Dear Transport for London,

My name is Alex and I live in London - I travel regularly using your services. I would like to use the Oyster and contactless mobile app (henceforth, "the app") to check my journey history on my phone. However, on both iPhone and Android the app has password manager detection - while the password can be saved to the phone's built-in password manager, attempting to fill from it results in the app deleting the entry automatically, making it difficult to log in, and implicitly encouraging the use of a password the user can remember (which is less secure).

Password managers are encouraged by the National Cyber Security Centre; you can find their guidance here:

https://www.ncsc.gov.uk/collection/top-t...

Additionally, I have concerns that this may make the app less accessible, especially to users with memory or learning difficulties.

Thus, I would like to know:

1. Why do you block password managers from filling the password field in the Oyster app?
2. Are your developers aware of the security risks this creates for users (specifically, of the guidance linked above from the National Cyber Security Centre)?
3. What risk assessment was performed when making the decision to block password managers? Please include any meeting notes or internal communications you have from this decision-making process.
4. What accessibility impact assessment was conducted when making this decision? Again, please include any meeting notes or internal communications you have from this decision-making process.
5. What options would I, as a service user, have to request a review of this design decision?

Thank you very much in advance for your time.

Yours faithfully,

Alex Uhde

FOI, Transport for London

Dear Mr Uhde,

TfL Ref: FOI-1284-2223

Thank you for your request received by Transport for London (TfL) on 23rd August 2022 asking for information about the Oyster app password manager.

Your request will be processed in accordance with the requirements of the Freedom of Information Act and our information access policy.

A response will be sent to you by 20th September 2022.

We will publish anonymised versions of requests and responses on the www.tfl.gov.uk website. We will not publish your name and we will send a copy of the response to you before it is published on our website.

In the meantime, if you would like to discuss this matter further, please do not hesitate to contact me.

Yours sincerely,

David Wells
FOI Case Officer
FOI Case Management Team
General Counsel
Transport for London

Hi David,

As on my other request, I'd like to know why you addressed me as "Mr" when I have a gender-neutral name. Male shouldn't be the default assumption for people where you don't have a gender and who have gender-neutral names.

Thank you for your acknowledgement; I look forward to your response to my request.

Yours sincerely,

Alex Uhde

FOI, Transport for London


Dear Alex Uhde,

TfL Ref: FOI-1284-2223

Thank you for your request received by Transport for London (TfL) on 23rd August 2022 asking for information about the Oyster app password manager.

Your request has been considered in accordance with the requirements of the Freedom of Information Act and our information access policy.

I can confirm that we hold the information you require. Your questions are answered in turn below:

Question 1. Why do you block password managers from filling the password field in the Oyster app?

Answer: The Oyster and Contactless app has supported password managers in the past. However, a more recent release has unintentionally impacted the use of password managers. We will reinstate this functionality as part of a future app release.

Question 2. Are your developers aware of the security risks this creates for users (specifically, of the guidance linked above from the National Cyber Security Centre)?

Answer: Our developers are focused on improving the security of customer data and following guidance from the NCSC. Future app releases will deliver continued security improvements, with the next significant security updates expected in January 2023.

Question 3. What risk assessment was performed when making the decision to block password managers? Please include any meeting notes or internal communications you have from this decision-making process.

Answer: We have not made a decision to block password managers, and therefore there are no meeting notes or internal communications to share. We have identified a bug following an earlier app release and are working to resolve this as soon as possible.

Question 4. What accessibility impact assessment was conducted when making this decision? Again, please include any meeting notes or internal communications you have from this decision-making process.

Answer: As above, no such decision was made, and so no impact assessment was conducted. The issue will be investigated and resolved as soon as possible.

Question 5. What options would I, as a service user, have to request a review of this design decision?

Answer: As this was not a decision made there is no review of the design required. However, we are keen to hear feedback from our customers on any functionality that would be beneficial. These requests can be made via TfL Customer Service (https://tfl.gov.uk/help-and-contact/). Customer feedback is continually reviewed and fed into development roadmap plans for delivery.

If this is not the information you are looking for please do not hesitate to contact me.

Please see the attached information sheet for details of your right to appeal as well as information on copyright and what to do if you would like to re-use any of the information we have disclosed.

Yours sincerely,

David Wells
FOI Case Officer
FOI Case Management Team
General Counsel
Transport for London

Hi David,

Thank you so much! That answers all my questions, and I'm glad to hear this is being addressed! I apologise that I didn't recognise this was a possible bug - the fact that the password manager entry was successful, then the app deleted it, felt very much like intentional detection code.

Have a wonderful day!

Yours sincerely,

Alex Uhde