Amtrak website now requires 'multi-factor authentication' for 'some' members - 'why me?'

Help Support Amtrak Unlimited Discussion Forum:

20th Century Rider

Conductor
Joined
Jan 26, 2020
Messages
1,784
Location
Oregon Coast
I signed in today and got the immediate response that my password must be changed; nothing about 2Fa but when I changed it, I got the notice about the verification code. I did it, and it was fine. Many sites use this now, my credit union account uses 2Fa, you don't have a choice. I don't find it burdensome, just my .02 though.
Uh - huh! When I called again today I got another know-it-all agent with a raspy voice who told me that if's required by Amtrak then use it.

Amtrak doesn't do technology well at all. Uh - huh!
 

20th Century Rider

Conductor
Joined
Jan 26, 2020
Messages
1,784
Location
Oregon Coast
Here is an update on the 2FA dilemma and problems so many are having.

I just spoke with a very senior and astute Amtrak agent who indicated that since they implemented a 'new system' there have been an avalanche of complaints and issues. I was told that Amtrak is well aware of the problems and are working to fix it.

Anyway... at least now there's hope as so many are effected and Amtrak is giving it top priority.
 

bratkinson

OBS Chief
Joined
Aug 7, 2004
Messages
948
Location
QB 101
Disclaimer: author is NOT responsible for physical, logical, or consequential damages (perceived or actual) including but not limited to: computer reboot failure, missing missing, lost passwords and and/or form data, throwing computer across the room, punching the screen, and hitting it with a sledgehammer; that may arise from using the procedures described below. They are the steps I would follow on my own computers, but there is no guarantee they will work on your computers.


Here's five possible solutions -

PLAN A
Create a 'new user' in Windows! Use whatever username you choose. Then 'switch users' to the newly created user and logon to Amtrak. Alternatively, use an already extant user on your computer to log onto Amtrak using your AGR number/email plus password.

==>IF<==
the problem is related to files and/or information on your computer for you, then signing on to Amtrak as another Windows user will solve the problem as all history and tracking info is individually maintained by user.

PLAN A1
(I just thought of it after typing PLAN A which I did as the last thing creating this lengthy how-to list) Sign on to Amtrak from a computer other than your own. If that works (ie, toggle the 2FA switch), that narrows it down to YOUR computer, not an Amtrak site issue.

PLAN B
Similar to Plan A and A1, sign on to Amtrak using your cell phone and change it there, successfully log off (end task), then shut down (not sleep) and re-boot (not kick) your computer and see how that works. I'd give it a 50% chance of solving the problem.

PLAN C
Perhaps it's several data, screen, and cookie caches that's causing the problem. An unfortunate reality is that all browsers maintain caches of data and screens to speed up their response times. It's quite likely that information from the Amtrak site is kept in one of them that's causing the grief. It may be something as simple as 'cookies' causing the problem.

If you're afraid to adjust browser settings, then go to plan D.

I'm a Firefox user but I'll describe things as generically as possible. Somewhere in your browser, it should have a drop down window that offers various things such as bookmarks, downloads, passwords, etc. In particular, look for 'settings'. If no settings, then look for 'tools' or 'options' or something like that and it should offer some kind of 'settings' there. In Firefox, the settings screen has multiple sub-screens that I usually end up stepping through one at a time to find what I'm looking for.

On my computers, I've restricted the number of 'shortcuts' it remembers to 1. Doing so slows things down just a tad by having to get every 'new' site other than the most recent one 'from scratch' on the web. Doing so forces it to not use a 'saved' version of the site you previously visited. I'm guessing that something more than the URL is saved in the 'shortcuts', so maybe that's the problem as Amtrak site info is stored there.

Still in 'settings', the Firefox 'Cookies and privacy' sub-screen (left side index of sub-screens) has a 'cookies & site data' option with 'clear data', which I clicked - it will cause whatever site you're browsing to be temporarily disconnected. There's another option to 'delete site data and cookies when Firefox is closed' which I've checked as well. Hopefully, other browsers have similar options. One Catch-22...do NOT change settings you don't fully understand or else you may have to reinstall your browser. Then close your browser, and reboot the computer. (Note: I've made similar 'settings' adjustments in Thunderbird, the companion email app to Firefox)

If that fails to remedy the problem, keep reading.


PLAN D
Before embarking on PLAN C, PLEASE do the following: (I don't want anyone to 'hunt me down' in case something goes wrong following these directions)

In the WIndows 'search box' on the left side of the bottom toolbar, enter 'create' and click. It will come up with 'create a restore point'. Click that and CREATE a restore point. If things go wrong for you with PLAN D, come back to the same screen searching for 'create' or 'restore' and click 'Restore'.

Even though most of the cached browser data will be cleared automatically in PLAN C, there's STILL some data 'hanging around' in hidden files. If they were easily seen, users could cause enough 'damage' to apps to make them stop working or to Windows to require a full reinstallation. Some of them are so deeply hidden that techies like me spend a lot of time finding them, oftentimes 5 or more sub directories deep!

MOST of the caches used by Windows and the full gambit of browsers and email apps can be cleaned out by free downloadable software. The free versions of these 'speed up' programs will usually perform 70-80% of what needs to be done. To get the full capability, it's necessary to buy a one year subscription for a reasonable price.

My favorite program right now is CCleaner which I have paid for. (no, I am not a shill for them...only a satisfied customer). I used to use a competitive product but about 2 years ago then came up with a new version that essentially 'castrated' the Windows registry selective repair features I used monthly. So, out with the old and in with the new...CCleaner.

I should note that CCleaner has a significant number of file and folder delete capabilities in addition to strong registry options that could cause Windows problems if not judiciously used. For non-techies, I strongly recommend NOT using its registry features.

When it first comes up, choose the 'custom clean' option. That comes up with lists of folders for Microsoft Edge, Edge Chromium, Internet Explorer, Windows Explorer, System, and Advanced, all of which are built into Windows. UN-check Session, Set Aside Tabs, Saved Form Information, Saved Passwords, Network passwords, Desktop Shortcuts, Menu Order Cache, Tray Notifications Cache. Deleting passwords will require you to enter your password the first time you enter sites requiring them. As a 'security freak', I intentionally tell it to delete all passwords except for my email. I did that once and I had to re-signin to my email provider -and- tell Thunderbird to 'remember password' again.

Clicking the Applications tab brings up the non-Windows builtins including Firefox and Thunderbird plus Applications, Multimedia, Utilities, and Windows. I have everything is checked except the session, site preferences and saved passwords for email.

Now click 'Analyze' and wait for it to come up with its results. Review the list of folders that are about to be cleaned out and uncheck those with stuff you want saved. Then click 'Run Cleaner' and the folders 'checked' will be cleared out. For safety, I recommend you do NOT choose the 'registry', 'tools' and 'options' features.

Shut down CCleaner normally and reboot. Hopefully THAT will clear the 'Amtrak' site problem.

PLAN E:
There's STILL a number of well-buried browser and email folders as well as Windows and Adobe that CCleaner does NOT clean out! Among them is 'history' that Firefox keeps and 'startup cache' folders in Firefox and Thunderbird. There's also a couple of Edge files to clean out as well.

IF you're comfortable with viewing hidden folders and chasing down multiple levels, PM me, I'll give you a list of what to go after for Mozilla, Microsoft, and Adobe to clean out.
 

20th Century Rider

Conductor
Joined
Jan 26, 2020
Messages
1,784
Location
Oregon Coast
Disclaimer: author is NOT responsible for physical, logical, or consequential damages (perceived or actual) including but not limited to: computer reboot failure, missing missing, lost passwords and and/or form data, throwing computer across the room, punching the screen, and hitting it with a sledgehammer; that may arise from using the procedures described below. They are the steps I would follow on my own computers, but there is no guarantee they will work on your computers.


Here's five possible solutions -

PLAN A
Create a 'new user' in Windows! Use whatever username you choose. Then 'switch users' to the newly created user and logon to Amtrak. Alternatively, use an already extant user on your computer to log onto Amtrak using your AGR number/email plus password.

==>IF<==
the problem is related to files and/or information on your computer for you, then signing on to Amtrak as another Windows user will solve the problem as all history and tracking info is individually maintained by user.

PLAN A1
(I just thought of it after typing PLAN A which I did as the last thing creating this lengthy how-to list) Sign on to Amtrak from a computer other than your own. If that works (ie, toggle the 2FA switch), that narrows it down to YOUR computer, not an Amtrak site issue.

PLAN B
Similar to Plan A and A1, sign on to Amtrak using your cell phone and change it there, successfully log off (end task), then shut down (not sleep) and re-boot (not kick) your computer and see how that works. I'd give it a 50% chance of solving the problem.

PLAN C
Perhaps it's several data, screen, and cookie caches that's causing the problem. An unfortunate reality is that all browsers maintain caches of data and screens to speed up their response times. It's quite likely that information from the Amtrak site is kept in one of them that's causing the grief. It may be something as simple as 'cookies' causing the problem.

If you're afraid to adjust browser settings, then go to plan D.

I'm a Firefox user but I'll describe things as generically as possible. Somewhere in your browser, it should have a drop down window that offers various things such as bookmarks, downloads, passwords, etc. In particular, look for 'settings'. If no settings, then look for 'tools' or 'options' or something like that and it should offer some kind of 'settings' there. In Firefox, the settings screen has multiple sub-screens that I usually end up stepping through one at a time to find what I'm looking for.

On my computers, I've restricted the number of 'shortcuts' it remembers to 1. Doing so slows things down just a tad by having to get every 'new' site other than the most recent one 'from scratch' on the web. Doing so forces it to not use a 'saved' version of the site you previously visited. I'm guessing that something more than the URL is saved in the 'shortcuts', so maybe that's the problem as Amtrak site info is stored there.

Still in 'settings', the Firefox 'Cookies and privacy' sub-screen (left side index of sub-screens) has a 'cookies & site data' option with 'clear data', which I clicked - it will cause whatever site you're browsing to be temporarily disconnected. There's another option to 'delete site data and cookies when Firefox is closed' which I've checked as well. Hopefully, other browsers have similar options. One Catch-22...do NOT change settings you don't fully understand or else you may have to reinstall your browser. Then close your browser, and reboot the computer. (Note: I've made similar 'settings' adjustments in Thunderbird, the companion email app to Firefox)

If that fails to remedy the problem, keep reading.


PLAN D
Before embarking on PLAN C, PLEASE do the following: (I don't want anyone to 'hunt me down' in case something goes wrong following these directions)

In the WIndows 'search box' on the left side of the bottom toolbar, enter 'create' and click. It will come up with 'create a restore point'. Click that and CREATE a restore point. If things go wrong for you with PLAN D, come back to the same screen searching for 'create' or 'restore' and click 'Restore'.

Even though most of the cached browser data will be cleared automatically in PLAN C, there's STILL some data 'hanging around' in hidden files. If they were easily seen, users could cause enough 'damage' to apps to make them stop working or to Windows to require a full reinstallation. Some of them are so deeply hidden that techies like me spend a lot of time finding them, oftentimes 5 or more sub directories deep!

MOST of the caches used by Windows and the full gambit of browsers and email apps can be cleaned out by free downloadable software. The free versions of these 'speed up' programs will usually perform 70-80% of what needs to be done. To get the full capability, it's necessary to buy a one year subscription for a reasonable price.

My favorite program right now is CCleaner which I have paid for. (no, I am not a shill for them...only a satisfied customer). I used to use a competitive product but about 2 years ago then came up with a new version that essentially 'castrated' the Windows registry selective repair features I used monthly. So, out with the old and in with the new...CCleaner.

I should note that CCleaner has a significant number of file and folder delete capabilities in addition to strong registry options that could cause Windows problems if not judiciously used. For non-techies, I strongly recommend NOT using its registry features.

When it first comes up, choose the 'custom clean' option. That comes up with lists of folders for Microsoft Edge, Edge Chromium, Internet Explorer, Windows Explorer, System, and Advanced, all of which are built into Windows. UN-check Session, Set Aside Tabs, Saved Form Information, Saved Passwords, Network passwords, Desktop Shortcuts, Menu Order Cache, Tray Notifications Cache. Deleting passwords will require you to enter your password the first time you enter sites requiring them. As a 'security freak', I intentionally tell it to delete all passwords except for my email. I did that once and I had to re-signin to my email provider -and- tell Thunderbird to 'remember password' again.

Clicking the Applications tab brings up the non-Windows builtins including Firefox and Thunderbird plus Applications, Multimedia, Utilities, and Windows. I have everything is checked except the session, site preferences and saved passwords for email.

Now click 'Analyze' and wait for it to come up with its results. Review the list of folders that are about to be cleaned out and uncheck those with stuff you want saved. Then click 'Run Cleaner' and the folders 'checked' will be cleared out. For safety, I recommend you do NOT choose the 'registry', 'tools' and 'options' features.

Shut down CCleaner normally and reboot. Hopefully THAT will clear the 'Amtrak' site problem.

PLAN E:
There's STILL a number of well-buried browser and email folders as well as Windows and Adobe that CCleaner does NOT clean out! Among them is 'history' that Firefox keeps and 'startup cache' folders in Firefox and Thunderbird. There's also a couple of Edge files to clean out as well.

IF you're comfortable with viewing hidden folders and chasing down multiple levels, PM me, I'll give you a list of what to go after for Mozilla, Microsoft, and Adobe to clean out.
The problem is at Amtrak's... they have verified that. Hopefully they will fix the problem at their end.
 

fdaley

Lead Service Attendant
Joined
Jan 25, 2020
Messages
316
Here is an update on the 2FA dilemma and problems so many are having.

I just spoke with a very senior and astute Amtrak agent who indicated that since they implemented a 'new system' there have been an avalanche of complaints and issues. I was told that Amtrak is well aware of the problems and are working to fix it.

Anyway... at least now there's hope as so many are effected and Amtrak is giving it top priority.
The agent I spoke with also said, "Believe me, you're not the only one having problems." But then she said it was on me to set up a new email address and then call back to switch my AGR account to that email. And since my wife and son also have email accounts at the same domain name that Amtrak now dislikes, we'd have to set up new addresses for them and change their AGR accounts as well. It sounds like a good way to waste part of a day, so haven't bothered to do anything yet, and I'm kind of waiting to see if complaints prompt Amtrak to come up with something better. In the meantime, I can always call, though I never seem to be able to get through to a live person at the AGR line after 6 p.m. ET.
 

denmarks

Train Travel Enthusiast
Joined
Sep 21, 2003
Messages
548
Location
Chico, CA
They are currently having problems with the verification code system. I tried a few times earlier until it locked me out. I finally got all the codes at once after an hour. I then tried again and the new code arrived within a minute and worked.
 

20th Century Rider

Conductor
Joined
Jan 26, 2020
Messages
1,784
Location
Oregon Coast
The agent I spoke with also said, "Believe me, you're not the only one having problems." But then she said it was on me to set up a new email address and then call back to switch my AGR account to that email. And since my wife and son also have email accounts at the same domain name that Amtrak now dislikes, we'd have to set up new addresses for them and change their AGR accounts as well. It sounds like a good way to waste part of a day, so haven't bothered to do anything yet, and I'm kind of waiting to see if complaints prompt Amtrak to come up with something better. In the meantime, I can always call, though I never seem to be able to get through to a live person at the AGR line after 6 p.m. ET.
No No No... the mistake is 'on Amtrak' and they need to fix the glitch that is causing problems for so many. You most certainly should NOT need to set up a new email address and disrupt your life... and no... hundreds will simply refuse to do that as well. Let Amtrak shoulder the responsibility... you're the customer!
 

20th Century Rider

Conductor
Joined
Jan 26, 2020
Messages
1,784
Location
Oregon Coast
They are currently having problems with the verification code system. I tried a few times earlier until it locked me out. I finally got all the codes at once after an hour. I then tried again and the new code arrived within a minute and worked.
And the exact same happened to me. It's on Amtrak to fix this... and they do know they have a website problem!
 

me_little_me

Engineer
AU Lifetime Supporter
Joined
Jul 16, 2010
Messages
4,369
Amtrak? Problems? Nah! Can't happen. Next you'll be saying that flex dining is no good. Think of the fun you'll have if you ever get on a train with real food? That is, if you can logon to your account and actually make a reservation.
 

Devil's Advocate

It's just a scratch.
Joined
May 24, 2010
Messages
12,628
Location
Siding of Excellence
Here is an update on the 2FA dilemma and problems so many are having. I just spoke with a very senior and astute Amtrak agent who indicated that since they implemented a 'new system' there have been an avalanche of complaints and issues. I was told that Amtrak is well aware of the problems and are working to fix it. Anyway... at least now there's hope as so many are effected and Amtrak is giving it top priority.
Personally I'm a fan of MFA but this seems to be one of the most clumsy and confusing implementations I've ever seen. I cannot comprehend why users are having to change email addresses just to login to the website under the new rules.
 

JayPea

Engineer
AU Supporter
Joined
Sep 9, 2006
Messages
4,117
Location
Colfax, WA (CFX)
Interesting. I changed my password that I'd had for a long time (I know, I know, I should change them more often!) and, after having to change the password AGAIN (said it was the wrong one even though I had it written down in front of me) I kept getting the code request and kept saying it was the wrong one. Checking my email it turned out they had sent about half a dozen codes in rapid succession. Used the latest one they sent and all was well. Over the next few days each subsequent attempt to log in resulted in getting the code request. Just now, after a couple of days, I went to log in to AGR and no code request needed. I should add that I've always had the code request disabled in my settings. Maybe things are getting back to normal, at least as normal as the Amtrak IT system allows.🙄
 

20th Century Rider

Conductor
Joined
Jan 26, 2020
Messages
1,784
Location
Oregon Coast
More bad news from Amtrak It. Very bad news!

According to their website... which I had to sign in with 2FA, they now require an additional PIN number when using points for free travel. So I placed in a 4 digit PIN # but it didn't take. Tried again but it didn't take. So now I do not have the required PIN number to use those Amtrak points.

Do this means that there will be more hoops to jump through when using points?

And does means there is yet another glitch in this newly imposed layer of website security?
 

willem

Maintenance
Joined
Aug 17, 2014
Messages
1,144
Location
in the depths
Interesting. I changed my password that I'd had for a long time (I know, I know, I should change them more often!) [...]
I have heard this many times, but I've never received a satisfactory answer to the question "Why?" I can envision only two scenarios where changing my password routinely is a useful anti-hacking technique. One scenario is that the hackers are trying to brute force break into my account and I'm lucky enough to change the password from something they haven't tried yet (but will soon) to something they have tried already (and won't try again). It seems like I would be just as likely to change it to something they will try sooner rather than later. The other scenario is that the hackers have already breached my account but I haven't noticed yet, and the hackers have left my password intact. This seems unlikely. What have I missed?
 

alanh

OBS Chief
Joined
Aug 5, 2009
Messages
602
Location
PHX
If you have a good password (long, random, not used on any other sites ever), nothing. The main issue is reused passwords; if another site you used the password on is hacked, that password may eventually be used to get into your Amtrak account.

Anyway, I'm getting the two-factor prompt too, even though it's "off". I've been away for several years, but I'm back to planning another trip. I did change my password but that didn't help.
 

20th Century Rider

Conductor
Joined
Jan 26, 2020
Messages
1,784
Location
Oregon Coast
If you have a good password (long, random, not used on any other sites ever), nothing. The main issue is reused passwords; if another site you used the password on is hacked, that password may eventually be used to get into your Amtrak account.

Anyway, I'm getting the two-factor prompt too, even though it's "off". I've been away for several years, but I'm back to planning another trip. I did change my password but that didn't help.
Same here... and I've tried everything imaginable... changed passwords, etc. Stuck!
 

jebr

Enthusiastic Transit Rider
Staff member
Administator
Moderator
Joined
Jan 23, 2012
Messages
4,422
Location
"The Last Great City of the East," St. Paul, MN
I have heard this many times, but I've never received a satisfactory answer to the question "Why?" I can envision only two scenarios where changing my password routinely is a useful anti-hacking technique. One scenario is that the hackers are trying to brute force break into my account and I'm lucky enough to change the password from something they haven't tried yet (but will soon) to something they have tried already (and won't try again). It seems like I would be just as likely to change it to something they will try sooner rather than later. The other scenario is that the hackers have already breached my account but I haven't noticed yet, and the hackers have left my password intact. This seems unlikely. What have I missed?
The biggest issue is reusing a password on multiple sites - if one of them is breached, then the hacker could get into any websites with the same password. The old-school theory was with regular changes people wouldn't keep the same password across different sites. However, it's been found that periodic changes don't actually help much, if at all, and they often result in weaker passwords. Thus, the NIST has updated their guidance to advise against requiring password changes unless the password is compromised. A quote from 5.1.1.2 of the updated guidance:

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
Personally, I use a password manager which randomly generates passwords and then auto-fills them into the site. That way if one account is breached ideally that won't be used anywhere else, and I only have to remember the one (long and unique) password/passphrase to get into my password manager.
 

Devil's Advocate

It's just a scratch.
Joined
May 24, 2010
Messages
12,628
Location
Siding of Excellence
I changed my password that I'd had for a long time (I know, I know, I should change them more often!)
I have heard this many times, but I've never received a satisfactory answer to the question "Why?"
If you have a good password (long, random, not used on any other sites ever), nothing.
Online services are being hacked from all directions on a regular basis but the providers often wait weeks, months, or years to inform users about having been compromised. The longer you go without changing anything the longer the window where your login remains wide open to a nefarious surrogate. Multi-factor authentication helps protect against this but since that adds a tiny bit of effort most people hate it and want to go back to 1970's security.
 

willem

Maintenance
Joined
Aug 17, 2014
Messages
1,144
Location
in the depths
The biggest issue is reusing a password on multiple sites [...] Thus, the NIST has updated their guidance to advise against requiring password changes unless the password is compromised.
Not me; apparently I'm good to go. Or not...
The longer you go without changing anything the longer the window where your login remains wide open to a nefarious surrogate.
I thought the accepted practice was a service would only store hashed passwords and never the passwords themselves. I understand that accepted practice might not be followed (and is probably more likely to be ignored by the same service that would refrain from notifying users of a breach) and so what you say is valid, but am I correct that a responsible service will not store passwords in a format that could be hacked usefully?
 

Devil's Advocate

It's just a scratch.
Joined
May 24, 2010
Messages
12,628
Location
Siding of Excellence
I thought the accepted practice was a service would only store hashed passwords and never the passwords themselves. I understand that accepted practice might not be followed (and is probably more likely to be ignored by the same service that would refrain from notifying users of a breach) and so what you say is valid, but am I correct that a responsible service will not store passwords in a format that could be hacked usefully?
So far as I can tell the number of services that follow best practices, resolve new and evolving threats, and alert unsuspecting users as soon as a breach is detected is small. Not to mention what was best practices last year may only be the bare minimum today. In my experience the really secure sites barely do anything useful while the really useful sites are barely secure. Maybe we should build a new Internet: Secure Edition for the important stuff but that ship has probably sailed.
 
Last edited:

zephyr17

Engineer
Joined
Jul 22, 2009
Messages
5,160
Location
Washington State
Not me; apparently I'm good to go. Or not...

I thought the accepted practice was a service would only store hashed passwords and never the passwords themselves. I understand that accepted practice might not be followed (and is probably more likely to be ignored by the same service that would refrain from notifying users of a breach) and so what you say is valid, but am I correct that a responsible service will not store passwords in a format that could be hacked usefully?
That is the best practice. And probably applies to most big players. Smaller companies, ?.
 

Tlcooper93

Lead Service Attendant
AU Supporter
Joined
Jan 9, 2021
Messages
442
Location
Boston
Just an update.
I was seemingly avoiding all of this until about 2 weeks ago. yesterday I decided to call and complain, and haven't had to log in with MFA since. I called AGR, and then got tranfered twice, eventually getting a tech agent. Maybe it worked...
 
Top