
News GOG to enable two-step login as standard

Discussion in 'Article Discussion' started by Gareth Halfacree, 17 Oct 2016.

  1. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,401
    Likes Received:
    1,814
  2. azrael-

    azrael- I'm special...

    Joined:
    18 May 2008
    Posts:
    3,848
    Likes Received:
    124
    I hope it's not cookie-based like e.g. Humble Bundle. Every time I try to log in I need to verify my browser. Very annoying.
     
  3. GeorgeStorm

    GeorgeStorm Aggressive PC Builder

    Joined:
    16 Dec 2008
    Posts:
    6,075
    Likes Received:
    257
    Can confirm I am a user daft enough to share passwords between accounts, I couldn't tell you which ones as normally I have to sit there cycling through a selection of passwords if it's something I haven't logged into for a while haha!

    In general a fan of moving to improving security, don't mind a bit more faff :)
     
  4. pbryanw

    pbryanw Member

    Joined:
    22 Jul 2009
    Posts:
    190
    Likes Received:
    4
    @GeorgeStorm - If you don't mind a bit more faff, sounds like a free password manager - like LastPass or KeePass - would be worth looking into. Once you get past the initial difficulty of setting them up, they're quite easy to use.
     
  5. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,162
    Likes Received:
    141
    It would be nice if someone like Google or whatever internet giant would sell an authenticator key and allow third parties to use the associated authentication service. The whole texting the code thing has to be expensive and I do find it less than ideal.
     
  6. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,401
    Likes Received:
    1,814
    Well, there's Google Authenticator, a time-based one-time password token which has seen pretty widespread adoption. It's most common to have it (or a third-party implementation like Authy) installed on a smartphone, but you could build a hardware dongle to the same spec.

    There's also FIDO U2F: I've got a compatible USB dongle on my keyring, and you just plug it in when requested. Fantastically easy, but no bugger supports it and you need to use Google Chrome...
     
  7. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,162
    Likes Received:
    141
    Really a hardware dongle for Google Authenticator would be ideal. For me it would be more user friendly than accessing a text or applet-based system.
     
  8. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,401
    Likes Received:
    1,814
    I think 'shadow was talking about a hardware token with a screen, rather than a traditional hang-off-the-back-of-a-port dongle - I know I was in my Google Authenticator paragraph.

    That said, though, there are fixes for true dongles and mobile devices: my FIDO U2F dongle connects happily to anything with a USB port, the Mooltipass works fine with smartphones and tablets using a USB OTG adapter, and the Yubikey Neo works over USB or NFC - so you don't even need an adaptor.
     
  9. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,162
    Likes Received:
    141
    Yes, that's correct.
     
  10. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,401
    Likes Received:
    1,814
    Fingerprints are a terrible authentication mechanism. Sure, they're fast and easy - but what other authentication mechanism can you think of which is impossible to revoke and you leave copies of on everything you touch? Hell, it's possible to reproduce a person's fingerprints from a photo of them waving - I wrote about it on 'ere a while back. Once your fingerprints are out there, you're screwed (and your fingerprints are already out there, should anyone care to find 'em) - whereas if you lose your authenticator token you just revoke it and get a new one.
     
  11. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,162
    Likes Received:
    141
    Well, you could probably remove the risk associated with the fingerprint-as-authentication problem by using it only to authenticate locally. Rather than transmit the fingerprint information to a remote server, use the fingerprint to activate a device to send a unique password to the remote server. In essence it would be a fingerprint-activated, hardware-based password manager.

    Surely something like that exists already.
     
  12. Edwards

    Edwards Active Member

    Joined:
    8 Oct 2010
    Posts:
    796
    Likes Received:
    42
    Fingerprints are the equivalent of a username, not a password.

    Re: Google authenticator, it's great. Paired with my smartwatch, it's super easy logging in to anything with it.
     
