Discussion in 'Article Discussion' started by Gareth Halfacree, 17 Oct 2016.
Aims to boost account security.
I hope it's not cookie-based like e.g. Humble Bundle. Every time I try to log in I need to verify my browser. Very annoying.
Can confirm I am a user daft enough to share passwords between accounts, I couldn't tell you which ones as normally I have to sit there cycling through a selection of passwords if it's something I haven't logged into for a while haha!
In general a fan of moving to improving security, don't mind a bit more faff.
@GeorgeStorm - If you don't mind a bit more faff, sounds like a free password manager - like LastPass or KeePass - would be worth looking into. Once you get past the initial difficulty of setting them up, they're quite easy to use.
It would be nice if someone like Google or whatever internet giant would sell an authenticator key and allow third parties to use the associated authentication service. The whole texting the code thing has to be expensive and I do find it less than ideal.
Well, there's Google Authenticator, a time-based one-time password token which has seen pretty widespread adoption. It's most common to have it (or a third party implementation like Authy) installed on a smartphone, but you could build a hardware dongle to the same spec.
There's also FIDO U2F: I've got a compatible USB dongle on my keyring, and you just plug it in when requested. Fantastically easy, but no bugger supports it and you need to use Google Chrome...
Really, a hardware dongle for Google Authenticator would be ideal. For me it would be more user friendly than accessing a text or applet based system.
I think 'shadow was talking about a hardware token with a screen, rather than a traditional hang-off-the-back-of-a-port dongle - I know I was in my Google Authenticator paragraph.
That said, though, there are fixes for true dongles and mobile devices: my FIDO U2F dongle connects happily to anything with a USB port, the Mooltipass works fine with smartphones and tablets using a USB OTG adapter, and the YubiKey NEO works over USB or NFC - so you don't even need an adaptor.
Yes, that's correct.
Fingerprints are a terrible authentication mechanism. Sure, they're fast and easy - but what other authentication mechanism can you think of which is impossible to revoke and you leave copies of on everything you touch? Hell, it's possible to reproduce a person's fingerprints from a photo of them waving - I wrote about it on 'ere a while back. Once your fingerprints are out there, you're screwed (and your fingerprints are already out there, should anyone care to find 'em) - whereas if you lose your authenticator token you just revoke it and get a new one.
Well, you could probably remove the risk associated with the fingerprint-as-authentication problem by using it to only authenticate locally. Rather than transmit the fingerprint information to a remote server, use the fingerprint to activate a device to send a unique password to the remote server. In essence it would be a fingerprint-activated, hardware-based password manager.
Surely something like that exists already.
Fingerprints are the equivalent of a username, not a password.
Re: Google Authenticator, it's great. Paired with my smartwatch, it's super easy logging in to anything with it.