Ask HN: Why no 2-factor authentication for web apps?

4 points by gstar ↗ HN
More and more I find myself keeping data on webapps (like gmail) that is really sensitive. I don't doubt that someone could successfully impersonate me or steal my identity if they shoulder surfed my password and had intent.

Why is there no open and easy to implement 2-factor authentication system? Is it just because nobody has built one and championed it?

Obviously this won't work on Gmail unless Google implemented it - but maybe this could be the killer app for OpenID (yeah right).

6 comments

[ 516 ms ] story [ 161 ms ] thread
Some banks -- mostly in Europe -- have started using two-factor authentication. But so far the biggest problem with "something you know and something you have" is an unavoidable one: "something you have" costs money.
Yes, I use Barclays and have one of their nifty chip and pin devices.

What if the "something you have" was your mobile phone?

My bank sends me SMS with a PIN code when I log in. But they are in the process of replacing the system with a card reader that reads your debit card (smartcard with a chip).
Are you supposed to use this card reader from your computer at home? The SMS with a PIN seems more secure AND more usable, and has the added benefit that you get notified if someone else tries to login to your account.
It's a small calculator-like device, more or less the size of the credit card.

Their reasoning for why it's supposed to be better than SMS:

a) you are not dependent on a third party (mobile phone operator), so that you couldn't access your account when there is no coverage, or your battery is dead, etc;

b) with SMS you get authorization once per session, with card reader each transaction gets unique authorization (you have to enter a transaction details twice - online and in the reader). So even if somebody "listens in" to your traffic, they would be just able to reply your actions exactly, not use your credentials to do their actions.

This layer of protection also exists for SMS solution, but it's limited as they use printed grid of codes for additional authorization of transactions. So that in principle if somebody hijacks your traffic for a long enough time, they would be able to reconstruct your static grid of codes. Or they could phish you to give your codes (it did happen, there is a big red warning on their homepage).

Yep, with OpenID you can choose to use stronger auth. Somebody from Vidoop said they want to give away tokens; I wonder how that's going.