Security at QRZ

Since 1993, QRZ has sought to provide the best technology available to our users. In the early days, before even Windows existed and at a time when dial-up modems were the primary connection to the outside world, QRZ was already serving callsign data online. A lot has happened in the past 24 years: computers, networks and operating systems have all become faster, more sophisticated, and more vulnerable at the same time. Crooks, criminals, and hackers have likewise become more sophisticated and expert at what they do. Security, once a "nice to have" option, has become an absolute necessity for even the simplest of websites.

Today, QRZ is pleased to announce that we're making an extra level of security available to our users. To achieve this, our engineering team has implemented Two Factor Authentication (often called 2FA) as part of our overall security scheme. With 2FA, after entering your password you are asked to supply a one-time secret code, called a token, that is generated by an app on your device or sent to you by text message. You will be asked for a token whenever you sign in from a new device, browser or location; if nothing changes, a device stays recognized for 30 days. This enhanced account protection is available to all users free of charge, and so is the token-generating app, Google Authenticator.

Text Messaging Tokens

You've probably seen this method used on banking websites or perhaps on eBay or Amazon. You register your cell phone number with QRZ, and when you attempt to log in we send you a text message containing a temporary six-digit token. Because the code is delivered to your phone, someone who has only your password still cannot complete the login. We want to make one thing absolutely clear: we will never call your phone and we will never disclose your number to any third party. Your phone number will remain absolutely private with us.

App-based Token Generator

An app-based token generator is a program (app) that runs on your phone, computer, or tablet.
Once the app has been installed and registered with QRZ, it generates the token code you need to sign in to QRZ. The advantage of this method is that no active cellular connection is needed. One of the best known apps for this is the free Google Authenticator, available for Android, iPhone, BlackBerry and desktop systems. All versions work the same way to provide valid security tokens.

Things to Consider

Once you are enrolled in 2FA you will be asked to provide a token on your next login. After you log in, QRZ sets a "cookie" to remember your device, and you will not be asked for another security token on that device as long as you remain logged in on it. If you use multiple devices, such as a phone, iPad and computer, you will be required to provide a security token when you log in on each of them. Logging in on one device does not invalidate another device that is already registered. The security token does not replace your password. You will still need your regular QRZ password to log in, and you will only be asked for a security token when the device or location you are logging in from is unrecognized.

Which Method Should I Use?

You can use either method to get your security tokens. Registering your cell phone number with us gives you the greatest flexibility, and if you also have the app on your phone you can log in with or without a cellular connection. With the app on your phone, you can use the token it generates to log in from any device. For example, if you are using a library or public computer you will be asked for a token; you open the app on your phone and type in the code it shows to complete your login. Text messages work exactly the same way, except that you must have cell coverage. Also note that if you are on a plan where you pay for individual texts, your phone company may charge you for the message.
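The two mechanisms described above, a six-digit code computed by an authenticator app and a cookie that keeps a device recognized for 30 days, can be sketched in code. The following is an added example written for this page, not QRZ's implementation: the function names, the cookie layout and the server-side cookie key are assumptions, and the authenticator secret is the published RFC 4226/6238 test-vector key so the codes it produces can be checked against the RFCs.

```python
"""Added example: a TOTP second factor (the algorithm Google Authenticator
implements, RFC 6238 on top of RFC 4226) plus a signed "remembered device"
cookie.  Illustrative code, not QRZ's; names and cookie layout are assumptions.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector key ("12345678901234567890" in base32), used
# here only so the output can be checked against the published vectors.  A real
# enrolment generates a fresh random key per user (e.g. secrets.token_bytes(20))
# and shows it to the user as a QR code or manual-entry string.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Server-side key for signing device cookies.  Constructed for this example.
DEVICE_COOKIE_KEY = b"example-server-side-cookie-key"
REMEMBER_SECONDS = 30 * 24 * 3600  # the 30-day window described in the text


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the 30-second step index."""
    return hotp(secret_b32, at // step, digits)


def verify_totp(secret_b32: str, submitted: str, at: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side for clock skew.
    The comparison is constant-time so it does not leak which digits matched."""
    submitted = submitted.strip()
    if len(submitted) != digits or not submitted.isdigit():
        return False
    for k in range(-window, window + 1):
        counter = at // step + k
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter, digits), submitted):
            return True
    return False


def issue_device_cookie(user: str, device_id: str, now: int) -> str:
    """Cookie value set after a successful password + token login.
    Layout (an assumption): user|device|issued-timestamp|hex HMAC-SHA256."""
    body = f"{user}|{device_id}|{now}"
    mac = hmac.new(DEVICE_COOKIE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def device_cookie_valid(cookie: str, user: str, device_id: str, now: int) -> bool:
    """True only if the MAC verifies, the cookie is bound to this user and
    device, and it was issued within the last 30 days."""
    try:
        c_user, c_device, issued, mac = cookie.split("|")
        issued = int(issued)
    except ValueError:
        return False
    body = f"{c_user}|{c_device}|{issued}"
    expected = hmac.new(DEVICE_COOKIE_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    return c_user == user and c_device == device_id and 0 <= now - issued < REMEMBER_SECONDS


def needs_token(cookie, user: str, device_id: str, now: int) -> bool:
    """After the password check: prompt for a token unless the device is remembered."""
    return not (cookie and device_cookie_valid(cookie, user, device_id, now))


if __name__ == "__main__":
    now = int(time.time())
    print("current code for the demo key:", totp(DEMO_SECRET_B32, now))
    c = issue_device_cookie("W1AW", "browser-abc", now)   # constructed identifiers
    print("token needed on this device right now?", needs_token(c, "W1AW", "browser-abc", now))
    print("token needed 31 days later?", needs_token(c, "W1AW", "browser-abc", now + 31 * 86400))
```

The cookie only records that a token was already presented on that device; the password is still checked on every login, which matches the behaviour described above. In a real deployment the cookie should also be set with the Secure and HttpOnly flags, and it is sensible to invalidate outstanding device cookies when the user changes their password or disables 2FA.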
What if I Don't Use QRZ's 2FA?

The use of Two Factor Authentication when logging into QRZ is completely optional. Existing QRZ members may ignore all of this and simply act as if nothing has changed. As time goes on, however, some features on QRZ may require that you are registered with 2FA; in particular, we will be requiring its use in our Online Swap Meet forum.

How Does This Improve Security?

Two factor authentication makes it much harder for your account to be hijacked. Completing a login requires two pieces of information (your password and the token), and the token is a temporary one-time code that cannot be reused. With 2FA, your password, even if accidentally shared or disclosed to others, is not enough on its own to compromise your account, because the attacker would also need the phone or app that produces the current token. 2FA is one of the best and most widely accepted standards for login security.
The intent is that in the future, sellers will have to be registered with 2FA. There is no need for the browsing public to be authenticated. If/when 2FA becomes more commonplace among our members, we will look for other areas to make good use of it. One of those areas would be the Swap Meet.
Hi Fred - first off, thanks for all you've done for the ham community with QRZ.com; our hobby would be very different without it. I just logged out, then back in, but didn't get presented with the option... I'm probably just blind and not seeing the "opt in" bit. Dave W7UUU
As I already use Google Authenticator, this was easy! Done - enabled! FYI - you enable 2FA on the main QRZ page (not the forums) by clicking on your call sign on the right and selecting "my account". The option to turn on 2FA was right at the top for me...
Hi there, Dave. Good question. Once you are logged in, please go to "My Account." There you will see the option to enable 2 Factor Authentication at the top of your screen. 73 Jaime Jeffries, KF7WIS
Fred, have you considered implementing/using Log of the World P12 certificates? Heikki Hannikainen OH7LZB (aprs.fi guy) brought up the idea at the 2013 DCC. It would seem like a no-brainer to truly verify that users are the ham they claim to be for swap listings etc. I hope you will look into this.
QRZ Introduces Advanced User Account Security

What about us extras? And the novices and the techs and the generals...
Got the additional layer of security enabled... it was straightforward and easy. What I did note was that I got a "checkbox" prompt that said it would remember the token sent for 30 days. Why only 30 days? My banks and such use the same method, but they are remembering my browser. I'll get a new prompt when I log in from a different browser or device. If I'm using one device and one browser, why is it necessary to redo the token every 30 days? Did I miss something?
Well, that was easy. I cover almost all my website passwords with the Google Authenticator App. Thanks for doing this, QRZ staff.
I have not tried my logging software which uses the API calls for callsign lookups; I just learned of this new feature today! Will there be a capability for "App passwords" as well/if necessary for applications? [Ed. No, "App Passwords" aren't needed in this implementation. -fred]