Hi There,
Does Flightaware support 2FA for logging into your account on the web portal? I don’t see anywhere that you can do it
Thanks
David
1 Like
I have half of your problem. I have FlightAware set up with an authenticator app but can’t for the life of me find where this is set or how to change it?
2 Likes
tech0
3
I searched the entire FlightAware site and couldn’t find 2FA or even how to change an existing password. The FAQ says to use the Account Management page, but there is nothing on it about 2FA or passwords.
3 Likes
I received a popup inviting me to enable 2FA when logging in. I declined, and looked for it later, and cannot find anything at all. However it looks like it’s 2FA to your phone, not TOTP or hardware key. Can anyone confirm a) what kind it is and b) how to access the settings for it?
Also, is there a blog post or anything advising on this new method of logging in? FlightAware have moved the security of my account from my password manager to that of my email, by using this emailed code instead of a password. But in my case that has reduced my security and I’d like to return to using a password if that is possible.
The security is indeed moved from your local device to a mail address and an external validation.
I’m using the options listed when logging in.
There are 3 options, using google as an authenticator, using email and a third one (that I don’t use).
When using google this will function as an authenticator and will enable you to login with a username and password (of your google account).
Using the email option will send you an authentication code to your email that you can use to login.
When using mobile devices that is sometimes a hassle (from my experience).
Thanks for the explanation. I dislike this change because I won’t always have access to my email when I want to log in to FlightAware, and it is less secure or reliable than using a password in my case.
FlightAware (ping @obj) – is it possible for an account to return to using a password?
It looks like this was done to avoid storing authentication data, at the cost of introducing unknown external parties into the authentication flow.
1 Like
where exactly are these options? I can’t find it anywhere.
MC130E
8
Hi,
FA does have Google Authenticator type 2FA OTP (6-digit PIN), but it only can be set up when offered.
When FA switched to e-mail authentication, I was hoping for true 2FA OTP. A few weeks later, I had a login popup offering 2FA, but it was not a convenient time for me to set that up, so I declined. Later, I looked for the setting, but could not find it.
About a month later the 2FA OTP offer again appeared on login. This time I used it. It is the typical “scan a code” or manually enter the code option for Google Authenticator, Authy, or any of the other OTP apps.
However, then things get a bit strange. Logging in now does not offer a direct link to the 2FA OTP login method, so you still have to use e-mail. Then after the e-mail login, the 2FA OTP prompt is displayed and used.
I’m not sure if it is a Firefox issue, or possibly LastPass corrupting the 2FA entry fields, but it displays as 6 boxes with up/down arrows, and you have to click up/down to enter the digits. Even worse, all but the far left side of the digits is hidden by the up/down interface, so you have to carefully click and count. The last digit is even stranger. There is no “enter” function, so each time you click on the last digit, it “fails” with a bad code, but then lets you click again and try the next digit. Very strange. It’s either Firefox or LastPass, and I haven’t bothered troubleshooting yet. The short-term, less secure method is simply to not clear FA cookies automatically on each shutdown so login remains for the 30 or so days.
The help and FAQ is definitely outdated. Most of the text there refers to the old original mobile phone text method (text or SMS?), not e-mailed codes. The option on the account page to change password or configure security options have not been there for years I believe.
To be clear, the “Sign in with Google” option, which is one of the three methods (Google, Apple, or e-mail), is NOT a way to directly sign in using a “Google Authenticator” or Authy type 2FA OTP 6-digit PIN. That seems to be just a way of signing in by linking your FA account to a Google account, which is definitely not a very secure option. I prefer to keep things separate.
I am hoping FA eventually gets this all streamlined a bit! Like many, I would prefer a FA user/password login option that works directly with the already created 2FA OTP codes.
Regards,
-Dan
2 Likes
MC130E
9
Probably the easiest option for FA would be to offer a fourth login option.
Current options:
1. Google (which requires linking to a Google account)
2. Apple
3. E-mail (current system that uses user/pass and e-mailed code, and 2FA code if created)
New option:
4. Login with user/pass and 2FA 6-digit PIN
The new option would allow user/pass login without having to still go through the #3 e-mailed method before the 2FA entry box appears.
Regards,
-Dan
1 Like
When logging in to Flightaware I get the following screen presented
Needless to say that if you keep your session going this screen won’t be visible for the duration of the login.
I always log out when leaving Flightaware so I get it every time I go to the website.
1 Like
That matched my experience then, since I’ve not been offered it since and I cannot find anywhere to set it up.
Those sound like annoying UI bugs with the authentication being partly ‘bolted on’ to the usual layout. I hope they can be tidied up.
That would be much appreciated, along with some tidying up and re-thinking of the options available. However it does appear to be a FA threat response which allows FA to reduce their exposure at their back-end, at the unknowable expense of the user’s security at the front-end.
Indeed, I saw that screen logging in, along with periodic Cloudflare interventions and a different UI again for the forum vs the main account login.
MC130E
13
FA supports some method of Single sign-on from the main site to the discussions site. Here’s my technique.
1. Log in to main site, using whatever technique you like.
2. Then from the top menu, select “Community… All discussions…”. That link as shown below uses SSO, and uses your current login status when going to the discussions site. You will not have to manually log in.
https://discussions.flightaware.com/session/sso
Using the 1, 2 technique keeps me from ever being prompted to login to the discussions site. If I ever forget to do #2 (no jokes please!), then instead of logging in to discussions when prompted, I just visit the main site and select the “All discussions” link.
It’s a bit clumsy, but it works.
Regards,
-Dan
1 Like
Aye, this is what I do now too, it avoids the different workflows, which ideally should be made consistent for the cleanest user experience.
AhrBee
15
My unsolicited opinion on this -
Well, with the amount of hoops FA now requires to log in, you would think one is accessing one’s tax reporting or payroll site… Not having direct login via 2-factor authentication using either a key or a TOTP software vault puts enough obstacles into the process that significantly de-motivates one from participating in a community forum, from my perspective.
Besides, let’s dissect what’s at risk here. Is it the GPS location of one’s feeders? Hardly so as all those are public information when accessing the FA coverage information links (no login required).
Then let’s look at the login methods.
Using an e-mail code is ridiculous since 1) it does not seem to expire (TOTP has a 30 second lifetime) and 2) e-mail is plain text since the endpoint (server) is not guaranteed to be encrypted.
So, let’s say one does sign up for the 2FA - now you need to either tie in your Google/Apple identity to FA (nothing like separating that, is it?!) or e-mail to the 2FA. So then it’s adding yet another step (entering the 2FA TOTP code) ‘just’ to participate in the community forum. Interesting way of attracting participation and discussion - let’s put up some more barriers for the illusion of security. And let’s top all that off with no clear way of recovering one’s account access since there is no longer just a password option.
The fourth login option proposed by @MC130E would certainly be welcome in overcoming the perceived barriers.
I’ll now crawl off to my hole and join the other mushrooms in retirement…
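The contrast drawn in the post above, a TOTP code bound to a 30-second time step versus an emailed code whose lifetime the server has to enforce itself, as an added example that is not part of the thread and is not FlightAware's code. The `EmailCodes` class and its 5-minute lifetime are hypothetical; `totp` follows RFC 6238 with HMAC-SHA1.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, now: float, window: int = 0) -> bool:
    """Accept `code` for the current step, plus/minus `window` steps of clock skew."""
    return any(
        hmac.compare_digest(totp(secret, now + i * STEP), code)
        for i in range(-window, window + 1)
    )

class EmailCodes:
    """Emailed one-time codes (hypothetical): expiry and single use are
    properties the server must enforce; nothing in the code itself expires."""

    def __init__(self, ttl: int = 300):  # 5-minute lifetime is a constructed value
        self.ttl = ttl
        self._pending = {}  # account -> (code, issued_at)

    def issue(self, account: str, now: float) -> str:
        code = secrets.token_hex(4)
        self._pending[account] = (code, now)
        return code  # a real service would e-mail this instead of returning it

    def redeem(self, account: str, code: str, now: float) -> bool:
        # pop() makes any attempt, right or wrong, consume the pending code
        stored, issued = self._pending.pop(account, (None, 0.0))
        if stored is None or now - issued > self.ttl:
            return False
        return hmac.compare_digest(stored, code)
```

With `window=0` a code stops verifying as soon as its time step ends; many verifiers allow `window=1` to tolerate clock drift, which widens the acceptance period accordingly.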
tech0
16
I set my browser to NOT delete FA cookies. I logged in a long time ago, that’s it. I never log out and I’m never prompted to log in. That being said, my computer is biometrically secure so that no one else can wake it up or use it.
1 Like
RickNY
17
Also having this issue with Firefox and the 2nd MFA prompt. Eventually get past it, but it’s annoying. The requirement of the email alphabetic code is one thing - but not being able to manage the TOTP setup once it’s been created is an issue.
I’ve had the same issue on Firefox / Librewolf, but found that ignoring the up/down selection arrows and simply typing the relevant digits in the boxes worked. I don’t get any such issue on Chrome, and can either use the arrows or enter the digits directly.
As it is, I now just preserve the cookies for FA (as well as ADS-B Exchange and 360Radar) on all three browsers so only occasionally have to go through the rigmarole of logging in.
I was able to change my authenticator app at https://login.flightaware.com/mfa/update
I switched from Authy to Step Two.
3 Likes
I’m having issues using the FA app, I login via the email and I’m sent a code but it refuses to login with “Invalid code, please try again”.