2 Factor Authentication

[Matty B13]

The codes were running a little slow this morning, I've been checking since we just sold a contract that just closed and wanted to see if it had been removed from our account. I think it was about a minute slow today, compared to almost instantaneously yesterday.

 

[js]

Where do I go to do this? I just tried logging in 5 times this morning and each verification code came to my email about 30 seconds later causing me to miss out on trying to book a room at the 8am mark. It worked just fine when I tested it earlier, but that's just how things go I guess.

Can we already be logged in with the code and play around on the site until 7 am and then book?

 

[gmi3804]

Can we already be logged in with the code and play around on the site until 7 am and then book?

Yes.

 

[Winston Wolf]

For the first time, I'm starting to side with the "DVC needs an app" folks. This would be a lot easier (and just as secure) with facial recognition through your phone.

 

[CarolMN]

They need to fix the website before they start introducing an app!

 

[BWV Dreamin]

Tim from DVC News posted excellent directions on how to change the authentication factor to a text message from email. Check out his website.

 

[Sammie]

Doing it every time logging in is a joke. Let us remember the device please!!!

I am not having to do it each time. I went in did it, and left the page and came back and it did not require it. I did not sign out, but did close the page.

 

[bumbershoot]

For the first time, I'm starting to side with the "DVC needs an app" folks. This would be a lot easier (and just as secure) with facial recognition through your phone.

Not everyone wants a phone with or wants to use facial recog.

 

[Winston Wolf]

Not everyone wants a phone with or wants to use facial recog.

OK so don't. It's never a requirement.

 

[ehh]

Really wish there were an option to "Trust this browser" so I wouldn't need to 2FA every single time. And this is from someone who uses Safari on a Mac with Text Message Forwarding enabled on my iPhone, which basically has Safari auto-fill the code for me.

Medical, financial, and photo/data storage websites all have this option and are significantly more sensitive. I just can't come up with a meaningful justification for this level of friction.

 

[tjkraz]

Really wish there were an option to "Trust this browser" so I wouldn't need to 2FA every single time. And this is from someone who uses Safari on a Mac with Text Message Forwarding enabled on my iPhone, which basically has Safari auto-fill the code for me.

Medical, financial, and photo/data storage websites all have this option and are significantly more sensitive. I just can't come up with a meaningful justification for this level of friction.

I cannot speak to Disney's exact motivation. However I'll point out two possibilities:

1) There are people who have built a business around securing and managing reservations using other owners' user credentials (with their permission).

2) There are people who have developed ways to scrape the DVC website for room availability data.

Not sure if 2FA represents a long term roadblock for either of those parties but it's certainly an irritant.

 

[TinkB278]

I cannot speak to Disney's exact motivation. However I'll point out two possibilities:

1) There are people who have built a business around securing and managing reservations using other owners' user credentials (with their permission).

2) There are people who have developed ways to scrape the DVC website for room availability data.

Not sure if 2FA represents a long term roadblock for either of those parties but it's certainly an irritant.

The thing is, I don’t really understand why Disney cares about people doing either of these things?

 

[tjkraz]

The thing is, I don’t really understand why Disney cares about people doing either of these things?

To the first point, for a long time DVC has shown some interest in limiting activity by brokers and other overly-active renters. There was a time when rental brokers had members add them as an associate to their contract, so they had the ability to make and manage reservations. DVC essentially put a stop to that.

There are a few entities who have access to / control of massive amounts of points, combined with the knowledge and wherewithal to use those resources to turn the greatest profit. That activity invariably disadvantages others.

Will 2FA stop them? probably not. But depending upon the exact business model, it stands to make some people's businesses considerably more difficult. Like when the associate designation was limited.

Yes, Disney has selfish motivations for changes like this. Rentals undoubtedly eat into their room revenue to some degree. If they make the entire rental process more cumbersome, especially for non-members, some will just decide to bite the bullet and pay Disney direct.

But I also think they want run-of-the-mill DVC owners like you and me to have a better (fairer?) shot at making room reservations. When members get frustrated over lack of availability, DVC has to deal with the complaints, owners selling, increased recommendations to not buy DVC in the first place...

As for the data mining, Disney is notoriously secretive about such things. Imagine how DVC point sales could be impacted--both direct and resale--if there was precise data available showing how hard it is to book AKV value rooms at 11 months or BCV rooms at 7 months. Imagine if owners knew exact booking trends for the Poly bungalows rather than just speculating about demand (or lack thereof).

 

[ehh]

I cannot speak to Disney's exact motivation. However I'll point out two possibilities:

1) There are people who have built a business around securing and managing reservations using other owners' user credentials (with their permission).

2) There are people who have developed ways to scrape the DVC website for room availability data.

Not sure if 2FA represents a long term roadblock for either of those parties but it's certainly an irritant.

#1 seems reasonable. Collusion fraud is extremely difficult to stop. And while this isn't fraud, it's more abuse/misuse, there are shared principles here. Didn't realize there was a business there or that it's remotely worth inconveniencing the other 99+% of users, but I could definitely see this being the motivation and a low-LOE, ham-fisted response.

#2 is something I'm familiar with professionally. It is plausible they're doing it as a misguided speedbump against scraping/booking bots, but it would be extremely misguided. There are significantly better ways to do this (some of which they already do). Adding 2FA for all sign-ins for all accounts is moronic if they're trying to curb scraping/booking bots as a motivated scripter/botter could integrate 2FA verification into their auth flow within a day, if not hours, considering how easy it is to scrape email/SMS. Heck, they probably already have because 2FA was already used to curtail this (see below). So then all you're left actually impacting are good accounts and 'casual' scripters (like people using page monitor-type browser extension, maybe).

I really hope they'd take more intelligent measures against scripts/bots.

The thing is, I don’t really understand why Disney cares about people doing either of these things?

@tjkraz made a very good case for stopping the booking farms. I know DVC definitely care about scripting/bots, too. During some particularly vigilant, non-automated stalking I've seen some of the friction they put up dynamically: 2FA (now for everyone), temporary IP bans, and something resembling a proof-of-work challenge-response (though Disney IT incompetence can also appear to look this way).

 

[ehh]

I just thought of an alternative, less-nefarious justification for why we have such comprehensive 2FA on this portal but no other Disney sites: DVC is the test group prior to larger roll out of OneID + 2FA.

Small-ish population compared to total daily sign-ons, we're motivated to report problems, probably enough diversity of account configurations, might have some secondary benefits related to what @tjkraz mentioned (plus maybe some mitigation of "unauthorized" account activity from household members), probably a high number of phone number attachment, and likely other positives about us as group, too.

 

[icydog]

I’ve been trying to make a reservation for a guest of mine for 3 hours. I can’t get past the verification process. I don’t know what to do.

 

[Sandisw]

I’ve been trying to make a reservation for a guest of mine for 3 hours. I can’t get past the verification process. I don’t know what to do.

Are you not getting the code? I just was in so it is working.

 

[icydog]

I finally called member svcs to make the reservation for me. When he finished with the reservation he reinstalled my service (or did something else—I have no idea) and now it’s working. It took 15 min or so to get it working— but now it is all done —thank goodness!

 

[Akck]

I saw a post on FB, that you can enter any password you want and it will bring up the authentication code page, which you can then get a code and enter it to get into your account. I’ve tried it a few times, entering random letters and have gotten in. Of course, with a text or email that goes to you, that is probably better security anyway.

 

[ehh]

I saw a post on FB, that you can enter any password you want and it will bring up the authentication code page, which you can then get a code and enter it to get into your account. I’ve tried it a few times, entering random letters and have gotten in. Of course, with a text or email that goes to you, that is probably better security anyway.

Confirmed working for me too.

This is still just single-factor authentication if passwords are moot, sigh. Not better, just different pros/cons--no longer forgettable (good), slightly more phishable (bad), less susceptible to reuse issues (good), easier to involuntarily lose access (lost device, lost access to email, changed phone number, etc.; bad), shifts load-bearing security onto email/SMS providers (not always good).