Ask HN: Why no 2-factor authentication for web apps?
More and more I find myself keeping data on webapps (like gmail) that is really sensitive. I don't doubt that someone could successfully impersonate me or steal my identity if they shoulder surfed my password and had intent.
Why is there no open and easy to implement 2-factor authentication system? Is it just because nobody has built one and championed it?
Obviously this won't work on Gmail unless Google implemented it - but maybe this could be the killer app for OpenID (yeah right).
6 comments
[ 516 ms ] story [ 161 ms ] threadWhat if the "something you have" was your mobile phone?
Their reasoning for why it's supposed to be better than SMS:
a) you are not dependent on a third party (mobile phone operator), so that you couldn't access your account when there is no coverage, or your battery is dead, etc;
b) with SMS you get authorization once per session, with card reader each transaction gets unique authorization (you have to enter a transaction details twice - online and in the reader). So even if somebody "listens in" to your traffic, they would be just able to reply your actions exactly, not use your credentials to do their actions.
This layer of protection also exists for SMS solution, but it's limited as they use printed grid of codes for additional authorization of transactions. So that in principle if somebody hijacks your traffic for a long enough time, they would be able to reconstruct your static grid of codes. Or they could phish you to give your codes (it did happen, there is a big red warning on their homepage).