Multi-factor Fail

It’s 2020. Our world is high-tech, fast-paced and always on. Children know how to use an iPad, teenagers don’t know how to dial a phone and we’ve all come to accept that this is normal.

Nowadays, most everything can be done online, including most crimes. We’re all probably going to learn that the hard way, considering that the companies that have access to our lives—our banks, our hospitals, our schools—seem to think that their best line of defense is a text message.

Are you trying to access your online bank account? Please enter the code sent via SMS.

Want to make an appointment with your doctor? Click the link in the text.

Do you need to receive a copy of your university transcript? First let’s verify it’s you…via an SMS sent to the number on the account you just created.

I honestly cannot believe it—that the text message is the gold standard of security. My iPhone can scan my face, my rental car can be unlocked via fingerprint, an Amazon Echo that doesn’t even belong to me can recognize my voice, but banks are out still out here telling me 6487 is the best way to prove my identity? That is rich.

The thing about multi-factor authentication isn’t just that it seems remedial or that it’s an annoying extra step in the user experience—it’s that for a lot of people it just doesn’t work. And by a lot of people, I mean those of us who don’t have a U.S. cell phone number and therefore cannot receive automatically generated text notifications.

I know that sounds a little bit like a champagne problem but bear with me because service is service. Just because this problem doesn’t pertain to you doesn’t mean the concept doesn’t apply. My gripe isn’t about the text message, per se, but the brand promise. If a company represents itself as a global service provider, then they should provide global service. If they brag about how many markets they serve around the world, then they should be able to serve customers in those markets. And if texting internationally is some kind of regulatory issue, then they should come up with a good alternative—and not leave it to their customer support agents to solve on the fly. Because I have been through the call centers a few times now and the off-label solutions being floated by client services are downright hilarious.

A few months ago, I called my bank—a big, almost too big, if you ask me, financial institution that markets all kinds of accounts, products and services for international travelers. For years I had been happily swiping and withdrawing all over the world, not a blip to be had. And then, seemingly out of nowhere, they decided I needed to verify every online purchase with an SMS confirmation code. If I wanted to access my account from a laptop, I also needed a code. One would think that an international bank would have some kind of backup system, but they did not—unless you call pointing me to a 9-to-5 customer care line a solution.

When I finally got through to an agent and described the situation, she explained that even she didn’t have the option to add an international number to my account.

“So what should we do?” I asked. I know that this technically just sounds like a me problem, but it’s also an issue for the bank. They don’t make money on people who just let their money sit in an account earning interest. They want you to spend it, preferably in a transaction that earns them a 2% interchange fee.

“Well,” the woman suggested. “I can add the number of a family member to your account and they can get the text messages for you.”

“You want someone else to receive the text messages to verify my identity?” I asked, trying my hardest not to sound smug. “How is that secure?”

“It’s not,” she agreed. “But that’s what we’re telling people for now.”

“Can you just send me an email instead?” I asked. “You used to do that.”

“We stopped doing that because it’s not as secure,” she explained. I can hear in her voice that she knows sending the text message to another person is probably even less secure, but she can’t or won’t admit it.

“Can you turn the multi-factor identity features off on my account?” I ask.

“We can’t,” the agent tells me. “I’m sorry.”

The woman doesn’t sound sorry, but that’s to be expected. Besides it’s not her fault that her employer overpromised and underdelivered. Since I have no better option, I take her up on the workaround. “OK. You can add my sister-in-law’s number,” I offer.

“Your who?” the woman on the other end of the line asks. “Your sister?”

“Sure, my sister,” I agree. This is how I know my bank hasn’t invested enough in their data and analytics capabilities. Because if they really knew me as a customer, they would have not only suggested Saint Rena as my cell phone code receiver, but also given her power of attorney and made her the sole beneficiary on my investment accounts. She is the most shit-together woman I know, this despite having three jobs, two kids and a tendency for migraines. I feel bad adding more to her plate, but she usually just shrugs it off. “If you want something done, ask a busy person,” is what she once told me after agreeing to sign for an Amazon delivery while making a four-layer cake.

Realistically speaking, I think my sister-in-law agrees to help me with these administration issues because she understands my alternatives—which is to say she is married to my brother. Don’t get me wrong, he has a lot of great qualities, but reliability isn’t one of them. The last time I asked him to do me a favor, he managed to lose my debit card, credit card and deregistration paperwork issued by the federal republic of Germany in the mail. I’m not saying that one of several national postal systems between Philadelphia and Helsinki isn’t to blame for the disappearance of that package during a pandemic, but I not-so-secretly suspect that my brother mis-addressed the envelope—which is somewhat understandable considering that the name of my street is Hietalahdenkatu.

But that’s not fair and I know it. I shouldn’t be annoyed with my brother even if he did fudge up the envelope. I should direct my anger at the companies who take me as a customer and boast of global services but can’t accept the fact that I moved across the ocean. My brother should not be sending me my debit cards just as my sister-in-law should not be texting me account codes—my bank should be doing that. Shame on them for promoting themselves as a worldwide organization, taking customers who live internationally and then leaving their employees holding the bag.

If you think that the rogue customer service agent from my bank is an exception, please think again. Because while the first few years of my nomad life were fairly smooth, the last two have been a non-stop hassle.

About a month ago, I signed up for a QuickBooks account. Intuit let me create a profile, activate the account via email, add my bank details and pay for an annual subscription all in one go. Then, the next time I tried to log in, I got a message: Please update your account with a phone number to verify your identity. But would Intuit, a $6.8 billon multinational company, accept a German phone number? No. Of course not! This despite the fact that they offer the same product in Germany!

The workaround on this one was pretty unbelievable. I learned that if I just hit “Continue” enough times without entering a phone number, the system eventually gives up and lets me in—like some sort of desktop equivalent of staying silent during those automated answering menus to trick the robot into thinking you’re using a rotary phone. And really, at this point, I may as well be. My grandmother’s headset from the 1950s would be exactly the same amount of help an iPhone X with a German SIM.

I can only assume that this will improve over time—that these are just growing pains. Eventually, the multi-factor system will be refined not to include international text messages, but to actually be secure. Because honestly, how effective can these measures really be if I, a person who can’t turn on her own stereo equipment, can accidentally break through? There has to be a better way. I hope these big companies with the big budgets and the big ideas find one soon.

In the meantime, tell me: What’s your work around to the U.S. text conundrum?

14 comments to “Multi-factor Fail”
  1. Well I don’t live outside of United States but I rely on email notification because I get limited cell phone service where I live. I do have a land line and sometimes rely on a phone call to get my code. If they can’t text you because they cannot enter a German phone number, can they call you? Maybe this phone number field in their data collection allows for a German phone number? I’m assuming that this has already been discussed but you don’t mention in your blog post. Or maybe I missed it…I’m just now having coffee and my brain is still in neutral. Lol!

    • OK so thanks for sharing because while i was writing this I was trying to figure out how this might be a problem for other people and I couldn’t really think of a scenario. (I considered people who were visually impaired but 1. I bet they have some kind of audio/reading tool to translate texts and 2. not to be a jerk, but I don’t know how much companies even offer in terms of digital services for clients that have vision loss/impairment when they can’t even be bothered to send a text message to anything but a +1 number). Anyway – you’re right, not everyone has cell service. And while I never specifically asked if I could receive a call instead, I doubt that the system could support it… it’s a matter of the country code, which customer service tells me cannot be changed in their system.

      but my bigger point is just WHY a text? WHY a call? Anyone can pick up the phone or read a text, can they not? that isn’t verifying my identity. it’s just verifying that someone has my phone. Lots of fraud is committed by people in your household. If the bank really wanted to know it was me, they would use something more secure–like my face. i’m serious! my bank is out here using my mobile phone to verify my identity via text when it has biometrics built into it. scan my face, take my fingerprint, detect my voice! it’s 2020 figure out how to do it. make a deal with apple and get it together! also, not for nothing, if someone is logging onto an account from a computer, the first rule of experience design is that you keep them on that channel. you don’t make them find their phone or answer a call… you figure out a way to verify the identity with the technology that’s already in use. Just imagining things here – but why can’t they let me claim that code from a vault in the cloud? Why can’t the camera on my laptop use facial recognition? why can’t i speak my password and let voice recognition do the rest. Are those foolproof? Probably not. But surely they’d be better than a text.

      • Ok, I get it, with all this technology why are they only doing text messaging? The same reason they are not allowing text to foreign countries. The texting to your sister can time out and then you are starting over. Many times you only have 10 minutes and need to resubmit the request.

        • correct. the text is not the only option. and i don’t think it’s the best option either. but here we are. good look with your robo calls :) i too hope i find a solution. xx

  2. Right now, we have been waiting for 6 weeks for a check (5-digit sum) which probably got lost in the mail on its way from the US to Europe.
    Who still does banking business with antiquated checks!? Ah yes, US banks…😳

    • So what you’re saying is: My brother may not be to blame for my missing debit card?

      Jokes aside, I’m sorry to hear that. I sympathize, I really do. I cannot believe that in 2020 any business at all is done on paper. Anyone who insists on paying via check is just being willfully obtuse at this point. I know I don’t need to tell you, but in addition to just not getting the thing you need, now you also have to go through the hassle of replacing it AND trying to get it again.

      In any case, I REALLY hope your check shows up and soon.

  3. Can you sign up for a free google voice phone number, and have it automatically forwarded to your german phone number?

    I know that I can auto forward my google voice number to my US cell number – I haven’t tried forwarding it to an international number.

    You can also look into https://ifttt.com – they have people who have made little recipes to glue disparate pieces of technology together – so if google voice won’t auto forward texts, you can probably use something on this site, to do it.

    • Hey. So Google Voice does support text messages but not in this case:

      “Get a text message. You can get text messages from anywhere in the world. On your computer, go to voice.google.com. Blah blah blah. Note: To get text messages from websites, like a bank or subscription service, you need to use your mobile carrier number.”

      But thanks for the link. So cool all the things that are on there!! My search terms thus far have not found a solution, but I’ll dig around a little more. Either way, it’s a win to know that exists :) thank you!

    • I agree with the suggestion of a Google Voice #. I think it’s probably the easiest with no additional fees.

      https://voice.google.com/about

      You would have a 100% useable US phone number & you can use it via the app (so it works on your devices with a data plan or Wi-Fi). I do have it ‘connected’ to my mobile # (now US, but previously German). You don’t even need to forward it to your German Mobile #.

      I can get calls, texts, & voice mails with no issues. I haven’t tried actual bank texts, but I get other auto solicitation types as well as personal ones. I normally keep it in DND, as I sometimes use it to sign up for things I don’t want to give out my regular mobile # for.

      It will push notifications via the Google Voice app & it’s a 2nd phone line on your existing phone. I have had a $10 credit for 9 years, since I never use it to make outgoing calls & I don’t forward anything (since I’m living back in the US). It’s a nice option to have as a backup when I travel, since I can use it to make a phone call from a WiFi hotspot anywhere.

      I wouldn’t set up forwarding unless you aren’t going to have data access & would need to receive calls/texts, as you are charged per minute for those forwarded calls. Call rates to a German mobile are higher than to a landline. If you are only using it for access code texts, then the small $ might be worth the convenience of having all messages feed directly to your regular text messages.

      Years ago, I used Skype with a dedicated US phone number & forwarded it to my German Mobile (as a US phone number only – without texting) from 2006-2012, so my Grandma could call me without needing to dial an international number. If I was home when she called, I would just call her back from my landline (as I had unlimited calls to the US for 4€/month). Skype’s service got progressively more expensive though & I had to pay a yearly fee for a telephone # & then pay additional for calls. When I originally did this, they were one of the few options.

      There are other app based ‘2nd line’ phone numbers – Sideline (one of my friends used as his business line), Text Free, OpenPhone, MagicJack [Regular & For Business] (MJ was another popular option when I lived in Germany), etc.

      I would be glad to answer any questions about what I’ve used.

      • hey! thanks so much for all this info. I guess i will have to give google voice a try after all. i had considered that option as well, but saw this note on their website (Note: To get text messages from websites, like a bank or subscription service, you need to use your mobile carrier number.) so I figured it wouldn’t work. but i never actually tried. and if you say you’ve received auto-messages maybe it will. worth a shot! I’ll also look at Magic Jack.. I’ve definitely heard of that but never checked into it.

        as for all the other ideas – thanks! I use the phone less and less, but do have Skype. I also think and annual Zoom membership is worth it to create a standing meeting room and no time limit on video chats. I got one for work just to host conference calls but it started doing double duty during corona… and then it hosted our wedding reception lol.

        thanks again for your ideas! I’ll let you know if the bank texts actually come through via google voice

  4. Good god, I have a completely different issue. Whenever I end up locking myself out of an account, the site asks me to call a number… which I cannot do, because I’m deaf. This includes GOVERNMENT websites. UGH.

    I’ve had to get someone to call on my behalf, just to reset my password, but the agent refused So, the next time I got someone to call for me, they just pretended to be me, and I was able to access my account again. How the heck is the agent supposed to know it’s really me who’s talking, anyway?

    When I wanted to cancel*my internet service, the only option I was given to do so was to… call my ISP.

    WHAT? I CAN’T CANCEL MY INTERNET SERVICE… OVER THE INTERNET? Even when I visited their physical store, they couldn’t help me.

    I mailed them a handwritten note requesting that they cancel my internet: nope. Their solution was for me to fill out a form to give my partner Power of Attorney to cancel the internet on my behalf. So, they won’t accept a handwritten request, but they were good with creating a middleman (my partner). That’s wild.

    It’s bizarre how most of the world is able to carry on without considering accessibility. I know I am often the first deaf person someone has interacted with, but I’ve met thousands of deaf people.

    Anyway, for this reason, I’d choose authenticating via text than via voice, since the latter will never be accessible to me.

    • Hi – so, first of all, thank you for sharing your experience and I’m sorry to hear this is how companies treat you. It’s unacceptable. While writing this I was wondering how might people with vision problems use digital services and I figured they just couldn’t because no one makes them accessible. After reading your comment, I suspect that I am right… and for once I don’t want to be.

      I do understand that a majority of people will prefer the text, as it is the least invasive. For you, it is the most accessible. That makes perfect sense. I’m definitely not saying it shouldn’t be an option, just that it’s not the ONLY option. what’s more, i find it so frustrating that we give companies all this personal data and they don’t do anything useful with it. i mean, my bank should know where I live. it should know when i moved. it’s not unreasonable for me to think that they would not only have a system to help customers continue to bank overseas, but that they would proactively tell me about it. The companies you interact with should know that you’re deaf. They should be able to customize your interactions accordingly.

      I know people will roll their eyes at this and think it’s so futuristic and pie in the sky, but it’s honestly not. For years I’ve worked with companies who are sitting on piles of data and talking about how to make the customer experience better and what it often comes down to is ways to help them: recommending more products to buy, making ads more precise, denying service to someone that the algorithm thinks will default. it’s obnoxious.

      anyway thank you again for your perspective and the reminder about accessibility. here’s to hoping we get somewhere better & fast.

  5. My credit card company (that I’ve had for 6 years) has recently done the same. And given me the same lame answer. I can no longer access my account & have to call customer service each time I need to check anything. Their suggestion for a workaround? Get a Skype or google number. Guess what, you can’t sign up for those without a US number too! they then suggested that I add someone else’s number to my account so they could receive the texts but it took two weeks to have that go through because they needed to make sure it was legit. I’d laugh if it wasn’t so infuriating

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.