+Warwagon MVC Posted May 19, 2013

When you first open the application up it generates a "Credential ID" and then based off that ID starts generating Security codes. Now if say with Paypal you register that Credential ID and that security code you can then use this app on your smart phone as two factor authentication.

Except, there is one problem. If you ever, for any reason, have to reinstall the application, it gives you a COMPLETELY DIFFERENT Credential ID and thus the app will no longer generate codes that will work with your sites you already have set up. So unless you have "I forgot my two factor authentication device", which defeats the purpose, you will be totally screwed.

I wish it would somehow register with an account so upon re-installation of the application you retain the same Credential ID.

I got totally ****ed by this when I used it on my Paypal account. For security reasons I did not want someone to be able to get around my security key by clicking "I don't have it with me". Then I formatted my iPod touch 4th gen and went to reinstall the VIP app and got a different ID. I was totally locked out of my account. This was before you could also use your cell phone, or in the case of eBay they only allow you to activate one device on the account.

So this is just a slight warning for anyone who uses this as their sole method of two factor authentication.

djdanster Posted May 19, 2013

I don't personally use it, but for those that do this is a good heads up!

vcfan Posted May 19, 2013

if the credential ID was generated from a hardware ID for example, then wouldn't this create another security risk if you lose your device or even sell it? and about creating some account, again, wouldn't that also create another security risk? if someone hacks that account, then they can generate codes too. I think even though their method is somewhat cumbersome, it's still the safest route.

+Warwagon MVC Posted May 19, 2013 (Author)

> if the credential ID was generated from a hardware ID for example, then wouldn't this create another security risk if you lose your device or even sell it? and about creating some account, again, wouldn't that also create another security risk? if someone hacks that account, then they can generate codes too. I think even though their method is somewhat cumbersome, it's still the safest route.

Why not create the credentials ID based on a device ID + a password or pin of your choice. First, allow you to protect opening the app with a password (right now there is none). Second, when you go to install / reinstall the application, have it ask for the special pin or password that it then hashes with the device ID to create the same Credential ID.

vcfan Posted May 19, 2013

> Why not create the credentials ID based on a device ID + a password or pin of your choice.

of course they can do that, and it would be easier, but a random credential id is still safer. the algorithm to generate the credential id from a hardware id and password would be known by looking at the code of the app. someone would just have to know your password, and a piece of static info that will never change, to be able to start generating codes on their own.

+Warwagon MVC Posted May 19, 2013 (Author)

> of course they can do that, and it would be easier, but a random credential id is still safer. the algorithm to generate the credential id from a hardware id and password would be known by looking at the code of the app. someone would just have to know your password to be able to start generating codes on their own.

Well assuming someone isn't an idiot and wouldn't use a password they always use. how would anyone know what the password would be? I'm no longer using this application because you could VERY easily get locked out of your account. Let's say you are using this as a sole two factor authentication and the phone dies? Or android crashes or for any reason you have to reinstall the application. Anyone using this would be so ****ed. I still like a Text message SMS.

vcfan Posted May 19, 2013

> Well assuming someone isn't an idiot and wouldn't use a password they always use. how would anyone know what the password would be? I'm no longer using this application because you could VERY easily get locked out of your account. I still like a Text message SMS.

there are plenty of idiots :), and that's why this application does what it does the way it does it.

+Warwagon MVC Posted May 19, 2013 (Author)

> there are plenty of idiots :), and that's why this application does what it does the way it does it.

I had a hell of a time getting back into my paypal account. Took a phone call.

vcfan Posted May 19, 2013

> I had a hell of a time getting back into my paypal account. Took a phone call.

see how secure it is, even the rightful account holder has a hard time getting into his account :laugh: . you win, verisign.

+Warwagon MVC Posted May 19, 2013 (Author)

> see how secure it is, even the rightful account holder has a hard time getting into his account :laugh: . you win, verisign.

What about how Google authenticator does it. They give you special QR codes. That you can save. If you have to reinstall google authenticator on your phone you take a picture of the QR code and you are back in business! :)

vcfan Posted May 19, 2013

> What about how Google authenticator does it. They give you special QR codes. That you can save. If you have to reinstall google authenticator on your phone you take a picture of the QR code and you are back in business! :)

that's actually a really good idea. well until you lose your QR codes. what do you do if that happens?

+Warwagon MVC Posted May 19, 2013 (Author)

> that's actually a really good idea. well until you lose your QR codes. what do you do if that happens?

Then you're ****ed. But then it's your own fault :)

vcfan Posted May 19, 2013

> Then you're ****ed. But then it's your own fault :)

lol yep. gotta love security.

+Warwagon MVC Posted May 19, 2013 (Author)

> lol yep. gotta love security.

As a test I've uninstalled Google Authenticator from my phone and reinstalled it and then took a picture of the saved QR code. It worked beautifully, I almost got a tear in my eye.

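The reinstall test in the post above works because an enrollment QR code carries the shared secret itself, encoded as an `otpauth://` URI. This is an added example, not part of the thread and not any vendor's code: a standard RFC 6238 TOTP in Python, where the secret, account name and issuer are constructed values and the "reinstall that issues a new credential" case is modelled, as an assumption, by a fresh random secret.

```python
import base64, hashlib, hmac, secrets, struct
from urllib.parse import urlparse, parse_qs, quote

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, 30-second steps."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def enrollment_uri(secret: bytes, account: str, issuer: str) -> str:
    """Build the otpauth:// URI that an enrollment QR code encodes."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = f"{quote(issuer)}:{quote(account)}"
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"

def secret_from_uri(uri: str) -> bytes:
    """Recover the shared secret from a saved enrollment URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    b32 = parse_qs(parsed.query)["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)                 # restore stripped padding
    return base64.b32decode(b32)

def reinstall_demo(now: int) -> dict:
    """Compare the server's expected code with two reinstall outcomes."""
    enrolled = b"12345678901234567890"           # constructed: RFC 6238 test secret
    saved_qr = enrollment_uri(enrolled, "alice@example.com", "ExampleSite")
    return {
        "server": totp(enrolled, now),
        # Reinstall, then rescan the saved QR: same secret, same codes.
        "restored": totp(secret_from_uri(saved_qr), now),
        # Reinstall that mints a new secret (assumption): codes diverge.
        "regenerated": totp(secrets.token_bytes(20), now),
    }

if __name__ == "__main__":
    print(reinstall_demo(59))
```

A saved QR image is equivalent to the secret, so anyone who obtains it can generate the same codes; it belongs in offline or encrypted storage rather than a photo roll.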
vcfan Posted May 19, 2013

> As a test I've uninstalled Google Authenticator from my phone and reinstalled it and then took a picture of the saved QR code. It worked beautifully, I almost got a tear in my eye.

I just installed the Microsoft authenticator app on my WP, and it works beautifully too for my microsoft accounts by scanning QR codes. nice.

+Warwagon MVC Posted May 19, 2013 (Author)

> I just installed the Microsoft authenticator app on my WP, and it works beautifully too for my microsoft accounts by scanning QR codes. nice.

Did you almost get a tear?

vcfan Posted May 19, 2013

> Did you almost get a tear?

I was bawling.

Erratist Posted February 5, 2016

Lol, so you blame the app for you being dumb enough not to remove it from your account before resetting your device?

+Warwagon MVC Posted February 5, 2016 (Author)

12 minutes ago, Bachsau said:

> Lol, so you blame the app for you being dumb enough not to remove it from your account before resetting your device?

There is that. But also if the device were to get broken or stolen and you had to reinstall the application on a new device. Same issue.

Erratist Posted February 5, 2016

13 minutes ago, warwagon said:

> There is that. But also if the device were to get broken or stolen and you had to reinstall the application on a new device. Same issue.

This is the way that keys are supposed to work. If you lose your key you can't open your door. I mean you can't blame a security app for… well, being secure. To get access to your PayPal account again, you will just have to provide some more of your information to prove your identity, which I think is okay if you don't get your devices stolen on a daily basis.^^