
What are your thoughts on two-factor authentication?


38 replies to this topic

Poll: What are your thoughts on two-factor authentication?


If two-factor authentication was available on a particular service would you use it?


#16 xendrome

xendrome

    In God We Trust; All Others We Monitor

  • 7,328 posts
  • Joined: 05-December 01
  • OS: Windows 8.1 Pro x64

Posted 09 April 2013 - 23:14

I have been 'hacked' before in a game I used to play that ironically had two-factor authentication (A 'Pin-code' system). That's the only thing of mine that has ever been exploited and it turns out they got a SQL dump with non-salted passwords, likely got the un-hashed pass in minutes and brute-forced my pin as the game seems to have zero brute-force recognition. I later got my character back and all of its stuff as there was an obvious roll-back.


A pin code system that sends to an e-mail address is insufficient, when someone gets into your one single e-mail account anything linked to that account is at risk. Using a true 2 factor authentication method includes some type of external hardware, be it your phone, code card, usb keyfob, or keychain token.


#17 Detection

Detection

    Detecting stuff...

  • 8,369 posts
  • Joined: 30-October 10
  • Location: UK
  • OS: 7 SP1 x64

Posted 09 April 2013 - 23:21

At the end of the day, who doesn't have a phone? Yes you can argue that some people don't, but that's BS, everyone has a phone. If you have the net, you can afford a £10 phone.

2 factor auth to a phone should be mandatory.

#18 SierraSonic

SierraSonic

    SierraSonic

  • 1,042 posts
  • Joined: 28-September 04
  • Location: Chicago
  • OS: Windows 8.1

Posted 09 April 2013 - 23:23

I say optional, be as secure as you want, just deal with all associated fees if you don't use the more secure option.

#19 Detection

Detection

    Detecting stuff...

  • 8,369 posts
  • Joined: 30-October 10
  • Location: UK
  • OS: 7 SP1 x64

Posted 09 April 2013 - 23:31

I say optional, be as secure as you want, just deal with all associated fees if you don't use the more secure option.


Optional to 'sign out' of the security would be my say, leave it enabled as default

#20 theyarecomingforyou

theyarecomingforyou

    Tiger Trainer

  • 16,446 posts
  • Joined: 07-August 03
  • Location: Terra Prime Profession: Jaded Sceptic
  • OS: Windows 8.1
  • Phone: Galaxy Note 3 with Galaxy Gear

Posted 09 April 2013 - 23:34

I use two-factor authentication with numerous services (Steam, Google, Blizzard) and very much appreciate the extra security. When I read the front page article I was surprised to see so many comments critical of it. Then again, it's like the people who maintain there is no need for anti-virus software because they're so knowledgeable about computers and the risks.

#21 astropheed

astropheed

    astropheed

  • 1,741 posts
  • Joined: 08-December 11
  • Location: Sydney, AU

Posted 09 April 2013 - 23:57

. . .true 2 factor authentication method includes some type of external hardware, be it your phone, code card, usb keyfob, or keychain token.


No, true two-factor authentication is being authenticated with two differing pieces of identification. I think you mean to use the word 'good' or 'better'.

Edit: I'm wrong.

Edited by astropheed, 10 April 2013 - 00:04.


#22 xendrome

xendrome

    In God We Trust; All Others We Monitor

  • 7,328 posts
  • Joined: 05-December 01
  • OS: Windows 8.1 Pro x64

Posted 10 April 2013 - 00:00

No, true two-factor authentication is being authenticated with two differing pieces of identification. I think you mean to use the word 'good' or 'better'.


Incorrect, the definition of two or multi-factor authentication, includes "something the user knows" example, password..... and "something the user has" like a keyfob, usb dongle, phone, code card. etc. Or replacing "something the user has" would be "something the user is" like a fingerprint, retina scan

Having a pin go to your e-mail isn't "something the user has"

#23 astropheed

astropheed

    astropheed

  • 1,741 posts
  • Joined: 08-December 11
  • Location: Sydney, AU

Posted 10 April 2013 - 00:03

Incorrect, the definition of two or multi-factor authentication, includes "something the user knows" example, password..... and "something the user has" like a keyfob, usb dongle, phone, code card. etc. Or replacing "something the user has" would be "something the user is" like a fingerprint, retina scan

Having a pin go to your e-mail isn't "something the user has"


I took the time to Google it and concede. You learn something new every day.

#24 xendrome

xendrome

    In God We Trust; All Others We Monitor

  • 7,328 posts
  • Joined: 05-December 01
  • OS: Windows 8.1 Pro x64

Posted 10 April 2013 - 00:05

I took the time to Google it and concede. You learn something new every day.


I am in the middle of a multi-factor authentication roll out right now to comply with FBI CJIS requirements, so I've had to do some research on it myself. The PIN system helps, like the way Steam implements it. But it still turns into a single point of failure if someone gets into the e-mail account associated with the Steam account; they then control the account e-mail and the PIN access.

#25 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • 26,436 posts
  • Joined: 30-November 01
  • Location: Iowa

Posted 10 April 2013 - 00:05

Incorrect, the definition of two or multi-factor authentication, includes "something the user knows" example, password..... and "something the user has" like a keyfob, usb dongle, phone, code card. etc. Or replacing "something the user has" would be "something the user is" like a fingerprint, retina scan

Having a pin go to your e-mail isn't "something the user has"


Correct.

Something you know: Text
Something you have: Physical Device
Something you are: Fingerprints or retina scan.

A pin to your email would be something you have access to but so could someone else.

#26 xendrome

xendrome

    In God We Trust; All Others We Monitor

  • 7,328 posts
  • Joined: 05-December 01
  • OS: Windows 8.1 Pro x64

Posted 10 April 2013 - 00:09

A pin to your email would be something you have access to but so could someone else.


The PIN, like with Steam as an example, would help in the instance where your Steam password and e-mail password were different, but someone got into your Steam account using its password. Then they could just change the associated account e-mail address and password to the Steam account. If you have the PIN enabled, it'll stop that, and hopefully the user doesn't have the same password for both services.
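
The dependency discussed in posts #24 and #26, as an added example that is not part of any member's post: a small reachability model showing which single leaked secret is enough to take over an account when the second step is a PIN sent by e-mail versus a code from a physical device. The asset names and the reset-by-e-mail route are assumptions made for illustration, not a description of how Steam or any other service is implemented.

```python
# Added example (constructed data): which leaked secret alone leads to takeover?
# Each asset lists its routes; a route is the set of things an attacker must
# already hold to obtain it. All names are hypothetical.
EMAIL_PIN = {
    "email_account": [{"email_password"}],
    "emailed_pin":   [{"email_account"}],      # PIN is delivered to the inbox
    "game_password": [{"email_account"}],      # password reset by e-mail
    "game_account":  [{"game_password", "emailed_pin"}],
}
HARDWARE_TOKEN = {
    "email_account": [{"email_password"}],
    "game_password": [{"email_account"}],
    "game_account":  [{"game_password", "token_code"}],  # code from a device
}

def with_password_reuse(routes):
    """Same password on both services: a leaked game password opens the inbox."""
    reused = dict(routes)
    reused["email_password"] = [{"game_password"}]
    return reused

def reachable(routes, leaked):
    """Fixed point: keep adding assets whose requirements are all held."""
    held = set(leaked)
    changed = True
    while changed:
        changed = False
        for asset, options in routes.items():
            if asset not in held and any(need <= held for need in options):
                held.add(asset)
                changed = True
    return held

def takeover(routes, leaked, target="game_account"):
    return target in reachable(routes, leaked)

def single_points_of_failure(routes, secrets, target="game_account"):
    """Secrets whose loss alone is enough to reach the target."""
    return sorted(s for s in secrets if takeover(routes, {s}, target))

if __name__ == "__main__":
    secrets = ["email_password", "game_password", "token_code"]
    for name, model in [("e-mail PIN", EMAIL_PIN), ("hardware token", HARDWARE_TOKEN)]:
        print(name, "->", single_points_of_failure(model, secrets))
```

With the e-mailed PIN the e-mail password is the only single point of failure, and password reuse turns the game password into one as well; with the device code no single secret is enough.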

#27 Hum

Hum

    totally wAcKed

  • 62,887 posts
  • Joined: 05-October 03
  • Location: Odder Space
  • OS: Windows XP, 7

Posted 10 April 2013 - 00:16

Angers me when Yahoo wants my phone number to log-on --- I always avoid that crap. :crazy:

#28 MorganX

MorganX

    MegaZilla™

  • 3,846 posts
  • Joined: 16-June 04
  • Location: Midwest USA
  • OS: Digita Storm Bolt, Windows 8.1 x64 Pro w/Media Center Pack, Server 2k12 - Core i7 3770K/16GB DDR3/OCZ Vector 256GB/Gigabyte GTX 760
  • Phone: HTC One 64GB

Posted 10 April 2013 - 01:09

Incorrect, the definition of two or multi-factor authentication, includes "something the user knows" example, password..... and "something the user has" like a keyfob, usb dongle, phone, code card. etc. Or replacing "something the user has" would be "something the user is" like a fingerprint, retina scan

Having a pin go to your e-mail isn't "something the user has"


Or something the user has and is: My favorite, Smart Card Fingerprint reader with fingerprint stored on smart chip for authentication as opposed to being stored in AD.

#29 Sandor

Sandor

    Neowinian Senior

  • 3,956 posts
  • Joined: 28-November 03
  • OS: Win 8.1

Posted 10 April 2013 - 01:32

I think your views would quickly change if your important accounts were hacked.

Not that long ago I used to use the same password for a lot of my accounts, I knew it was a bad move but never did anything about it until not all that long ago, my email and password that I was using for all these accounts, was exposed in a hack that publicised thousands of account details from some insignificant site that I had not even thought about for years.

Then I realised just how much could be lost if someone went playing with those details.

I use LastPass and fortunately for me, they told me which accounts were compromised.

Unfortunately for me, that was over 300 sites.

I spent the majority of the next few days changing my passwords on all of those sites with a securely generated password from LastPass, which I should have been using the entire time.

A lot of hours wasted and driving me insane, but a lesson learned all the same.

2 factor authentication would have prevented me worrying at all.


Considering you use LastPass, not really an excuse for having the same password on 300 sites.

I need to beef my security up a bit but at least I have a variety of usernames, email addresses and passwords to make combinations out of.

#30 Growled

Growled

    Neowinian Senior

  • 41,508 posts
  • Joined: 17-December 08
  • Location: USA

Posted 10 April 2013 - 02:23

I think it's a great idea but I rarely use it because it's annoying as hades. I'd rather use LastPass.