, we had/have planned for a 2-stage rollout of 2FA.

Initial implementation - with app-based notifications.
Version 2 - Linking accounts to registered mobile devices and enabling SMS notifications.

The plans had been to release version 2 very shortly after the initial release (1 development sprint later, ~2 weeks). However, this was pushed back slightly. It’s now scheduled for development in mid-May.

I think some of the pop-up texts mentioning “other mobile phone” could also be better. We’re looking at getting this updated.

We’ll try and keep you posted on the version 2 SMS-2FA plans. As with everything that requires development things can get delayed, so please bear with us if it takes a little longer.

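The lockout described earlier in this thread is a dependency cycle: the push second factor can only be delivered to a logged-in app, but logging in to the app itself demands a second factor. The following is an added illustration, not code from the thread or from the vendor's product; it models an account's enrolled factors and what the user currently holds, and computes whether any login path exists. The factor names, the "holdings" they depend on, and the two login targets are hypothetical, chosen to mirror the version 1 (push only) and version 2 (push plus SMS) setups described above.

```python
"""Hypothetical model of a 2FA lockout caused by a factor that depends on
an already-authenticated session.

A login to any target needs the password (assumed known) plus one second
factor that is currently available. A factor is available only if the user
currently holds what it depends on. The push factor depends on an active
app session, and the only way to get an app session is to log in, which is
the cycle the thread describes.
"""
from dataclasses import dataclass, field

# Enrolled second factors and what the user must hold to use each one.
# Names are invented for this example.
FACTOR_NEEDS = {
    "push": "app_session",            # push notification arrives only in a logged-in app
    "sms": "phone_number",            # SMS goes to the registered number (the vendor's "version 2")
    "recovery_code": "backup_codes",  # printed one-time backup codes
}

LOGIN_TARGETS = ("web", "app")


@dataclass
class Account:
    factors: set                                 # subset of FACTOR_NEEDS keys
    holdings: set = field(default_factory=set)   # what the user holds right now


def available_factors(acct: Account) -> set:
    """Factors usable immediately, before any new login is performed."""
    return {f for f in acct.factors if FACTOR_NEEDS[f] in acct.holdings}


def reachable_sessions(acct: Account) -> set:
    """Fixed-point search: each successful login grants a session, and an app
    login also grants 'app_session', which may unlock further factors."""
    holdings = set(acct.holdings)
    sessions = set()
    changed = True
    while changed:
        changed = False
        usable = {f for f in acct.factors if FACTOR_NEEDS[f] in holdings}
        if not usable:
            break  # no second factor can be satisfied from current holdings
        for target in LOGIN_TARGETS:
            if target not in sessions:
                sessions.add(target)
                changed = True
        if "app_session" not in holdings:
            holdings.add("app_session")  # logging in to the app restores push
            changed = True
    return sessions


def locked_out(acct: Account) -> bool:
    """True when no combination of enrolled factors can produce any login."""
    return not reachable_sessions(acct)


if __name__ == "__main__":
    # Version 1: push only. Fine while the app is logged in...
    v1 = Account(factors={"push"}, holdings={"app_session"})
    print("v1 logged in :", sorted(reachable_sessions(v1)))
    # ...but logging out of the app removes the only route to a second factor.
    v1_logged_out = Account(factors={"push"}, holdings=set())
    print("v1 logged out:", "LOCKED OUT" if locked_out(v1_logged_out) else "ok")
    # Version 2: SMS added. The phone number is held regardless of app state,
    # so a web or app login is possible and push becomes usable again after it.
    v2 = Account(factors={"push", "sms"}, holdings={"phone_number"})
    print("v2 logged out:", sorted(reachable_sessions(v2)))
```

The check that matters when enrolling a factor is whether its dependency can be lost by a routine user action (logging out, changing phone) while it is the only factor on the account; `locked_out` returns True exactly in that situation, which is the state the app's log-out warning should describe.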

Thank you for the communication. 🙂

Thanks for the response Tom.

Thankfully the support team restored my access pretty quickly (with working day operations) but it would be good to get clearer communication on the app to help avoid such inadvertent access issues in the first place.

In the meantime I look forward to hearing more on the update to make 2FA properly functional.