
Two-factor/two-step authentication

Discussion in 'Tech Talk - Gadgets, Gizmos and Technology' started by Mark Holtz, Feb 20, 2012.

  1. Mark Holtz

    Mark Holtz Day Sleeper DBSTalk Club

    10,492
    85
    Mar 23, 2002
    Sacramento, CA
    Anyone starting to use two-factor authentication? Two-factor authentication is when, in order to authenticate an account, you not only enter in a password but also a code from a device that you hold such as your smartphone. I know that it was previously used by some financial institutions where you had a keychain fob to authenticate access, and it has also been used by some online MMORPGs such as Battle.net (for World of Warcraft and Starcraft) and Star Wars: The Old Republic. A few months ago, the Google Authenticator application was introduced as well, and I have locked down both my LastPass account as well as my Google Accounts. Yahoo, however, implements an SMS message that gets sent to your cell phone as part of the log in process.

    Thoughts on this? Will Google Authenticator be implemented as a security feature now with web forum software such as vBulletin?
     
  2. Kevin F

    Kevin F Hall Of Fame

    1,128
    1
    May 9, 2010
    I've used it before but turned it off as it was overkill for me. For mobile devices Google Authenticator gives you a really long password to enter so you don't have to fuss around with its settings all the time.

    Kevin
     
  3. dpeters11

    dpeters11 Hall Of Fame

    16,322
    500
    May 30, 2007
    Cincinnati
    I use two factor, but only on computers that aren't recognized. I use LastPass for everything, and it's set up so that if I log into it from a computer it doesn't recognize, it requires my Yubikey. Mobile devices require me to login from a computer to authorize. Google Authenticator is similar I guess, but I figured Yubikey was more secure but I don't need it often.

    I don't use Google Authenticator anymore. My Gmail password is impossible in a realistic sense to brute force, knowing that the primary email address password is one of the most important aspects of a good password policy overall.
     
  4. spartanstew

    spartanstew Dry as a bone DBSTalk Club

    12,564
    61
    Nov 16, 2005
    Wylie, Texas
    Would be overkill for me too. If someone learns/gets my passwords, shame on me. I hate having to go through hoops to log on to places.

    I'd like to be able to log on to my laptop with a single password and every site I go to after that gets logged on automatically.
     
  5. RasputinAXP

    RasputinAXP Kwisatz Haderach of Cordcuttery

    3,145
    12
    Jan 23, 2008
    I use two-factor on my Google accounts.
     
  6. The Merg

    The Merg 1*

    10,289
    35
    Jun 24, 2007
    Northern VA
    I had a key fob for accessing my work network from home. I would have to enter my logon and password. After that I had to enter in my PIN plus a 6-digit code on the key fob, which changed every 6 minutes. Now, I have that code e-mailed to me after I first log in. The code e-mailed to me is good for 60 minutes. There is also a work-related website that I use where they e-mail me a 6-character PIN after I log in that needs to be entered.

    I find it kinda annoying.

    - Merg
     
  7. Mark Holtz

    Mark Holtz Day Sleeper DBSTalk Club

    10,492
    85
    Mar 23, 2002
    Sacramento, CA
    The way I work is that all my passwords are stored with KeePass where the master file is on a USB drive on my keychain and backed up to my hard drive using FreeFileSync and copied over to my Dropbox folder. Needless to say, I have very complex passwords.

    Since I work across multiple computers (and virtualizations) and multiple browsers, I use LastPass and Xmarks to synchronize my bookmarks and passwords. However, the LastPass list is much shorter than my KeePass list. And, yes, I have secured it with the Google Authenticator.

    What frustrates me is when financial institutions have weaker password limits than web forums.
     
  8. SayWhat?

    SayWhat? Know Nothing

    6,259
    133
    Jun 6, 2009
    I wouldn't suggest giving Google any personal information at all nor letting them 'authenticate' anything. They're about to get kicked in the head pretty hard over numerous privacy violations. The FTC has been asked to investigate their practices of hacking and bypassing privacy policies.

    I use them for a browser and NOTHING else.
     
  9. klang

    klang Hall Of Fame

    1,268
    2
    Oct 14, 2003
    Near...
    RSA SecurID makes the key fobs with the six-digit codes most use.

    I used them with a previous employer for VPN access. Currently use one with the bank to access our commercial accounts via the web.

    I suspect we will see them used more frequently in the future for business but I see no need for my personal stuff.
     
  10. RasputinAXP

    RasputinAXP Kwisatz Haderach of Cordcuttery

    3,145
    12
    Jan 23, 2008
    [citation needed]
     
  11. SayWhat?

    SayWhat? Know Nothing

    6,259
    133
    Jun 6, 2009
    http://www.pcmag.com/article2/0,2817,2400453,00.asp

    http://arstechnica.com/tech-policy/...tm_source=rss&utm_medium=rss&utm_campaign=rss

    http://www.webmonkey.com/2012/02/go...-accepting-tracking-cookies-microsoft-claims/
     
  12. RasputinAXP

    RasputinAXP Kwisatz Haderach of Cordcuttery

    3,145
    12
    Jan 23, 2008
    Yeah. Except it's already a non-issue.

    http://www.engadget.com/2012/02/20/microsoft-finds-google-bypassed-internet-explorers-privacy-sett/

    Again, it's a non-issue. It has to do with Microsoft trying to force an IE-only web policy down people's throats.

    And if you want the same info regarding Safari, it's all here. Cookies are the least of your worries.
     
  13. The Merg

    The Merg 1*

    10,289
    35
    Jun 24, 2007
    Northern VA
    That's who my key fob was from.

    - Merg
     
  14. dpeters11

    dpeters11 Hall Of Fame

    16,322
    500
    May 30, 2007
    Cincinnati
    But after the security breach at RSA, did you get a new fob? Until the ones that were active at that point are replaced, the entire system is suspect.
     
  15. bobukcat

    bobukcat Hall Of Fame

    1,965
    2
    Dec 20, 2005
    I wondered about that breach myself as I use RSA Fobs for my work login (soft token on my laptop) and for a couple customers who provide me with remote VPN access to their systems using keychain fobs. I've never received a replacement for any of them or even a new seed file for the soft token I use, therefore I suspect the breach did not warrant such replacement.
     
  16. dpeters11

    dpeters11 Hall Of Fame

    16,322
    500
    May 30, 2007
    Cincinnati
    I think they basically said to call them, but they might only replace them if they feel the company has higher risk. I'd call them and see about replacement.

    http://www.rsa.com/node.aspx?id=3891
     
  17. klang

    klang Hall Of Fame

    1,268
    2
    Oct 14, 2003
    Near...
    For the older one I left the company before the breach. The one from the bank was only issued a couple months ago. I should be clean. :D
     
  18. Mark Holtz

    Mark Holtz Day Sleeper DBSTalk Club

    10,492
    85
    Mar 23, 2002
    Sacramento, CA
    The Google Authenticator is specifically designed not to access the Internet. To read in the code, you scan in a QR code which then generates the token needed to log in.

    Remember, there are three ways to authenticate a user:
    • What the user knows - such as a password or PIN code
    • What the user has - such as a physical token
    • What the user is - fingerprint or facial biometrics
    Anything to better secure my accounts that either deal with money or allow me to receive "Forgot password" or bank statements is very important to me. Two-factor authentication on Facebook? Maybe. Two-factor authentication on dbstalk? Don't think so.
     
  19. dpeters11

    dpeters11 Hall Of Fame

    16,322
    500
    May 30, 2007
    Cincinnati
    Yeah certainly not needed for here. I figure I need the most security on systems that aren't mine, so that's where I have the most hoops. As long as I have my keys, it's all good.
     
