Starting November 2021, we implement two-factor authentication on all CrewLounge AERO apps.



What is 2FA?


Two-Factor authentication (2FA) refers to a login process that requires more than just a user name with a password. If your password is compromised somehow, 2FA can prevent an attacker from logging into your account by requiring a second form of verification.



Why do we implement 2FA?


Usernames are often easy to discover, especially when you use your company email address to create an account with CrewLounge AERO. In this scenario, the only real protection you have against someone logging in to your account, is the strength of your password.


There are different ways that bad guys can get your password. The first way is to simply guess your password... Too many crew members use simple passwords like anna1972 (year of birth) or john12345 (the non-worried guy).


Hackers may get access to your password, because it was stored in an unsafe location on your phone, on the internet, or in your email inbox.  This is especially dangerous when you reuse a single password across different services, like online shopping, your company crew roster or social media channels.  Passwords can also be stolen when inserted on non-secure websites.


Worst case scenario, an attacker gets access to the CrewLounge AERO cloud server and steals the login credentials of all users.  As per GDPR regulations, we would have the obligation to notify you about such data breach.  As a side note, we do not store any credit card or other financial data about you in our system - all payments are handled by external parties (read our Terms of Use - Privacy Policy - Data Collection - How do we collect this data?).


2FA is an extra layer of protection against the human frailty of creating weak passwords and reusing them across services. It also protects against account data being stolen. 2FA requires an extra PIN number to login in addition to your password. This PIN number is different every time and can only be used once. Therefore, a bad person managing to get your password won’t be able to log into your account, unless he or she also managed to obtain your current 2FA PIN number.



How does it work?


CrewLounge AERO
 requires entering a PIN number when logging in from a new device (phone, tablet, computer). 


Note:

Notice the difference between PIN code and PIN number. PIN code is a fixed number (usually 4 digits) that you choose yourself and reuse every time again. PIN number is an ever-changing number (usually 6 digits) that is generated randomly.  In the context of 2FA, we use a PIN number!



Launching a CrewLounge AERO App


This is how it works:

  1. launch the app on your phone / tablet / computer
  2. insert you login credentials (username and password)
  3. you receive an email with a PIN number
  4. insert the PIN number in the app


When completed, your device is automatically listed as "Trusted Device". You will no longer be challenged for a PIN number when connecting to CrewLounge AERO from this device.  You will still be challenged for your login credentials, if you did not use the device for more than 7 days.


In case you run multiple CrewLounge AERO apps on the same device, you are challenged for 2FA when launching the first app.  Once the device is trusted, you can use all other CrewLounge AERO apps without additional 2FA.  



Login to My CrewLounge from a web browser


The login process is identical to launching an app. However, web browsers do not automatically become a trusted device after successful login. This is to avoid that a browser is being added when you login to My CrewLounge from a computer that is not yours.


You must select the "Trust this browser" checkbox during the login process to mark the browser as "Trusted Device".  You will no longer be challenged for 2FA once the browser is trusted. You must accept website cookies in order to recognize and trust the browser.



Trusted Devices


A device can be any hardware (phone/tablet/computer) on which you run any of the CrewLounge AERO apps, or any web browser through which you access the CrewLounge AERO web portal.  You can manage the list with devices (trusted and non-trusted) from the My Account panel in My CrewLounge (here).  


Devices that are not used for more than 7 days and that are not trusted, are automatically removed from the list.



How to turn-off 2FA?


Two-factor authentication is an extra step in the login process, and usually comes together with the hassle of initial registration.  You may therefore be inclined to turn-off 2FA.  
Yes, two-factor authentication is cumbersome.  But take it from us, cleaning-up the mess after an attack on your account, is worse! 


CrewLounge AERO takes your privacy and data protecting very seriously.  We recommend to not turn-off 2FA.  Notice that 2FA is needed one time only per device, while it elevates your security more than double (1+1 = 3).


Should you still want to dis 2FA on your account, you can do so from the My Account panel in My CrewLounge (here).