Oyster/contactless website account services unavailable on May 15th.

[londonbridge]

I’ve just received the following email from TFL. Fares advice seems the most appropriate place for this, haven’t checked the other forums so if it’s already been posted elsewhere then mods please move/delete as appropriate.

From 14:00 on Monday 15 May, Oyster and contactless services via the web and mobile app will be unavailable to make improvements to our service. This work is due to be completed by the morning of Tuesday 16 May. Check our website for any changes and updates.

Oyster and contactless customer services centres will also be unavailable during these works.

We advise that if you need to access your account to top up your Oyster card, ensure your contactless card is approved for travel, apply for a refund or view journey history, that you do this before Monday 15 May.

The improvements taking place are to launch Multi-Factor Authentication (MFA) to TfL Oyster and contactless accounts to help ensure that your account and personal details are kept safe.

Further information about the introduction of MFA can be found on our website.

​

​

Protecting your Oyster and contactless accounts​

We've been working on an even more secure way to sign in to your Oyster and contactless accounts.

• Details of the change
• Getting ready for the change
• What you need to do
• Forgotten details/error
• From outside the UK and Europe
• Why we're using SMS authentication

To strengthen the existing security measures for your account, we're introducing multi-factor authentication (MFA) from Tuesday 16 May 2023. After that, we'll ask you to set up MFA by providing a mobile phone number the next time you sign in to or create an Oyster or contactless account.
While the upgrade is taking place you will not be able to access your Oyster or contactless account. It will start at 14:00 on Monday 15 May 2023 and run overnight.

Details of the change​

If you do not have access to a mobile phone, we can still support you. Call us on 0343 222 1234 (TfL call charges) for any questions about Oyster and contactless.

MFA​

• You will enter your username and password as before, but you will also need a one-time code to sign in to your account. This will be sent by SMS (text message) to a registered mobile phone
• MFA adds an extra layer of security to the sign-in process. It helps to confirm you are who you say you are when signing in to your TfL account, providing additional protection for your personal information
• You will need to have your registered mobile phone available every time you sign in to your account

TfL website​

• As part of this update, we have redesigned parts of our website. Some screens will look a little different, including the personal details dashboard for Oyster and contactless accounts

Your mobile phone​

• We need a mobile phone number to verify your identity and set up MFA on your account
• You will need this phone to receive text messages (SMS) from us every time you sign in to your Oyster or contactless account online or on the TfL Oyster and contactless app
• All SMS messages with the one-time code will show 'TfL' as the sender
• We will not use your mobile number for any purpose other than to text you codes so you can use your account (unless you have provided us with the same number when contacting us for another reason)
• You can use a non-UK mobile number to authenticate your account. When adding your mobile number select the appropriate country code from the drop-down list

Getting ready for the change​

• Download the latest versions of the TfL Oyster and contactless app and web browsers on your devices
• Use a secure, strong password made up of different characters and numbers, ensuring it doesn't include any personal information
• Use separate passwords for your accounts
• Remember to sign out of your account, especially if using a shared or public device

What you need to do​

Signing in to an existing account​

1. You'll be prompted to set up MFA the first time you sign in after the upgrade - we'll email you a one-time code to verify you own the account you're trying to sign in to
2. When you next sign in, enter your email address and password as you do now - we'll then send a 6-digit code to your registered mobile phone
3. You will need to enter the code texted to your registered mobile phone every time you sign in
4. You may be asked to authenticate again when accessing personal information

Creating a new account​

1. To create a new account, you will enter an email address - the email address must have fewer than 100 characters
2. You must have access to the email address to receive a one-time code for the initial set up
3. Once you have entered the correct one-time code, you will be asked to provide your personal details including a mobile number to set up MFA
4. When you first sign in to the account, we'll send a 6-digit code to your registered mobile phone. Enter the code in the sign in tool to confirm you are the account owner
5. You will need to enter the code texted to your registered mobile phone every time you sign in
6. You may be asked to authenticate again when accessing personal information

Make sure you sign in to or create your:

• Oyster account on the Oyster cards page
• Contactless account on the Contactless and Oyster page
• Oyster or contactless account on the TfL Oyster and contactless app

Update any saved bookmarks or favourites to ensure you're using the correct links to access your account.

Updating personal details​

You'll be able to update your personal details, including the mobile number you registered for MFA:

• Personal details: select 'Personal details' in the menu on the right-hand side of the screen and then select the personal details to update. The personal details dashboard has been updated
• Registered mobile number: select 'change mobile number' when you sign in. You will need to verify your old mobile number to change to your new mobile number. Make sure you can receive text messages on your old number first. If you don't have access to your old mobile phone number, call us on 0343 222 1234

Forgotten details/error​

Forgotten password​

If you forget your password you can reset it as you do now:

• App: Click 'reset password' before signing in to change your password. Enter your email address so that the reset password instructions can be sent to you
• Website: Click 'forgot password' before signing in to change your password. Enter your email address so that the reset password instructions can be sent to you

Forgotten email address​

Contact TfL Customer Services on 0343 222 1234 (TfL call charges)

• Contactless: 08:00-20:00 Monday to Friday (09:00-17:30 Saturday to Sunday)
• Oyster: 08:00-20:00 Monday to Sunday

Error messages​

If you receive an error message and can't sign in, try closing your browser. If that doesn't work, try again later.

From outside the UK and Europe​

Accessing Oyster and contactless services​

Protecting our customers' data is paramount and we want to ensure personal accounts remain safe. As part of this ongoing work, Oyster and contactless online accounts can only be accessed within Europe.
Customers from outside Europe can continue to contact us for help. In London you will still be able to travel using an Oyster or contactless card, as well as top up the cards at a ticket machine or an Oyster Ticket Stop.

Receiving SMS when you are outside the UK​

If you're trying to access your account from outside the UK you can still receive an SMS from us with a 6-digit one-time code, but the sender might not show as 'TfL'.
If you have any concerns, you can call us on +44 343 222 1234 (charges may apply - check with your operator).

Why we're using SMS authentication​

• SMS multi-factor authentication adds an accessible and commonly used layer of security to protect our online services
• We continue to review our security to find the best balance between protection and usability
• We may consider additional authentication methods in the future

 

[island]

Sigh. SMS-based two-factor authentication is both annoying and not especially secure.

 

[davews]

Yes, just an annoyance. With my new phone the SMS appears on the screen when the phone is in standby but by the time you have picked it up and started to type the code it then blanks and you have to unlock it and hunt in your messages to find it again. Once I managed to type in the code for a previous one since they all come threaded together from the same number. I hate the things and they achieve nothing as far as security is concerned.
With the introduction of SMS will the annoying Google captcha also go, that is just as annoying...

 

[PeterC]

Yes, just an annoyance. With my new phone the SMS appears on the screen when the phone is in standby but by the time you have picked it up and started to type the code it then blanks and you have to unlock it and hunt in your messages to find it again. Once I managed to type in the code for a previous one since they all come threaded together from the same number. I hate the things and they achieve nothing as far as security is concerned.
With the introduction of SMS will the annoying Google captcha also go, that is just as annoying...

Annoying but in my view far less annoying than the captcha. I just hope that it will be a replacement not an addition

 

[Adam Williams]

Sigh. SMS-based two-factor authentication is both annoying and not especially secure.

I'd expect nothing else from TfL.

Anyone with a brain designing this feature in 2023 would've considered TOTP/push-based approvals (they have an app!)/U2F... Why is this work happening in the middle of the day instead of OOH? Why is there even any downtime at all?

Much like the Oyster card itself nowadays though*, TfL is not really a shining beacon of technical innovation anymore. I'm sure someone will come along to blame this on central govt funding shortly.

* Which I can't top-up with contactless, cannot enable auto top-up for reasons which elude me, cannot top-up remotely unless I know my imminent travel plans, cannot assign a railcard discount to online

 

[Haywain]

Much like the Oyster card itself nowadays though*, TfL is not really a shining beacon of technical innovation anymore. I'm sure someone will come along to blame this on central govt funding shortly.

* Which I can't top-up with contactless, cannot enable auto top-up for reasons which elude me, cannot top-up remotely unless I know my imminent travel plans, cannot assign a railcard discount to online

I top up through the app, which is really easy and can be done when you know you need it. It doesn't take too much planning to know that you will be touching on a barrier 30+ minutes later.

 

[Adam Williams]

I top up through the app, which is really easy and can be done when you know you need it. It doesn't take too much planning to know that you will be touching on a barrier 30+ minutes later.

Invariably I'll get a push notification warning to tell me my Oyster balance is low when I'm leaving/have already left London. I've topped up at this point before on the app, and the top-up then invariably gets "lost" by the time I end up back in London again (why can't the gatelines check online if there is a top-up pending regardless as to when it was created?) and has to be refunded. It's terrible UX.

If I don't remember that it's low, then the next time I find myself heading to somewhere after Marylebone, I'll only find out about it at the gateline when the gate doesn't open - and then you may as well just use one of the POMs instead of the app. They'll also patronisingly tell you to use contactless instead of Oyster once your top-up is complete, which still doesn't support railcards.

Apparently my account is now broken in such a way that I can't set up the auto-top-up without phoning up Novacroft, which I really don't have any patience for:


There's no option to resubmit, and last time I tried to go through the auto top-up flow from the start, it failed. I just gave up with it.

 

[Haywain]

Invariably I'll get a push notification warning to tell me my Oyster balance is low when I'm leaving/have already left London.

I tend to keep mine at a level where I get the reminder when I touch in (I rarely add more than £10 at a time), which is more useful. Whilst the current system is a significant improvement (for me, at least), it still isn't perfect as your experience demonstrates. Before I had a railcard I only used contactless because topping up the Oyster card became so complicated, at the time of having to specify the station you'd be at within 48 hours.

 

[Adam Williams]

I tend to keep mine at a level where I get the reminder when I touch in (I rarely add more than £10 at a time), which is more useful

I'll give that a shot.

Whilst the current system is a significant improvement (for me, at least), it still isn't perfect as your experience demonstrates. Before I had a railcard I only used contactless because topping up the Oyster card became so complicated, at the time of having to specify the station you'd be at within 48 hours.

I'm not sure I've been regularly traveling into London for long enough to remember a time when it was that bad! Perhaps if I had I'd see what currently exists as a bit better..

 

[Haywain]

I'm not sure I've been regularly traveling into London for long enough to remember a time when it was that bad! Perhaps if I had I'd see what currently exists as a bit better..

Well, you are a youngster!

 

[Watershed]

Invariably I'll get a push notification warning to tell me my Oyster balance is low when I'm leaving/have already left London. I've topped up at this point before on the app, and the top-up then invariably gets "lost" by the time I end up back in London again (why can't the gatelines check online if there is a top-up pending regardless as to when it was created?) and has to be refunded. It's terrible UX.

If I don't remember that it's low, then the next time I find myself heading to somewhere after Marylebone, I'll only find out about it at the gateline when the gate doesn't open - and then you may as well just use one of the POMs instead of the app. They'll also patronisingly tell you to use contactless once your top-up is complete, which still doesn't support railcards.

I have auto top-up enabled on my Oyster card, but it was a right faff to set up - you have to wait at least 30 minutes for the auto top-up set-up instruction to propogate to all gatelines/readers; yet you can't wait more than 3 days to 'collect' it. You also can't collect it without making a journey, otherwise you'll be charged a maximum fare. Really not very user-friendly as someone who doesn't visit London often; you have to have the foresight to do it at least 30 minutes before you arrive in London.

On top of it all, TfL insists on topping up as soon as the card balance drops below £20 - rather convenient for them that they're sitting on such a large pile of effectively 'unusable' Oyster balances.

As you say, with such rubbish and outdated technology and still no support for Railcards on contactless (a mere 10 years after contactless began being accepted!) it's ludicrous to propose withdrawing Day Travelcards.

 

[Adam Williams]

I have auto top-up enabled on my Oyster card, but it was a right faff to set up - you have to wait at least 30 minutes for the auto top-up set-up instruction to propogate to all gatelines/readers; yet you can't wait more than 3 days to 'collect' it. You also can't collect it without making a journey, otherwise you'll be charged a maximum fare. Really not very user-friendly as someone who doesn't visit London often; you have to have the foresight to do it at least 30 minutes before you arrive in London.

On top of it all, TfL insists on topping up as soon as the card balance drops below £20 - rather convenient for them that they're sitting on such a large pile of effectively 'unusable' Oyster balances.

As you say, with such rubbish and outdated technology and still no support for Railcards on contactless (a mere 10 years after contactless began being accepted!) it's ludicrous to propose withdrawing Day Travelcards.

100% agree with all of this. Of course, who knows if the intention all along was to actually withdraw the travelcards or just negotiate for more money from the rail industry and then backtrack...