Ugh another 2-factor identification process

Keep reading. There’s a verification process that you might not have completed.

1 Like

This! I went into my dvc profile yesterday and checked my phone number etc. :roll_eyes:

2 Likes

I have been reading reports on Facebook that if you put in any password (even 000000) it sends you the text/email and unlocks your account. It seems like this is not how it should work?

1 Like

That seems right. If you forget your password (i.e., enter it wrong) it will use your email/texting to verify your identity to set a new password.

The idea is that only YOU would ever have your phone (or access to your email)…so it is important that your phone has some kind of security (fingerprint scan, facial recognition, PIN entry, etc.), and that your main email has a highly secure password; otherwise the entire security of pretty much any site or app you use falls apart.

Why wouldn’t it have a forgot password step?

How is it 2 factor if you don’t have your password/and the second confirmation? Isn’t it still just one confirmation?

4 Likes

The concern is that members believe the code should be the 2nd confirmation and you should need the correct log in first.

If any password works, it is basically a “reset password” step, without an account email saying the account was accessed by a link only.

2 Likes

It comes to the same end. But the point is valid…2FA isn’t really different from reset password, and offers minimal protection against someone who may have access to your email, etc.

I have been reading that too

And yes, that’s how TWO factor works. You (should) have to get the first factor correct and then you’re offered a second factor

False

It’s not

3 Likes

It doesn’t matter. It comes to the same end. In either case, you have to enter a code and verify. That’s what I mean by it being the same. If you enter a password incorrectly, many systems automatically inform the owner of the account of the incorrect login immediately, even for one failed attempt.

Now, automatically providing a code is eliminating a step, but it is no less (or more) secure.

I think it really does, especially when you tell everyone this annoying thing is being done to secure your personal information. And suddenly it’s not working as expected.

This is where the frustration is, IMO: nothing recently is working as expected.

3 Likes

I am only talking about the actual security aspect. It is no more or less secure doing it this way. But yes, I can see why you would say it matters from an understanding perspective. I agree that Disney hasn’t communicated that part well at all.

The security aspect and what the public perception is are two totally different animals…

It is accessing your account through a new passcode each log in time (without the “someone logged into your account/changed your password” email). If this is more secure than a log in/password, why have passwords at all? Why aren’t all companies doing this? Xfinity is often sending me a code but that is because I use so many devices, not as a substitution to a password. This does not seem to be 2 factor authorization, since you only need the code.

1 Like

I wonder how much of this has to do with the big rental companies…vs the gift card account hacking

Few years back we had booked a room for family that bailed last minute…

I initially contacted them to rent the reservation but balked when they said they wanted my access to my account and password…Thankfully we are within semi-driving distance so we just took an unscheduled trip.

You are actually quite correct. But it applies to most uses of 2FA. If I don’t know my password, I can tell it that I want to reset it. This results in effectively the same 2FA process…that is, utilizing a second method to authenticate. So the 2 factor part isn’t that you have to use two different means, but that it is a second means.

In both cases your account is only as secure as your second means (email or texting). The main way this protects, though, is to prevent random hackers from accessing your account since they wouldn’t also have access via the secondary means.

Having a password serves more as a convenience at that point. If the user has authenticated on this device by a successful login and 2FA, then the 2FA becomes unnecessary unless and until the user enters the password incorrectly or they simply forgot the password. (Or…in some systems…if a certain amount of time has passed since the last 2FA attempt, whatever that may be configured to be.)
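Added example, not written by any poster and not Disney's code: a minimal Python model of the two sign-in flows debated in this thread, one that sends a code whatever password is typed and one that sends it only after the correct password. All class and function names are hypothetical, and the code is returned from `start_login` only to stand in for the SMS/email delivery.

```python
import hashlib, hmac, secrets

class Account:
    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.pending_code = None   # one-time code last sent to the email/phone
        self.notices = []          # alerts the account owner would receive

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def password_ok(self, password):
        return hmac.compare_digest(self.pw_hash, self._hash(password))

def start_login(account, password, require_password):
    """Step 1: returns the code delivered to the owner's channel, or None."""
    if require_password and not account.password_ok(password):
        account.notices.append("failed sign-in attempt")
        return None
    account.pending_code = f"{secrets.randbelow(10**6):06d}"
    return account.pending_code   # stand-in for SMS/email delivery (assumption)

def finish_login(account, code):
    """Step 2: the code is single-use and compared in constant time."""
    expected, account.pending_code = account.pending_code, None
    if expected is None or code is None:
        return False
    return hmac.compare_digest(expected, code)

def factors_needed(require_password):
    """Map (knows_password, holds_email_or_phone) -> whether sign-in succeeds."""
    results = {}
    for knows_pw in (False, True):
        for has_channel in (False, True):
            acct = Account("correct horse")      # constructed sample password
            typed = "correct horse" if knows_pw else "000000"
            sent = start_login(acct, typed, require_password)
            code = sent if has_channel else None  # only the channel holder sees it
            results[(knows_pw, has_channel)] = finish_login(acct, code)
    return results

if __name__ == "__main__":
    print("code sent on any password:", factors_needed(False))
    print("password checked first:   ", factors_needed(True))
```

In the first flow the password column makes no difference to the outcome, so sign-in depends on one factor (the email or phone); in the second, both are required and a wrong password also leaves an alert for the owner.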

So are you saying that this 2FA is avoidable on the DVC website?

I missed that. How did you authenticate your device so it stops this nonsense?

You may not be able to with Disney. I am speaking a bit more generically. Some sites will make you use 2FA once every month. Some every single time you login. Some only if you login from a new device, or change your password.

I haven’t paid attention to if Disney requires it every single time, or just once per day, etc. I will try to pay attention today, and login, wait until that login session times out, and then login again.

It does appear Disney requires using 2FA every single login…which is an annoying overkill, frankly. I can’t think of any other system I use with 2FA that makes you do it every single time.

My remote login from work

My tax program at work requires 2FA every time. For obvious reasons.

1 Like