Multifactor Authentication and international travel

I have been bumping up against this issue the last couple of times I travelled overseas.

Multifactor authentication can be a very useful security feature. However, this is usually (always?) linked to your mobile phone number.

My experience is that, although the associated number can be modified, it requires simultaneous access to both the old and the new numbers to authenticate the change. If you don’t have a phone that accepts dual SIMs (I don’t!), this is difficult and anxiety-producing (“will I be able to change the SIM quickly enough to meet the response time requirement?”).

I therefore prefer to retain my usual number – both because of MFA but also so I don’t have to advise of the phone number change to friends and family. Usually when overseas, I have little need to make or receive phone calls or texts and don’t use it for internet browsing (as I stay with family or friends and therefore use their WiFi for such activities.)

However, I have been unable to find an international roaming add-on which provides what I actually need (maybe 1-2 phone calls every couple of days and perhaps a few more texts) for any sort of a reasonable cost.

My old Virgin account had an international roaming add-on which (from memory) charged a small fee for each call and text – my additional cost in 2019 for over a month overseas (my invoice shows many individual calls and data charges) was $53.23. (This is the main reason I picked Virgin Mobile at the time!) However, the plan I am currently on charges $5 for every 24 hour period in which you called or texted at least 1 time.

My most recent trip in 2023 (for pretty much the same number of days overseas as in 2019), keeping my regular SIM resulted in charges of over $140, plus endless anxiety about whether any particular text or call was going to trigger a new day’s charge (as I couldn’t figure out what the start time was for a ‘24 hour period’ – it certainly wasn’t based on the time of the ‘trigger’ call or text).

So, this post is partly a rant about international roaming costs, but also a query about how others are addressing multifactor authentication, international travel and mobile phone plans.

3 Likes

Sorry, no it’s $10 per each 24 hour period, not $5

1 Like

The first question is why do you need it and what for?

When we travel overseas (up to about 5-6 weeks), we check what bills might be arriving and arrange prepayment. We also don’t do online banking or carry out any online access that needs MFA. I could see if I was travelling for work, MFA may be required for remote login, but, this would be up to the business to provide/resolve.

Shedding light on why MFA during overseas travels would be useful. Often it is possible to turn off MFA but this has risks, especially when travelling away from home.

For longer trips (multi-month), we use Powers of Attorney for someone back in Australia to be able to execute actions on our behalf. Downside is, this can usually only be done in person at an office/agency of those we need to interact with. It can be a time and cost impost on others.

2 Likes

Yes, it’s useful. But although it is often linked to a mobile phone number by default, that isn’t always the only option.

My first step would be to find out whether there are alternative methods of MFA for the sorts of things you might need to do while overseas.

You might be able to use an authentication app like Google Authenticator or Apple’s 2FA code generator on your phone to generate the code instead of having it sent to your mobile.

Most banks can issue hardware security keys that generate the codes you’ll need.

Or you might be able to choose to have codes sent to either an email address or to a phone number. If that is an option, it would make it easier for you to change the SMS code phone number to a travel SIM number, too. If you’ll have wifi access everywhere, you can receive emails (probably) just as quickly as you would at home.

3 Likes

To be honest, I think turning MFA off while traveling would be a solution possibly worse than the problem. The primary trigger is usually bank accounts. (For instance, I am treasurer for a community group and have had instances where a new payee needed to be created to pay an unanticipated bill, but creating a new payee requires MFA.) I am also finding that the more I use MFA, the more activities are impacted - the mobile phone account, the ISP account, even my airline loyalty account (which may be needed while travelling). Most of my utilities accounts are also set up with MFA, although these are less likely to need attention while I am traveling. There isn’t really anyone I could lean on for a POA in Aus while I’m away.

2 Likes

Most telcos will send SMS to your number for free while OS and they usually only charge if you send one from OS for which you must have roaming enabled to send. Having a dual SIM capability means that a user could retain the Australian number as well as having an OS SIM. When interacting with any business that notifies by SMS for 2FA, then you put the code received on your Australian number, into the input box and you should be fine.

If not able to dual SIM, then an Authenticator as @isopeda suggested may be an alternative as many businesses who require or encourage 2FA will now often accept many Authentication apps as alternatives to SMS or emailed codes.

My phone accepts both a real SIM and an eSIM. I have used this dual SIM facility successfully while OS, dealing with my Banks.

I also use an Authenticator app for a few others and at least one of my financial institutions has moved to accepting the use of the app. Worth perhaps inquiring if your businesses will also allow the same usage.

2 Likes

These might also include SMS activity updates for the primary CC. Especially useful when travelling to know if there is an issue with misuse when it occurs. On longer journeys including multiple flight bookings one also needs to provide a reliable contact number for each carrier. Flights do change.

We’ve previously relied on post paid mobile accounts and receiving SMS OS for free. Mobile data turned off, and not answering incoming calls. The unanswered call left message to text was a useful way to screen unknown numbers.

If one chooses to receive authentication codes via email, our success accessing one’s email from an overseas location varies. Gmail no problem. Others not always depending on how one connects at the time.

To note one of our banks is transitioning from a hardware key to Authenticator App tied to the mobile number. The other relies on issuing transaction verification codes via SMS. One does not want to find access to one’s account has been lost while away. Dropping into the local branch to remedy not an option. It has happened.

1 Like

Was in Vietnam for about 1 month returning a couple of days ago.
Used a Latitude 28 card everywhere with no troubles. NFC was patchy but the card worked anywhere that took cards (95% of places) including major taxi brands.
Having used this 28 card, with no overseas charges, I discovered, for the first time, their 2 authentication process included a tick box where one could have & use a code sent through the Latitude app.
WONDERFUL if using to purchase tours etc. online.
Also used the ING debit card to get cash (not used much) again no overseas charges & any ATM charges refunded. They DO NOT have the app thing the 28 card did BUT should!

I always purchase a local SIM card when travelling, worked out <$1 a day unlimited, & remove the OZ one, (I’m not paying $5 Vodafone or $10 Telstra a day) BUT do remember to cancel the VN SIM subscription when leaving the country, otherwise may be difficult to do once home.

Hope this info is helpful.

2 Likes

I used to be the same but the group set up delegations for two individuals, the treasurer and a backup. The backup was to ensure continuity should the treasurer (me) be unavailable or incapacitated. We had to stipulate that joint approvals weren’t required on the account and each person had full authority to action banking transactions. This is a relatively easy workaround for community groups and works well.

Most MFA can have workarounds when travelling. It just takes some forethought and planning. Whether it is prepaying bills, deferring payments, setting up alternatives etc.

1 Like

Getting ready for a trip myself I have 5 financial institutions to deal with, the 5 is ‘just in case’. Each of the 5 has its own protocols and procedures. Examples-

One card does not accept advisories and will disable the card if there is a suspected fraudulent charge, and send an app notice to ‘clear’ it. I cannot get the app (US issuer) in any case (geoblocked) - so they will send an email with a link to ‘OK’ it. Their process thus requires email access on the spot; trying the charge again after it being declined and after responding. An alternative is being able to ring their fraud department (100% of the time they are experiencing a higher than normal call volume, no comment on that) and go through their process.

Another only allows an advisory to be set from their app, not from their web site. It is for a maximum of 30 days from when the advisory is given not from the departure date. Something to be mindful of since for a trip more than 30 days it will have to be done more than once, including while travelling.

Another wants a list of countries and dates to enable international use.

Another will only allow 2 weeks at a time travel notices from their web site, but ringing them and anything is possible.

How does any of that work in practice while travelling? It might be fully transparent, problem free, and a non-issue but with the wondrous and inconsistent opportunities for cards to get blocked it does not surprise me that many travellers get serious angst at the potential for being in a far off land unable to pay because of 2FA issues.

3 Likes

I think MFA that uses mobile text messaging is weak. Many instances where a telco has been tricked into reissuing a SIM only to have somebody’s bank account emptied. Best to use Authenticator apps or key fob or yubico key or something like that if possible.
Most MFA systems I use seem to offer Authenticator app.

1 Like

My bank sends a message if I am making a payment to a new company to verify that it is me making the payment. Because I have occasionally needed to make such payments while overseas, and I use a prepaid SIM while away, I have arranged for the MFA to be sent to me via my email address. I don’t have access to my Australian number while away. But I do have access to my emails.

2 Likes

I’m with Amaysim and they have cheap prepaid international roaming plans that meet my needs. If you don’t need data, for $20 you get 100 minutes of voice and 100 SMS and this lasts for 365 days. Alternatively you can pay $25 for 50 minutes voice, 30 SMS & 2GB of data for 365 days. Personally, I find it useful to have all three because sometimes you get or make an unexpected call or text, or have the convenience of data for navigation, book tickets or simply look something up while you’re out and about. They have other international roaming offers, and competitive rates on their Australian plans too.

1 Like

I just lie and tell them that I don’t have a mobile phone. That mostly forces them to provide a better alternative.

Assuming that you haven’t done that, in some cases it may work to configure so that SMSs are received as emails.

If you make these trips as frequently as it seems, then you may be better off buying a cheap phone for making calls and text overseas (as an alternate to upgrading your usual phone to one that accepts dual SIMs) and buying a prepaid SIM in the destination country for each trip. When I visited the UK and Europe earlier this year, I simply bought a 10GBP pre-paid SIM with 30-day duration that included European roaming. Then you can leave your Aussie SIM in your existing phone for the MFA texts.

3 Likes

The other risk is some financial institutions (and I expect others) track IPs when logging in. There is a risk access is blocked if overseas IPs are detected through login process when these aren’t typical for the account holder in question. One should confirm with any business, where an account is held and access when overseas is likely, access to the account is possible. No differently to notifying financial institutions of places overseas where cards may be used.

Edit: MFA sent to an Australian mobile number on an Australian carrier with a foreign IP address is likely to be flagged as suspicious. It might suggest a scam, this combination may suggest unauthorised access to an account.

2 Likes

And the challenge here is that by law, the bank has no idea where your phone is. (I am not suggesting for one moment that that law should change. The reality is that you should tell your bank where you are going if you are going overseas, and when you are going, and then the foreign IP address shouldn’t be suspicious.)

1 Like

I use ALDImobile’s international roaming on my mobile and keep my local number. The costs vary a bit according to country but aren’t too high. In general I don’t answer incoming calls unless it’s an emergency as there is a fee to receive calls as well as send them. I call back using WhatsApp when I have good wifi. WhatsApp is good for texts and sending photos too. I keep data turned off though may occasionally turn it on if I get lost and need Google maps. I usually end up paying no more than $20 during a 4 week trip.

2 Likes

This seems to be the solution the OP is looking for. Coles mobile has a similar roaming package - not as good value as the credit expires after a month, but the main service costs less.

2 Likes

It appears Amaysim may be the way to go. I’m usually away for more than 30 days, so the 365 days duration suits me way better.

1 Like