A warning to anyone who uses verisign vip access App two factor authenticat


When you first open the application up it generates a "Credential ID" and then based off that ID starts generating Security codes. Now if say with Paypal you register that Credential ID and that security code you can then use this app on your smart phone as two factor authentication

Except, there is one problem.

If you ever, for any reason have to reinstall the application, it gives you a COMPLETELY DIFFERENT Credential ID and thus the app will no longer generate codes that will work with your sites you already have setup.

So unless you have "I forgot my two factor authentication device", which defeats the purpose, you will be totally screwed.

I wish it would somehow register with an account so upon re-installation of the application you retain the same Credential ID.

I got totally ****ed by this when I used it on my Paypal account. For security reasons I did not want someone to be able to get around my security key by clicking "I don't have it with me"

Then I formatted my iPod touch 4th gen and went to reinstall the VIP app and got a different ID. I was totally locked out of my account. This was before you could also use your cell phone, or in the case of eBay they only allow you to activate one device on the account.

So this is just a slight warning for anyone who uses this as their sole method of two factor authentication.

if the credential ID was generated from a hardware ID for example, then wouldn't this create another security risk if you lose your device or even sell it?

and about creating some account, again, wouldn't that also create another security risk? if someone hacks that account, then they can generate codes too.

I think even though their method is somewhat cumbersome, it's still the safest route.

Why not create the credentials ID based on a device ID + a password or pin of your choice.

First allow you to protect opening the app with a password (right now there is none)

second when you go to install / reinstall the application, have it ask for the special pin or password that it then hashes with the device ID to create the same Credential ID.

of course they can do that, and it would be easier, but a random credential id is still safer. the algorithm to generate the credential id from a hardware id and password would be known by looking at the code of the app. someone would just have to know your password, and a piece of static info that will never change, to be able to start generating codes on their own.

Well assuming someone isn't an idiot and wouldn't use a password they always use. how would anyone know what the password would be? I'm no longer using this application because you could VERY easily get locked out of your account.

Let's say you are using this as a sole two factor authentication and the phone dies? Or android crashes or for any reason you have to reinstall the application. Anyone using this would be so ****ed.

I still like a Text message SMS.

there are plenty of idiots :), and that's why this application does what it does the way it does it.

I had a hell of a time getting back into my paypal account. Took a phone call.

see how secure it is, even the rightful account holder has a hard time getting into his account :laugh: . you win, verisign.

What about how Google authenticator does it. They give you special QR codes. That you can save. If you have to reinstall google authenticator on your phone you take a picture of the QR code and you are back in business! :)

that's actually a really good idea. well until you lose your QR codes. what do you do if that happens?

lol yep. gotta love security.

As a test I've uninstalled Google Authenticator from my phone and reinstalled it and then took a picture of the saved QR code. It worked beautifully, I almost got a tear in my eye.

I just installed the Microsoft authenticator app on my WP, and it works beautifully too for my microsoft accounts by scanning QR codes. nice.

Did you almost get a tear?
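
Why the saved QR code restores an authenticator after a reinstall, as an added example that is not part of any post in this thread: the QR code encodes an `otpauth://` URI carrying the shared secret, and TOTP (RFC 6238) codes depend only on that secret and the clock. The URI below is constructed from the RFC 6238 test key, and `fresh_install_uri` is a hypothetical model of an app that generates a new random credential on every install, as the first post describes.

```python
import base64, hashlib, hmac, secrets, struct
from urllib.parse import urlparse, parse_qs

# Constructed sample: the URI a provisioning QR code encodes. The secret is the
# base32 form of the RFC 6238 test key "12345678901234567890".
SAVED_QR_URI = ("otpauth://totp/Example:alice@example.com"
                "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")

def parse_otpauth(uri):
    """Return (key_bytes, digits, period) from an otpauth://totp URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth TOTP URI")
    q = parse_qs(u.query)
    secret = q["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)      # restore stripped base32 padding
    return (base64.b32decode(secret),
            int(q.get("digits", ["6"])[0]),
            int(q.get("period", ["30"])[0]))

def totp(key, unix_time, digits=6, period=30):
    """RFC 6238 TOTP with HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def code_after_install(uri, unix_time):
    """Code an app shows once it has been provisioned from `uri`."""
    key, digits, period = parse_otpauth(uri)
    return totp(key, unix_time, digits, period)

def fresh_install_uri():
    """Hypothetical: an app that draws a new random secret on each install."""
    secret = base64.b32encode(secrets.token_bytes(20)).decode()
    return f"otpauth://totp/Example:alice@example.com?secret={secret}&digits=8"

if __name__ == "__main__":
    t = 59  # RFC 6238 test time
    print("first install :", code_after_install(SAVED_QR_URI, t))
    print("restored (QR) :", code_after_install(SAVED_QR_URI, t))
    print("fresh secret  :", code_after_install(fresh_install_uri(), t))
```

Anyone holding the saved QR code can generate the same codes, so a backup copy needs the same protection as the device itself.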

  • 2 years later...
12 minutes ago, Bachsau said:

Lol, so you blame the app for you being dumb enough not to remove it from your account before resetting your device?

There is that. But also if the device were to get broken or stolen and you had to reinstall the application on a new device. Same issue.


13 minutes ago, warwagon said:

There is that. But also if the device were to get broken or stolen and you had to reinstall the application on a new device. Same issue.


This is the way that keys are supposed to work. ;)

If you lose your key you can't open your door. I mean you can't blame a security app for… well, being secure. To get access to your PayPal account again, you will just have to provide some more of your information to prove your identity, which I think is okay if you don't get your devices stolen on a daily basis.^^

This topic is now closed to further replies.