VIDEO: How one ISP discouraged users from enabling two-step verification

You want 2SV? You have to agree to receive our marketing messages too…


A reader got in touch with me last week, following the series of articles we have published describing how to enable two-step verification on online accounts to harden their security.

The reader, who has asked to remain anonymous, says that he logged into his account at ISP Frontier Communications, in order to change his password. While logged in, he saw he also had an option to enable two-step verification.

However, when he went to set up two-step verification he was greeted with a tick-box:

2sv consent

"I consent to receive account related and marketing calls and/or texts from or on behalf of Frontier Communications Corp. and its affiliates at the wireless telephone number provided above, including by use of autodialed/automated technology. I understand that consent is not a condition of purchasing or receiving service."

Perhaps understandably, the user wasn't prepared to offer consent for marketing guff to be spammed to his mobile phone number. So he clicked "I do not consent", fully expecting to still be able to enable two-step verification.

You can probably guess where this is going.

In our correspondent's own words:

"When choosing 'I do not consent', the field is the phone number field is reset and I’m not allowed to set up 2SV. This seems to be a high level of corporate BS by their marketing department but they’re basically asking me to ditch my privacy for added security."

When he contacted Frontier's helpdesk to ask if it was possible to enable two-step verification without giving approval for marketing messages to be pushed out to him, he received the following (somewhat unsatisfactory and ungrammatical reply):

Frontier reply

"Thank you for the information provided. I have reviewed your service location and currently our Technicians are working to resolve a service impaired it is affecting your area. We are asking you to bare [sic] with us. As we have this issue resolved."

If Frontier Communications wants its ISP customers to enable two-step verification then this seems a pretty sloppy way of going about things, and unlikely to encourage as many people as possible to take up the option.

Maybe Frontier's legal department said they needed some small print to cover the sending of SMS messages to the numbers customers gave them... but that doesn't mean they should also have to agree to marketing crud too!

Watch my latest video to see what I feel about this, and be sure to subscribe to my YouTube channel if you would like me to make more videos.

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, ,

2 Responses

  1. Bob

    May 23, 2016 at 4:00 pm #

    I've never even heard of Frontier Communications but having watched your video I'm assuming they're a US-based company. It doesn't surprise me when companies do this sort of stuff and it's very bad practice.

    I am surprised that companies like BT (in the UK) don't offer 2SV as somebody who could compromise your phone provider would be in a powerful position. I'm undecided how important 2SV is in protecting the account of your ISP (assuming it's different from your phone provider).

  2. Joe1

    May 24, 2016 at 4:21 pm #

    Frontier is not the only company doing this in the US. I am getting marketing calls on my cell phone since o signed for 2SV with Google and Apple.

Leave a Reply