Enabling two factor authentication hassle

Regular Visitor

I want to enable 2FA on my account for the obvious reason that my primary Xfinity email acct. is tied to various other important accounts. Gain control of my primary email and a bad actor will have an easier time changing passwords on those other accounts. When I go into Xfinity to set up 2FA, the process requests a verified personal email address in addition to a mobile #. My mobile number is attached already. When I try and enter my primary Xfinity email address I get an error "This email address is already associated with an Xfinity account". No Duh. I only have the primary email address and other sub addresses but they are all @comcast.net addresses. I could set up a Gmail email but I don't want to run 2FA through Gmail or an outside 3rd party email. Why isn't my mobile number sufficient for 2FA? My bank does it that way as well as other critical services I use. I don't want to use my sub primary @comcast email accounts because they were intended for use with non-important stuff and they are more exposed as a result.

Official Employee

Re: Enabling two factor authentication hassle

Hi @movingon70. We're working on lowering the 2FA (aka "Two-Step Verification") enrollment criteria to only mobile; these are in discussions with Security, Legal and other teams, and as you accurately cited, other organizations are doing the same thing.

Right now though, adding your @comcast.net secondary user address wouldn't make sense, assuming you're the primary, and you are also your secondary users via the emails which you as the primary manage. Those secondary @comcast.net emails don't represent another unique authentication factor. If someone takes over your secondary email (especially with a weak secret question and answer recovery method) and that email is used in 2FA, they've defeated 2FA, and are then able to get into your primary email.

I'd recommend for now at least adding your Gmail, which, if it has its own two-step verification, makes it much harder for anyone to ever access your primary Xfinity ID.

 




 


I am an Official Comcast Employee on the Identity Product Team at HQ.
Official Employees are from multiple teams within Comcast: CARE, Product, Leadership. We ask that you post publicly so people with similar questions may benefit from the conversation.
Regular Visitor

Re: Enabling two factor authentication hassle

Thanks for the response. I was thinking of using my wife's work email address. I had a question though. Does the 2FA system send a notification to both the listed email and the mobile number at the same time? If so then that setup will work for me since I will be able to pull the code from my phone.

Official Employee

Re: Enabling two factor authentication hassle

No problem! That would work. The 2FA system sends a text by default so it won't do both at the same time, so you'll be set.

We've got good documentation here as well.

https://www.xfinity.com/support/articles/enroll-2-step-verification

 

