146441 Views 672 Replies Latest reply: Apr 11, 2014 4:05 PM by swmarketing
  • swiss-house Contributor 260 posts since
    Jul 6, 2011

    Doing the Two-Step


    I'll wade into the conversation again - hopefully the rocks thrown at me won't have too many sharp edges...


    It's been mentioned before, but I think it needs to be brought up again: The solution HA is suggesting is based on requiring us to go through a two-step authentication system to prove our identity before we can log in.  Two-step authentication is what is lacking in nearly all email systems, including desktop based software like Outlook or Thunderbird.


    For most of us, to log on to your email, all you need is your email address and your password.  If anyone manages to steal these from you, they can read your email and do things like forward it to another address and delete it from your inbox, or all sorts of evil, nasty things.  And they can do it from anywhere with a PC with a browser, even countries off the Gulf of Guinea.


    But with two-step authentication, you need the logon ID, plus two forms of proof.  The first is still a password.  But the second is usually something unique to you, something an imposter couldn't get access to.


    I'll save you the history lesson of RSA key fobs and other stuff, because these days the easiest way to provide that second form of proof is via your mobile phone's SMS / text message system.  There are other ways such as embedded browser helper programs that identify a specific "safe" login machine, etc. - but the most widely used is the SMS / Text Message.


    It costs a lot for a company to do this, because they have to pay 5 to 50 cents per text message they send, but the way it works is simple:

    When you log in, you enter your user ID and your password.  You then receive a text message on your mobile phone - it will only send the message to the phone (or phones) in your profile (it might even be a different one than the one in your HomeAway listing).  It includes a 4 or 6 digit code that you then type in.  NOW it will let you in.

    And you can STAY logged in on that computer, so that if you get inquiries through the course of the day, you don't have to keep going through the routine of logging in. It doesn't have to be a hassle.


    There are other ways to accomplish something similar, including keeping track of IP addresses.  A security system can be made smart enough to know that if it sees you do a proper two-step log in from the same IP address 3 or 4 times in a row, then it can trust that IP address is really you, and it can stop sending the text message portion of the login process - or only require it every 3rd or 4th log in. 


    And if you want to reset your password because you forgot it?  Yes, you must have your mobile phone to receive a code (and it will only use the phone numbers in your profile) to prove you really have that phone in your physical possession.


    No system is perfect - and I don't know if this is how HA will do it.  If they do, I'm sure they'll have back up processes in case you lose your phone, or whatever other physical confirmation vehicle they end up implementing. 


    But the key is that a two-step process can do what most email security systems can't - it can require that someone not only steal a password, but also steal something physical like a phone, or break into your house to use your physical PC.  And that's about the only way to provide a reliable shield around your conversations.


    BTW: Google Gmail DOES offer two-step authentication for its users, although you aren't forced to use it.  You can read more about THEIR approach at:
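
The two-step login flow described in the post above, as an added Python example that is not part of the original post and is not HomeAway's implementation. The class and method names, the 5-minute code lifetime, the three-guess limit and the `send_sms` callback are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300     # assumed: seconds a texted code stays valid
MAX_TRIES = 3      # assumed: wrong guesses allowed before the code is burned
TRUST_AFTER = 3    # the post's "3 or 4 times in a row" from the same IP


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TwoStepLogin:
    """Hypothetical in-memory model of password + SMS code login."""

    def __init__(self, send_sms):
        self.send_sms = send_sms  # callable(phone, text), stands in for an SMS gateway
        self.users = {}           # user_id -> {"salt", "pw", "phone"}
        self.pending = {}         # user_id -> {"code", "expires", "tries"}
        self.streak = {}          # (user_id, ip) -> consecutive two-step logins

    def enroll(self, user_id, password, phone):
        salt = secrets.token_bytes(16)
        self.users[user_id] = {"salt": salt, "pw": _pw_hash(password, salt), "phone": phone}

    def step_one(self, user_id, password, ip):
        """Password check. Returns 'denied', 'code_sent' or 'ok'."""
        user = self.users.get(user_id)
        if user is None or not hmac.compare_digest(user["pw"], _pw_hash(password, user["salt"])):
            return "denied"
        if self.streak.get((user_id, ip), 0) >= TRUST_AFTER:
            return "ok"  # this IP has earned trust, so no text message is sent
        code = f"{secrets.randbelow(10**6):06d}"  # 6 digits from the OS CSPRNG
        self.pending[user_id] = {"code": code, "expires": time.time() + CODE_TTL, "tries": 0}
        # Only the phone stored in the profile is used, never one supplied at login.
        self.send_sms(user["phone"], f"Your login code is {code}")
        return "code_sent"

    def step_two(self, user_id, code, ip, now=None):
        """Code check. True only for the current, unexpired, unused code."""
        now = time.time() if now is None else now
        entry = self.pending.get(user_id)
        if entry is None or now > entry["expires"]:
            self.pending.pop(user_id, None)
            return False
        entry["tries"] += 1
        good = hmac.compare_digest(entry["code"].encode(), str(code).encode())
        if good or entry["tries"] >= MAX_TRIES:
            del self.pending[user_id]  # single use, or too many wrong guesses
        if good:
            self.streak[(user_id, ip)] = self.streak.get((user_id, ip), 0) + 1
        else:
            self.streak[(user_id, ip)] = 0  # "in a row": a failure resets the count
        return good
```

A stolen password alone gets `code_sent` and nothing more from an unfamiliar IP address; the trust counter is kept per user and IP pair, so an address shared by many people weakens that shortcut.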

  • anja Senior Contributor 1,555 posts since
    Aug 9, 2011

    Hi msdebj,

    Responding to your post #171....


    Precisely my view...and already my practice.  I have been using an *interim*  response  that I crafted some time ago for all those "incomplete", vague inquiries {mostly generated from my pet peeve...the "bulk mail"}.  I've been very annoyed by the blunt style like my favorite:  "JJ.  need availability.  price." So many other favorite, equally vague examples in  my inbox apply.


    I answer them all with my *interim* to  FISH {not phish} OUT more specifics from the I can decide whether I WANT to pursue their business - or not.  So, I've already implemented my own "extra step" to prompt more details from "the vague" inquirer.   Maybe, that's why I haven't been very bugged by the nature of the "extra step" HA is communicating to us about "verify info with each other first before transacting".  I think I've been self imposing this's my own "pre-vetting"..... --- sans the HA log in --- albeit it's one sided - from the owner's perspective. I'm not certain, yet,  whether what HA will offer as their solution  will be  satisfactory {for me}. Will I get enough detail?  That's the question. For years, my email address has been *exposed* whether I replied from my own email client, or from within the HA Dashboard since  its introduction!  That will end, we've been told. The Dashboard will be the vehicle through which I will FISH to decide  whether I want to continue communicating...HA will keep my {owners'}  email address private -they've stated this-...until I feel I want to share it.

    I like that aspect....I've been on the record here asking HA to stop revealing email addresses when using their "Reply" button  in the Dashboard.


    If the new HA proposed "secure inquiry" system does not provide me with at least,  full name, location [city/State/country], email address  {but, the more I think about it, I'd love a phone, more than email}.... then I will just continue to respond with my *interim* reply to FISH for more personal that I can "Google"  it.  find out more about the person.


    My current *interim* reply to all "vague" inquirers that I have been using, to date, starts with:


    Thank you for your inquiry. At the time of this writing, your proposed dates are still available...we might be able to welcome you ....blah blah.... {...and  I complete the message accordingly -- depending upon  what more I need to much I want to reveal, first....}. enable us to help you.   I tweak the *interim* message as needed.


    I have always gotten responses to my *interim* one, and they sometimes revealed an "unsuited" traveler for my place - because of one thing or another (no. of guests, a feature I don't offer, a demand for price)....or their response presented a  "red flag" ....and I lost  interest in the pursuit. perfect "targeted" prospect.

  • Active Contributor 540 posts since
    Aug 25, 2011

    Swisshouse, you're right, I missed this point that it'll become a 2-step auth -- sorry about that.  


    So HA is proposing using an even bigger hammer than I'd originally thought to beef up security to address a problem that has not been proven to be statistically significant and that will make interacting with guests in a timely manner just about impossible for some of us.  (and for which there may be another solution that achieves 99% of the same goal without the impact on our operations)


    FlipKey, here I come!


    (Well, I'll wait to see what they actually roll out... I'm still holding out hope that it doesn't make me log into the site.)


    [ Note: please don't tell me it'll be easy, just stay logged in, not a big deal, takes only a second etc, etc.. that is simply not realistic for some of us -- especially where we work full-time, travel, use multiple computers (tablets, cell phones, computers) &/or use physically unsecure machines and it breaks my central database of communications that I currently keep in e-mail -- in other words, unacceptable. ]



  • anja Senior Contributor 1,555 posts since
    Aug 9, 2011

    Hi enlasrocas...  Have you news to share about the status of your problem?  Has HA responded to your request for help?  Is your advertising online?

  • swiss-house Contributor 260 posts since
    Jul 6, 2011

    P.  You're right - it all comes down to the implementation.



    [ Note: please don't tell me it'll be easy, just stay logged in, not a big deal, takes only a second etc, etc.. that is simply not realistic for some of us -- especially where we work full-time, travel, use multiple computers (tablets, cell phones, computers) &/or use physically unsecure machines and it breaks my central database of communications that I currently keep in e-mail -- in other words, unacceptable. ]



    I've been thinking of it purely in terms as a second email client that I would keep open, just like I do my Gmail account.  When I'm at my desk, it's one of the first things I open when I start up my PC, and it stays open until I log off.  As long as I get a text message on my phone when a new inquiry comes in so I know to take a peek in "the other" email system, I think it will work for me.


    Heck, I could even modify my hourly routine to include it as a matter of routine: Check personal email account, check business 1 email account, check business 2 email account, check Facebook, check Facebook, check Facebook (Hey! get back to work!), and now, check HA dashboard.  Yeah, I guess I could do that.




    What will be interesting is how they implement the mobile versions.  If they can validate the physical phone once as a "trusted device" and then let me access this "second email client" without the whole two-step thing when I'm on a mobile device, then I don't see it as all that different than using my mobile email client either.




    When on the Ambassador call last week with the HA rep, I was pretty vocal about asking for all the things I depend on in my email client - rich text, folders (with colors if possible), threaded conversations, and a bunch of other tools we all depend on in our email-based filing systems.  For me, if they can come pretty close that mark, I can modify my processes a bit to make use of it.

  • anja Senior Contributor 1,555 posts since
    Aug 9, 2011

    Hi again Peter.... wrote:


    (Well, I'll wait to see what they actually roll out... I'm still holding out hope that it doesn't make me log into the site.)



    It appears that HA intends to mandate a Dashboard login to view the "initial" inquiry...and respond to it via the Dashboard.  That's precisely what was published in their notice....{extract is at the top of this thread}. They will send an SMS text, as well as an email "notice" to our mail login in for an inquiry.


    Note:  During the second Webinar, when we had more time with HA staff  {they gave us 2.5 hours to speak with them}...the idea for a responsive mobile experience via various devices was touched upon:   iphones,  ipads,  tablets, etc.. we and travelers are  'on the move'  and work in and from various venues.  I think that most of the Ambs/owners agreed that this would be important. 


    We really have been trying to cover issues, concerns, complaints that we've  all been sharing in the Community for months, now.


    I hope, too, that your related concern expressed here will be met.

  • New Member 5 posts since
    Jun 20, 2012

    Yes they finally called me after 2 days but the process was very cumbersome - here is why


    A) HA sent a mail to my full list of inquiries informing them that my email is scammed and that they should verify the authenticity

    B) the above created much commotion and needed to write tons of emails and make intl. phone calls to appease the travellers that all is fine

    C) HA de-activated my site without letting me know - needed to change emails and call intl to activate account again

    D) all of this took close to 5 days and many expensive intl phone calls to HA

    E) HA customer service on phone lines is another 10-15 minute waiting line - expensive when you call from overseas....


    Definitely not a nice experience on behalf of a paying sorry, no extra credit or any other compensation for what said disappointing especially when you know how Apple for example treats clients when experiencing problems...


    Problem solved and hope HA verifies travellers better before notifying us owners in the it is through HA that these people obtain our emails and then start engaging into un-lawful activities...


    Thank you for your help,



  • Contributor 86 posts since
    Oct 31, 2011

    So what about our guests?  Are they going to have to setup a travel account and log into something to read our emails to them and to respond to us?  It is still not clear to me if all correspondence from owner and guest is going to go thru HA.  If only the first email, what have we gained?  If all emails, what a pain in the donkey!


    Without changing too much they could just send us an email notifying us that we have an inquiry.  All of our inquiries are already available on-line.  I think that is an extra step in our process that should not have to be done.  Although I do occasionally check the on-line inquiries.  A notification email or two has never made it to my email account from time to time.  HA's response when you don't get your notification - you should always check your inquiries on-line so you don't miss any.


    I don't want to add extra steps to my process.  I already have too many now, like deleting all that extra junk they put in the notification email before replying to guest.  I don't want HA/VRBO to have access to my emails between myself and my guests.


    I would like to see their proposal in writing.  Might clear up a lot for everyone.



  • Active Contributor 540 posts since
    Aug 25, 2011

    swiss-house wrote:


    I've been thinking of it purely in terms as a second email client that I would keep open, just like I do my Gmail account. 

    I simply do not have the time available to me to keep 2+ e-mail clients open, manage other accounts, log on to HA system, copy / paste messages from RA to my own filing system.  Imagine if FlipKey & VRBO and all the other sites where we advertise follow suit.  What a total mess this will become.


    Possibly not everyone knows this but if you are using a PC (probably a Mac too) with an e-mail client, you can use a unified view and see all your e-mail accounts in one single interface while keeping them actually independent.


    I use Outlook on my work machine, Windows Live Mail on my home machine, BB unified e-mail on my Playbook and BB e-mail on my phone -- they all have exactly the same view of e-mail that shows all my accounts from gmail to yahoo to work to my condo management account to my personal e-mail.  When I reply to, delete, file, move or read an e-mail it deletes, files, moves or shows as read on all of the others.   I currently do not even need to open a browser to reply to inquiries.


    So, my current routine for all sites I currently advertise on is: check e-mail, reply.


    I don't want it to be: check e-mail, parse for VRBO inquiry, open browser, log on to VRBO to read it, respond via VRBO, cut and paste into my current filing system, check e-mail, parse for HomeAway inquiry, open browser, log on to HomeAway, respond via HomeAway, cut and paste into my current filing system, check e-mail, parse for inquiries, open browser, log on to, respond via, cut-and-paste into my own filing system, etc...



  • Active Contributor 295 posts since
    Jun 9, 2011

    I am offering an alternative solution. I apologize if this has been suggested already because I didn’t bother to read the entire thread. I confess when I first saw this topic, I thought the solution that Homeaway is contemplating by forcing Owner and Traveler to login is so absurd that I can’t bring myself to participate, but because so many have responded, I thought I should participate and provide my own alternative solution.


    First, I need to define Digital ID as that is what I am proposing. Digital IDs can be used to digitally sign emails and when used, informs the recipient that the email came from you.


    • I propose Homeaway issue a Digital ID to Owners upon purchasing an ad or renewal. It will have expiration but Homeaway has the ability to extend expiration based on Owner’s ad purchase or renewal. Owners use an email client (email program, not web browser) to load the Digital ID, and there are many email clients available free or otherwise.


    • Owner’s Inquiry response is coursed through Homeaway to authenticate Digital ID. If authenticated, it is sent to Inquirer (Traveler). This effectively prevents scammers from communicating with Inquirer (Traveler) even if scammer is able to phish Owner’s email credential because Scammer will not have Owner’s Digital ID.


    • Owner still has the option to reply to Inquiry by logging in to Dashboard if wishing to reply to Inquiry by way of web browser and not email client.


    • Owner still gets to see the email address of the Inquirer when receiving an Inquiry, to allow Owner to perform his/her own internet search based on email address, but it won’t appear in the From Field to allow anonymized reply.


    • Inquirer still gets to see the email address of the Owner which is provided elsewhere (or in the Owner’s signature), to allow Traveler to similarly perform his/her own internet search and for equal treatment, but won’t appear in the From Field to allow anonymized reply.


    • On subsequent communication, Owner and Traveler are not prevented from communicating directly and bypassing anonymized communication since both their individual email addresses are revealed to the other; however, Homeaway will have no liability in this instance. Homeowner and Traveler can simply copy previous anonymized email address and paste it to a To Field should they wish to revert back to anonymized email and under the umbrella of secure communication.
  • swiss-house Contributor 260 posts since
    Jul 6, 2011


    Mr. Crampit says:


    Look, I've been advertising my mountain cabin in the classifieds section of Mountain Life magazine for 10 years and it's done pretty well.  People call me, I tell them the rate, and they bring cash when they show up for the keys.  I don't want to hear anything about this Internet and email and all this other crap, because I have a system that works.


    Just 'cuz you magazine people want to start putting your magazine on the internet doesn't mean I want my cabin on there.  People will want to contact me by email, and that's something new that I'll have to do. 


    So if you start putting my advertisement in places where people are going to make me do things different, I'm just going to cancel my listing.  And then we'll see where you and your Internet thing end up then!



    OK - so this is a bit tongue in cheek, but the simple fact is:

    HA has determined that it's in their best interest to tackle a painful and expensive process like developing a whole email-like system with state of the art security to protect themselves and to a certain degree the industry from getting sidelined in the press and by local legislators.

    They have the money from the IPO. 

    They're going to do it



    You can either prepare to get on the bus, learn a new interface and modify your processes - painful as they may be, or you can get ready to step off the bus and let it roll on without you by finding a different place to advertise.


    But chances are good that Flipkey and all the other major sites will be doing something similar within 18-24 months anyway.


    • Some of the folks here have been really good at organizing thoughts and posting them in ways that help HA understand not only what is important to us, but WHY.  I think that's what they were hoping for.



    20 years ago the industry hardly existed.  It was all printed magazines and phone calls.  Then it was a hodge-podge of hit or miss websites that were so poorly designed that few in their right mind would trust them.  Smart individuals figured out ways to use PayPal and custom web sites to bring professionalism and trust to the marketplace.  Small players got eaten up by big players (much to my own chagrin).  And each step of the way, we had to make changes to the way we do business - how we attract customers, take pictures, write copy, send email, arrange payment, even give out door codes instead of keys for door locks!  Our industry has changed, and the innovative, flexible, successful homeowners have changed with it.


    RE: the upcoming change to the way we correspond with customers - This isn't the first time most of you have had to change the way you handle business, and I'm sure it won't be the last change either.


    If you have something new that you want to make sure HA doesn't overlook, speak up.


    But if this is going to continue being a re-hash of the same old fears and complaints, I'm sure Home Away will just tune us out altogether.

  • swiss-house Contributor 260 posts since
    Jul 6, 2011

    @ tfv:



    I am offering an alternative solution...



    Some similar ideas have been bounced around already - although none have been thought out in quite as much detail or the same way as yours.  Some good ideas here.


    This may work IF the initial email with the initial inquiry is sent encrypted to the Homeowner's email box, and the Homeowner has a PC-based decryption program to open it and read it.  But this requires that the homeowner have a PC/MAC/Linux based email client that supports public key encryption.


    If that initial email, which everyone says MUST include the renter's real email address and phone number in the text field so they can cross-check them, is ever intercepted by a bad guy, they have everything they need to impersonate the real owner.


    So, there must be 100% confidence that the homeowner is using a secure device (not a web browser on a PC) to read their encrypted mail.  But there is no way to be sure of that - there are browser-based public key clients out there too.  And unless they have 2-step type authentication, they can be hijacked like all the other email clients - and that encrypted message will be visible to whoever has the email login info.


    MAKING someone use a special email client is as bad, if not worse than making them use a specific purpose dashboard to perform specific purpose communication.  And of course, it ties you to a specific machine - you CAN'T read and respond to inquiries if you're on the road.


    Unfortunately, this is just a different mallet pounding the same nail.  Whether it's a public-key email system or a two-step authentication purpose-specific email system, it's still going to force people to use a different set of tools for communicating with customers than they use for all their other online communication.  And most will likely rebel against it just as hardily.

