Hi There,
Does Flightaware support 2FA for logging into your account on the web portal? I don’t see anywhere that you can do it.
Thanks
David
I have half of your problem. I have FlightAware set up with an authenticator app but can’t for the life of me find where this is set or how to change it?
I searched the entire FlightAware site and couldn’t find 2FA or even how to change an existing password. The FAQ says to use the Account Management page, but there is nothing on it about 2FA or passwords.
I received a popup inviting me to enable 2FA when logging in. I declined, and looked for it later, and cannot find anything at all. However it looks like it’s 2FA to your phone, not TOTP or hardware key. Can anyone confirm a) what kind it is and b) how to access the settings for it?
Also, is there a blog post or anything advising on this new method of logging in? FlightAware have moved the security of my account from my password manager to that of my email, by using this emailed code instead of a password. But in my case that has reduced my security and I’d like to return to using a password if that is possible.
The security is indeed moved from your local device to a mail address and an external validation.
I’m using the options listed when logging in.
There are 3 options, using google as an authenticator, using email and a third one (that I don’t use).
When using google this will function as an authenticator and will enable you to login with a username and password (of your google account).
Using the email option will send you an authentication code to your email that you can use to login.
When using mobile devices that is sometimes a hassle (from my experience).
Thanks for the explanation. I dislike this change because I won’t always have access to my email when I want to log in to FlightAware, and it is less secure or reliable than using a password in my case.
FlightAware (ping @obj) – is it possible for an account to return to using a password?
It looks like this was done to avoid storing authentication data, at the cost of introducing unknown external parties into the authentication flow.
Where exactly are these options? I can’t find it anywhere.
Hi,
FA does have Google Authenticator type 2FA OTP (6-digit PIN), but it only can be set up when offered.
When FA switched to e-mail authentication, I was hoping for true 2FA OTP. A few weeks later, I had a login popup offering 2FA, but it was not a convenient time for me to set that up, so I declined. Later, I looked for the setting, but could not find it.
About a month later the 2FA OTP offer again appeared on login. This time I used it. It is the typical “scan a code” or manually enter the code option for Google Authenticator, Authy, or any of the other OTP apps.
However, then things get a bit strange. Logging in now does not offer a direct link to the 2FA OTP login method, so you still have to use e-mail. Then after the e-mail login, the 2FA OTP prompt is displayed and used.
I’m not sure if it is a Firefox issue, or possibly LastPass corrupting the 2FA entry fields, but it displays as 6 boxes with up/down arrows, and you have to click up/down to enter the digits. Even worse, all but the far left side of the digits is hidden by the up/down interface, so you have to carefully click and count. The last digit is even stranger. There is no “enter” function, so each time you click on the last digit, it “fails” with a bad code, but then lets you click again and try the next digit. Very strange. It’s either Firefox or LastPass, and I haven’t bothered troubleshooting yet. The short-term, less secure method is simply to not clear FA cookies automatically on each shutdown so login remains for the 30 or so days.
The help and FAQ are definitely outdated. Most of the text there refers to the old original mobile phone text method (text or SMS?), not e-mailed codes. The options on the account page to change password or configure security options have not been there for years, I believe.
To be clear, the “Sign in with Google” option, which is one of the three methods (Google, Apple, or e-mail), is NOT a way to directly sign in using a “Google Authenticator” or Authy type 2FA OTP 6-digit PIN. That seems to be just a way of signing in by linking your FA account to a Google account, which is definitely not a very secure option. I prefer to keep things separate.
I am hoping FA eventually gets this all streamlined a bit! Like many, I would prefer a FA user/password login option that works directly with the already created 2FA OTP codes.
Regards,
-Dan
Probably the easiest option for FA would be to offer a fourth login option.
Current options:
New option:
4. Login with user/pass and 2FA 6-digit PIN
The new option would allow user/pass login without having to still go through the #3 e-mailed method before the 2FA entry box appears.
Regards,
-Dan
When logging in to Flightaware I get the following screen presented
Needless to say that if you keep your session going this screen won’t be visible for the duration of the login.
I always log out when leaving Flightaware so I get it every time I go to the website.
That matched my experience then, since I’ve not been offered it since and I cannot find anywhere to set it up.
Those sound like annoying UI bugs with the authentication being partly ‘bolted on’ to the usual layout. I hope they can be tidied up.
That would be much appreciated, along with some tidying up and re-thinking of the options available. However it does appear to be a FA threat response which allows FA to reduce their exposure at their back-end, at the unknowable expense of the user’s security at the front-end.
Indeed, I saw that screen logging in, along with periodic Cloudflare interventions and a different UI again for the forum vs the main account login.
FA supports some method of Single sign-on from the main site to the discussions site. Here’s my technique.
Log in to main site, using whatever technique you like.
Then from the top menu, select “Community… All discussions…”. That link as shown below uses SSO, and uses your current login status when going to the discussions site. You will not have to manually log in.
https://discussions.flightaware.com/session/sso
Using the 1, 2 technique keeps me from ever being prompted to login to the discussions site. If I ever forget to do #2 (no jokes please!), then instead of logging in to discussions when prompted, I just visit the main site and select the “All discussions” link.
It’s a bit clumsy, but it works.
Regards,
-Dan
Aye, this is what I do now too, it avoids the different workflows, which ideally should be made consistent for the cleanest user experience.
My unsolicited opinion on this -
Well, with the amount of hoops FA now requires to log in, you would think one is accessing one’s tax reporting or payroll site… Not having direct login via 2-factor authentication using either a key or a TOTP software vault puts enough obstacles into the process that significantly de-motivates one from participating in a community forum, from my perspective.
Besides, let’s dissect what’s at risk here. Is it the GPS location of one’s feeders? Hardly so as all those are public information when accessing the FA coverage information links (no login required).
Then let’s look at the login methods.
Using an e-mail code is ridiculous since 1) it does not seem to expire (TOTP has a 30 second lifetime) and 2) e-mail is plain text since the endpoint (server) is not guaranteed to be encrypted.
So, let’s say one does sign up for the 2FA - now you need to either tie in your Google/Apple identity to FA (nothing like separating that, is it?!) or e-mail to the 2FA. So then it’s adding yet another step (entering the 2FA TOTP code) ‘just’ to participate in the community forum. Interesting way of attracting participation and discussion - let’s put up some more barriers for the illusion of security. And let’s top all that off with no clear way of recovering one’s account access since there is no longer just a password option.
The fourth login option proposed by @MC130E would certainly be welcome in overcoming the perceived barriers.
I’ll now crawl off to my hole and join the other mushrooms in retirement…
I set my browser to NOT delete FA cookies. I logged in a long time ago, that’s it. I never log out and I’m never prompted to log in. That being said, my computer is biometrically secure so that no one else can wake it up or use it.
Also having this issue with Firefox and the 2nd MFA prompt. Eventually get past it, but it’s annoying. The requirement of the email alphabetic code is one thing - but not being able to manage the TOTP setup once it’s been created is an issue.
I’ve had the same issue on Firefox / Librewolf, but found that ignoring the up/down selection arrows and simply typing the relevant digits in the boxes worked. I don’t get any such issue on Chrome, and can either use the arrows or enter the digits directly.
As it is, I now just preserve the cookies for FA (as well as ADS-B Exchange and 360Radar) on all three browsers so only occasionally have to go through the rigmarole of logging in.
I was able to change my authenticator app at https://login.flightaware.com/mfa/update
I switched from Authy to Step Two.
I’m having issues using the FA app, I login via the email and I’m sent a code but it refuses to login with “Invalid code, please try again”.