This is intended as a second piece of authentication to be used every time you log on, so it's not for resetting passwords at all. So it should always increase security.
I agree about bad password resets though. Developers need to consider a password reset mechanism as an alternative login method, and make it at least as secure.
I've thought about using this approach, my concern is that SMS is not always "instant". I've had messages take up to 30 minutes to get delivered; it probably does not happen often but it wouldn't take too many occurrences of having to wait for a message on my phone before i'd get irritated.
I work at an SMS aggregator, and I've never heard of such a thing. SMS are pretty speedy, unless something goes wrong and they get wedged, in which case priority messages wouldn't help you anyway.
> or generated on an application you can install on your Android, BlackBerry or iPhone device
It seems it's a bit like a RSA fob as an app.. Very cool, and a concept that could be expanded. Basically, you could sell whitelabel apps and the backend service to websites that wants two-factor.
Hey! I don't mean to "spam" you... but I'd be really interested in your opinion given your expertise and position regarding my original comment. Are keyloggers and the like blown out of proportion? Don't you feel being locked out of your account/domain is a pretty serious security issue for most small players/home users? Please share my proposal at Google! Best.
> Are keyloggers and the like blown out of proportion
Keyloggers and password reuse are a real-world security issue. Two-factor authentication provides an extra level of protection against them.
> being locked out of your account/domain .... for most small players/home users?
The final step of configuring two-factor verification provides you with a list of one-time codes you can print. This provides a back-up way of having codes in case your phone is lost. You can keep these printed codes some place safe like your wallet or safety deposit box.
OK, I've been meaning to ask the HN community about this. Please share your thoughts.
Wouldn't it make a lot of sense for Google (et al) to have this sort of authentication every time you want to change your Google Accounts password? Isn't this a pretty safe way to prevent being locked out should someone gain access to your account?
You may be thinking about costs, but this could easily be a premium service I would gladly pay for! For instance, I could charge $10 to my account, which should allow me plenty of password changes in the future. An intruder may "waste" at most one SMS, since he would not have it and until then Google should not send you any additional SMSs. Does it make sense? If it does, you Googlers in here, please pass it on!
While we're at it... how about extending this to domain registrars? This would be even more critical. I must say it, I'm pretty paranoid and by now it clearly shows. I don't know how you guys have launched successful websites and cope with this lack of safety features. I know I'm rambling, but please speak your mind on this issue.
PS: I realize things are not so bad as they could be, that probably keyloggers are rather hard to plant, etc. But it wouldn't hurt to have these features, and the companies involved would only profit, both financially and in terms of reliability.
With OpenID, I wonder whether people would appreciate the option to "outsource" their authentication. If places like domain registrars supported it then people could take the option most convenient for them.
Some people would just use OpenID to their email provider, others could pick providers who use two-factor auth of various kinds (and pay for the extra SMS costs there, without the site themselves having to support it).
The really paranoid could have SecurID-style keyfobs for every site if they wanted to.
Well, since two-factor authentification is required to login into your account to change password, I would think it already applies to password change?
I believe ez77 is saying to make it so that the 2 factor auth. comes every time you try to change your password whereas this seems to be designed to only be used the first time you use a computer with an account. I may be mistaken though.
24 comments
[ 3.6 ms ] story [ 73.0 ms ] threadI agree about bad password resets though. Developers need to consider a password reset mechanism as an alternative login method, and make it at least as secure.
It seems it's a bit like a RSA fob as an app.. Very cool, and a concept that could be expanded. Basically, you could sell whitelabel apps and the backend service to websites that wants two-factor.
(Disclaimer: This was my project at Google.)
(disclaimer: I work on the project.)
Keyloggers and password reuse are a real-world security issue. Two-factor authentication provides an extra level of protection against them.
> being locked out of your account/domain .... for most small players/home users?
The final step of configuring two-factor verification provides you with a list of one-time codes you can print. This provides a back-up way of having codes in case your phone is lost. You can keep these printed codes some place safe like your wallet or safety deposit box.
http://www.google.com/support/accounts/bin/answer.py?answer=...
Wouldn't it make a lot of sense for Google (et al) to have this sort of authentication every time you want to change your Google Accounts password? Isn't this a pretty safe way to prevent being locked out should someone gain access to your account?
You may be thinking about costs, but this could easily be a premium service I would gladly pay for! For instance, I could charge $10 to my account, which should allow me plenty of password changes in the future. An intruder may "waste" at most one SMS, since he would not have it and until then Google should not send you any additional SMSs. Does it make sense? If it does, you Googlers in here, please pass it on!
While we're at it... how about extending this to domain registrars? This would be even more critical. I must say it, I'm pretty paranoid and by now it clearly shows. I don't know how you guys have launched successful websites and cope with this lack of safety features. I know I'm rambling, but please speak your mind on this issue.
PS: I realize things are not so bad as they could be, that probably keyloggers are rather hard to plant, etc. But it wouldn't hurt to have these features, and the companies involved would only profit, both financially and in terms of reliability.
Some people would just use OpenID to their email provider, others could pick providers who use two-factor auth of various kinds (and pay for the extra SMS costs there, without the site themselves having to support it). The really paranoid could have SecurID-style keyfobs for every site if they wanted to.