KrisFlyer to introduce OTPs effective 29 June 2018

KrisFlyer will start using OTPs for high-risk transactions by the end of June.

Exactly one month ago, I wrote about the case of Sherie Low, a KrisFlyer member who lost 76,000 miles after an account breach (she was later reimbursed by the airline). I noted that regardless of how the breach actually happened, a properly designed system would have made the theft much more difficult. One of my key concerns was the extremely insecure 6-digit PIN that the system used, coupled with the lack of any OTP for high-risk transactions like redemptions or adding new redemption nominees.

I was therefore pleased to get an email earlier today from KrisFlyer membership services informing me that the program would be implementing a 2FA system from 29 June 2018. I strongly encourage everyone to ensure their contact details with Singapore Airlines are up to date so they can start taking advantage of the improved security as soon as possible. Here’s the gist of the email:

With 2FA, you’ll be asked to enter a one-time password (OTP) each time for certain identified KrisFlyer transactions (e.g. when you access your profile or make changes to your redemption group nominees). As a default, the OTP will be sent to your registered mobile number to validate your identity. Should a mobile number not be available, the OTP will be sent to your registered email address as an alternative.

In preparation for the implementation of 2FA, please ensure the mobile number and email address indicated in your KrisFlyer profile belongs to you, is up-to-date, and actively used.

To pre-empt some possible concerns: I see no reason why the implementation of 2FA should lead to more complicated award searching or anything of that sort. If done right, the OTP will only be requested when you want to redeem an award or conduct other transactions like changing personal details or adding a new award redemption nominee.

Update your account details if you haven’t already done so. Secure your account, secure your miles.

Aaron Wong
Aaron founded The Milelion to help people travel better for less and impress chiobu. He was 50% successful.


another time when the milelion forces a big corporation to act

Aaron Wong

Ha. This was probably months in the planning, to be fair


I posted my question via ‘CONTACT US’ but haven’t got a reply, so I’m dumping it here I guess. First of all, any idea if Citi Premiermiles earns miles on Cardup? I’ve always been a cashback guy because I’m not into travelling (gasp), but Cardup has piqued my interest as a means to get some value back from my insurance and tax payments. Since I pay my premiums annually, that big lump sum exceeds the cashback cap of any >3% cashback card out there, so I have no choice but to dip my toes into the miles game. Citi Premiermiles…


Maybe the reason you did not get a reply is that this information is easily available on the cardup website? Which appears to indicate that a yearly spend of 4100 on insurance and tax will cost 107 in fees and earn 5052 miles. Return economy to Bali is 15k and return Bangkok is 20k. The website will give you equivalent cashback as well.


Thanks for the info. However, cardup website only tells me where I can go on biz or first class which is obviously not what I’m looking for, so thank you again for the info on return economy. What I meant by equivalent cashback is this: Assume a 5% cashback card with no cap. I pay $1k premium via cardup = $26 in fees. 5% cashback on $1026 will give me $51.30, which offsets the $26 fees and essentially gives me $25.30 discount off the premium. Now in the example above, 5052 miles per year means I can redeem a Bali…




Yeah, I would only bother with cardup if you were already collecting miles for biz or first flights.



Asian Miler

A bit surprised to receive the news in my inbox, too, but it’s way overdue anyway. Secure miles means happy flier.


Now that the 2FA has been implemented, I tried a login to see HOW exactly it was implemented and what exactly was protected in my KF account. This is the most sucky 2FA implementation I have ever seen to date. The 2FA protection should be applied to the entire main dashboard landing page, not just to the profile tab and certain other pages. As of right now (12 July 2018), anyone who can guess the PIN can modify people’s existing bookings because the 2FA is NOT implemented for that tab based on my observation when I logged into my account.…

[…] redeeming credit card points may involve iBanking access and 2FA tokens (to be fair, SQ has added 2FA for high risk transactions so transferring ownership of your FFP account may not be so straightforward going […]


