Minor updates and code changes occur every day. Only significant or noteworthy updates are shown here. Updates shown with a gold background are (or were at the time) only available to Advanced HOPS members.
Time Date | System Updates |
---|---|
Update 1162 29 April 2025 | MULTI-FACTOR AUTHENTICATION |

HOPS will soon be offering Multi-Factor Authentication (MFA) on HOPS accounts. This is in response to feedback from several railways. Like most things this isn't as straightforward as just 'doing it': there are lots of wider effects to consider (technical, procedural, and human-factors), so here are our current plans:

* There will be an initial trial with a small group of invited users.
* After the trial MFA will be available (optional) to all.
* Railways will be able to enforce MFA for specific users.
* In the long term, MFA will become a requirement for users with certain permissions (eg permission to administer permissions (015), permission to admin-login (080), etc) - permissions that enable access to personal data. It is likely the permissions included in this list will increase over time, and bring more users within the requirement of MFA. We recognise this may not be welcomed by some users, but the demands from railways for us to implement MFA are now overwhelming, and once MFA is available we don't feel it is defensible for HOPS to not require it where appropriate.
* Railways will be able to enforce MFA for selected users who otherwise don't require it by means of a permission that will fall in the above list. The permission itself won't do anything, it will just be the thing that requires the user to set up MFA. This being a permission will make it easy for railways to 'fit and forget' the permission to appropriate Permission Groups, ensuring that any new users in those groups automatically obtain the 'Requires MFA' permission without the HOPS Admin needing to take any action. This will also cover the case of a user obtaining the permission by being added to a department (eg 'Directors Department', etc).
* All the above will be implemented gradually over a period of several months, with notifications to affected users in advance.
* MFA will become an alternative to 'Personal Questions' for password resets for users who have joined accounts.
* MFA will require the user to use an authenticator app. Any TOTP-compliant authenticator app can be used: Google Authenticator and Microsoft Authenticator apps being the two most popular. Built-in and third-party password managers with integrated authenticators are also available for all major web browsers.

Note that a HOPS login applies to logging in to *HOPS*, rather than in to a specific railway. Once logged in to HOPS a user is free to jump between their railways. Therefore if a user's permissions at any one of their railways demand MFA then it is applied to their account and they will need to use MFA to log in, regardless of which railway they wish to view.

---

Forgetting / Losing MFA details:

A new button will soon be provided in the user profile page for managers to reset users' Personal Questions. This will remove the need for Admins to raise a support request to have questions reset.

Currently, where a user works for more than one railway, their accounts are separated out before the Personal Questions are removed. This is to avoid a rogue Admin obtaining access to a user's account by means of changing their email address and obtaining a password reset, and then jumping to the user's other railways. By separating out the accounts, the rogue Admin can only obtain access to their own railway's data, which they had access to anyway. This is currently performed by HOPS HQ but the new button will enable Admins to manage this locally.

When MFA is introduced, a similar button will be provided, which will separate out the user's accounts and then remove MFA on only the user's account for the requesting railway. This will prevent a rogue Admin being able to access another railway's data by illegally obtaining a password reset in the same way as described above.
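The account-wide MFA rule and the separate-then-reset procedure described above can be modelled as follows. This is an added example, not HOPS code: the data model, function names, railway and group names and the `REQUIRES_MFA_PLACEHOLDER` code are assumptions, and only the permission codes 015 and 080 come from the update.

```python
from dataclasses import dataclass

# 015 and 080 are the codes named in the update. The code of the marker
# 'Requires MFA' permission is not given there, so this is a placeholder.
REQUIRES_MFA = "REQUIRES_MFA_PLACEHOLDER"
MFA_PERMISSIONS = {"015", "080", REQUIRES_MFA}

# Constructed sample data: (railway, Permission Group) -> permission codes.
GROUP_PERMS = {("RailwayA", "Directors"): {REQUIRES_MFA},
               ("RailwayB", "Volunteers"): set()}

@dataclass
class Account:
    """One HOPS login; a joined account has memberships at several railways."""
    email: str
    memberships: dict  # railway -> set of Permission Group names
    mfa_enrolled: bool = False

def effective_permissions(account, railway, group_perms):
    """Union of permissions inherited from the user's groups at one railway."""
    perms = set()
    for group in account.memberships.get(railway, set()):
        perms |= group_perms.get((railway, group), set())
    return perms

def mfa_required(account, group_perms):
    """Login is to HOPS, not a railway: one demanding railway is enough."""
    return any(effective_permissions(account, r, group_perms) & MFA_PERMISSIONS
               for r in account.memberships)

def admin_reset_mfa(account, requesting_railway):
    """Separate the joined account, then clear MFA on the requester's part only.

    Returns (local, rest); rest is None when the user has no other railways.
    """
    if requesting_railway not in account.memberships:
        raise PermissionError("no membership at the requesting railway")
    local = Account(account.email,
                    {requesting_railway: set(account.memberships[requesting_railway])})
    others = {r: set(g) for r, g in account.memberships.items()
              if r != requesting_railway}
    rest = Account(account.email, others, account.mfa_enrolled) if others else None
    return local, rest

def reachable_railways(account):
    """Railways a session can jump between after logging in to this account."""
    return set(account.memberships)
```

In this model a reset requested by RailwayB leaves a login that reaches only RailwayB, while the login covering RailwayA keeps its MFA enrolment.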