topic Re: Multi factor authentication on Plusnet in Plusnet Feedback

Multi factor authentication on Plusnet

dgf — Mon, 10 Nov 2025 14:21:05 GMT

Dear Plusnet Support,
I’m writing to request that Plusnet consider implementing multi-factor authentication (MFA) for customer accounts, particularly for the Member Centre and Webmail services.
Given the increasing risks of password-only logins—including phishing, credential stuffing, and unauthorized access—MFA has become a standard security feature across most major service providers. Adding support for authenticator apps, SMS codes, or passkeys would significantly improve account protection and customer confidence.
As a new Plusnet customer, I value your service and would appreciate any updates on whether MFA is being considered or planned. If it’s already in development, I’d be grateful for any timeline or beta access information.
Thank you for your time and commitment to customer security.
Kind regards,

Re: Multi factor authentication on Plusnet

dgf — Mon, 10 Nov 2025 14:33:06 GMT

further to my post I am particularly concerned that Plusnet keep a copy of all account holders passwords online and ask for access to it confirm identity when you speak on the phone. This seems totally counterintuitive regarding security and it means that passwords are there to be hacked on Plusnet servers

Regards

Re: Multi factor authentication on Plusnet

jab1 — Mon, 10 Nov 2025 20:34:28 GMT

As a new customer, are you aware of any instances where Plusnet have suffered any of the issues you mention?

Re: Multi factor authentication on Plusnet

dgf — Tue, 11 Nov 2025 10:37:22 GMT

No, as a new customer I was very surprised to find that Plusnet agents ask you to verify part of your password. This means that Plusnet hold password records of all their account holders.

MFA is required by law in UK financial institutions.

The Information Commissioner’s Office (ICO) has warned that failure to implement MFA—especially for external access—could lead to fines if it results in a preventable data breach.

Furthermore the ICO considers MFA a “mature and expected” security control for protecting personal data.

Regards

Re: Multi factor authentication on Plusnet

jab1 — Tue, 11 Nov 2025 10:47:29 GMT

I have been here since 2012 and have never known ACCOUNT passwords to have been compromised. I don't know, obviously, how the requested elements of a password are presented to the agents, but I doubt they are presented in full. Plusnet, or any organisation, must hold the passwords somewhere, or how else do they get verified when you log in?

Plusnet is not a financial institution - it is an Internet Services Provider.

Re: Multi factor authentication on Plusnet

dgf — Tue, 11 Nov 2025 11:10:25 GMT

Hi again,

2FA is also available via many online providers. MFA is increasing as it is more secure. I would suggest that doubters should look at National Cyber Security website , GCHQ and Information Commissioners Office for qualified advice . I was so surprised regarding the password issue with Plusnet that I investigated these expert sites myself and realised that breaches are becoming more of an issue and the costs are massive - both in loss of personal information, compromising of other website information and massive fines to companies who have created a preventable data breach. Personal Information loss seems to be the basis of some Ransmoware attacks.

Regards

Re: Multi factor authentication on Plusnet

Ali_A — Tue, 11 Nov 2025 16:18:35 GMT

Hi @dgf

Great to hear you have joined us at Plusnet.

We take security extremely seriously and take all steps necessary to ensure customers data and passwords are kept secure. Plusnet use several methods of encryption on all customer passwords. This uses complex algorithms to scramble and de-scramble your passwords.

You can find out more about the passwords at Username and password security guide | Help | Plusnet

Learn how to stay safe online in 2025 and protect yourself from hackers, scams, and more with our helpful guide and expert tips.

Ali

Re: Multi factor authentication on Plusnet

dvorak — Tue, 11 Nov 2025 17:43:46 GMT

Moderators Note

This topic has been moved from Broadband to Plusnet Feedback

Re: Multi factor authentication on Plusnet

Niloc — Wed, 12 Nov 2025 00:36:01 GMT

"Hashing and encryption can keep sensitive data safe, but in almost all circumstances, passwords should be hashed, NOT encrypted.

Because hashing is a one-way function (i.e., it is impossible to "decrypt" a hash and obtain the original plaintext value), it is the most appropriate approach for password validation. Even if an attacker obtains the hashed password, they cannot use it to log in as the victim.

Since encryption is a two-way function, attackers can retrieve the original plaintext from the encrypted data. It can be used to store data such as a user's address since this data is displayed in plaintext on the user's profile. Hashing their address would result in a garbled mess."

Advice from the Open Worldwide Application Security Project (OWASP).

So even using complex algorithims to scramble and de-scramble your passwords is not ideal.

Re: Multi factor authentication on Plusnet

jab1 — Wed, 12 Nov 2025 07:48:53 GMT

@Niloc Note that the linked article is 'archived', so may not reflect current practice.

Re: Multi factor authentication on Plusnet

Protech — Wed, 12 Nov 2025 10:32:02 GMT

@Ali_A wrote:

Hi @dgf

Great to hear you have joined us at Plusnet.

We take security extremely seriously and take all steps necessary to ensure customers data and passwords are kept secure. Plusnet use several methods of encryption on all customer passwords. This uses complex algorithms to scramble and de-scramble your pasword

@Niloc

The ability for Customer services to see your partial password confirms that Plusnet are not using one way

Hashing for account passwords. How this would pass any security audit in 2025 should certainly be raising concerns imho.

FWIW I was implementing systems with one way salted hashes for user passwords over 25years ago!

Re: Multi factor authentication on Plusnet

Townman — Wed, 12 Nov 2025 10:55:47 GMT

Forcing 2FA would preclude many users from accessing their services...

Not everyone has a mobile phone
Not everyone who does, has adequate coverage where they would need it

In context this is a technical capability looking for a problem ... which does not exist

Much of this security fear is nonsense. If one fears the compromise of userID / password and thinks 2FA is the answer ... what happens when your credentials have been compromised AND your phone has been stolen (or cloned) ... what then 3FA?

Re: Multi factor authentication on Plusnet

dgf — Wed, 12 Nov 2025 21:36:45 GMT

Hi,

2FA does not require a mobile phone. It also has the option of emails! It is widely used for all online banking.

Multi Factor Authentication (MFA) which is the subject of this post is the most recent form of security, not 3FA.

Regards

Re: Multi factor authentication on Plusnet

jab1 — Wed, 12 Nov 2025 21:42:23 GMT

All yours, @Townman - my head hurts.

EDIT: Plusnet is an ISP,not a bank, @dgf

Re: Multi factor authentication on Plusnet

Townman — Thu, 13 Nov 2025 00:02:39 GMT

Three-factor authentication (3FA) is a security process that requires users to provide three different types of proof to verify their identity, combining elements of what they know, what they have, and what they are. It provides a higher level of security than two-factor authentication by using three distinct factors, such as a password, a mobile device, and a fingerprint, to prevent unauthorized access even if two factors are compromised.

Think that’s what I said…

Re: Multi factor authentication on Plusnet

Anonymous — Thu, 13 Nov 2025 01:07:16 GMT

RADIUS, innit?