[ChasingCoral]

No the only things on the account are the charge Station Pro I haven't used any third party service that required my Ford data

Very odd.

 

[PowercatNewt]

Very odd.

Yeah it is a pain for sure I called first thing this morning and they said someone would reach out in the next 1 to 5 days.

 

[PowercatNewt]

Ford has been doing great on support up until now I have been waiting for over two days for someone to unlock my account. I noticed today that my Blue Cruise is not working probably because I reset Ford Pass trying to fix this issue. The rep today said this is turning into a big problem in the last couple of days. I think mine is related to me using two phones with the same sign in. My work phone and my personal phone. @Ford Motor Company you need to reactivate all the accounts and shut off this API security tool until you fix it.

 

[CondorActual]

They told me a while back that Ford understands that this is a big problem, but it's not a simple fix. The APIs that allow remote start use the same SSO system to access data, use FordPass, etc. They can't just turn down the API protections without having a good solution in place. It was frustrating that the support folks at FordPass need to escalate this issue; once they call you back in 2-5 days (closer to 5), it will take 5 more days for them to fix your account give or take.

 

[PowercatNewt]

They told me a while back that Ford understands that this is a big problem, but it's not a simple fix. The APIs that allow remote start use the same SSO system to access data, use FordPass, etc. They can't just turn down the API protections without having a good solution in place. It was frustrating that the support folks at FordPass need to escalate this issue; once they call you back in 2-5 days (closer to 5), it will take 5 more days for them to fix your account give or take.

This is a simple fix just unlock the account when a customer calls in and verifies the issue. They need to give the help desk an unlock tool. Don't make it take 10 days I work at an airline I can't imagine telling our customers just wait 10 days and we will unlock your account. Second why would you code something so protected with something that you know will need to be shared. Third a company this large should have an API security tool and be using micro services to implement these APIs. If they haven't done this then the pace of development will be at a snails pace.

 

[ChasingCoral]

This is a simple fix just unlock the account when a customer calls in and verifies the issue. They need to give the help desk an unlock tool. Don't make it take 10 days I work at an airline I can't imagine telling our customers just wait 10 days and we will unlock your account. Second why would you code something so protected with something that you know will need to be shared. Third a company this large should have an API security tool and be using micro services to implement these APIs. If they haven't done this then the pace of development will be at a snails pace.

Most Help Desk folks have little to know IT training. Giving them the keys to open up security vulnerabilities is a very bad idea.

 

[PowercatNewt]

Now at 4 days and no contact

Most Help Desk folks have little to know IT training. Giving them the keys to open up security vulnerabilities is a very bad idea.

Not true at all almost all help desks can unlock an account, never seen one that can't. In fact at almost any other company you can unlock it yourself by answering some security questions. There is no security vulnerability here just bad developers. This can not be exploited unless you give someone your userid and password. Which I didn't do. And if you did you don't need an API to exploit it you can just download the App and login. Still waiting for a response from Ford on mine starting day 6 right now. I would be embarrassed if my IT team took this long to answer this many customers.
Love the product but it's usefulness has been reduced significantly by a bad technology

 

[CondorActual]

This problem is a bit more complicated at Ford as far as I can tell. There appear to be many application teams that do things at Ford from what I can see. The website, Ford Credit applications, Ford parts/accessories, dealership apps, and FordPass are what I can see as a customer. All of these apps seem to run on various platforms, and have app teams that handle customer support issues like any other company. What I'm guessing is happening here is that Ford is using a single provider for identity management. This means that even though there are lots of app teams and support folks, they all call back into someone (internal or external) who manage the user IDs and data for the users of these apps. It provides a sort of single sign-on capability for the company. My login for FordPass is the same as the login for Ford.com. The problem as I see it is that the various app teams don't have access to infrastructure level parts of their stack, and the IT team at Ford has a security group or team that controls what is and isn't a trigger to lock out the SSO user from the identity backend. During my attempt to get unlocked, the app team seemed to have no control over the SSO system, and had to reach out to the IT security people to review and unblock locked out SSO level accounts. FordPass can use the SSO system, but does not control it. My guess is that Ford does this for cost savings, unified user experience, and security. Security is key as these systems have access to credit data and other PII info for the users, as well as access to APIs that can physically start your vehicle (EV and non EV alike). I'm unsure what Ford needs to do to protect users from these painful lockouts, but they need to do something and have it integrate with their SSO solution. At the very least, the 'repair' of these lockouts can't take 2-4 weeks. It's bad for business and it's pissing off their EV customers. Likely the first customers that need access to these APIs for more than the occasional remote start.

 

[PowercatNewt]

Yeah I imagine you are right that is a very archaic IT execution model and design. You should never have PCI, PII and Critical Operations running on the same authorization like that. There is a difference between Authentication and Authorization. The SSO can be the same but you should only grant and block authorization at the micro service level. In this case if there is a breach of the data micro service you block that service. The others were not Authorized in the first place. In my case I tried to start the truck in a low service area and it didn't respond or time out then tried again from my work phone and still no response or time out. Then I signed out and back in and boom I am locked everywhere

 

[PowercatNewt]

After 6 days and one more call today with no solution but just wait, I got the following email with no explanation but I could log in again. 3 hours later a phone call from Ford Pass saying it is fixed and they don't know what happened. Never heard from any IT or security people.

 

[jerrydee24]

I am having the same issue. I have an ‘21 F-150 Powerstroke. The only third party app I am connected to is Homebridge. I called help desk and they never heard of this code. Waiting on the call back.

 

[ChasingCoral]

As posted above, I disconnected Recurrent back on November 20th. I just got locked out again. More to follow.

 

[jerrydee24]

As posted above, I disconnected Recurrent back on November 20th. I just got locked out again. More to follow.

Do you have a VPN?

 

[ChasingCoral]

Do you have a VPN?

No. Why would that matter for this issue?

 

[jerrydee24]

No. Why would that matter for this issue?

Not sure but when I called in that asked if i was using any third party clients or a VPN…

 

[ChasingCoral]

Not sure but when I called in that asked if i was using any third party clients or a VPN…

The low level Ford Guides don't have great information on this. They had me delete software that it turns out didn't matter at all.

 

[jerrydee24]

The low level Ford Guides don't have great information on this. They had me delete software that it turns out didn't matter at all.

Yeah I got nowhere until someone posted that phone number on here.

 

[PowercatNewt]

Curious do you have two phones using the same account? The other interesting thing on mine is I noticed the Ford Pro Power Station stopped syncing about 2 or 3 days before I was locked out. That is the only thing I authorized to access my account

 

[ChasingCoral]

Curious do you have two phones using the same account? The other interesting thing on mine is I noticed the Ford Pro Power Station stopped syncing about 2 or 3 days before I was locked out. That is the only thing I authorized to access my account

No. My wife and I have separate accounts with each phone on a different account.

 

[chillaban]

So I’ve never used another service and since last Wednesday my account has been locked with this error. I have tried calling Ford and chatting them, both say they opened a ticket and gave me the 3-5 day quote, but unfortunately I am still locked out. Does anyone know if there’s a better way to escalate this?