# Two-factor/two-step authentication



## Mark Holtz (Mar 23, 2002)

Anyone starting to use two-factor authentication? Two factor authentication is when, in order to authenticate an account, you not only enter in a password but also a code from a device that you hold such as your smartphone. I know that it was previously used by some financial institutions where you had a keychain FOB to authenticate access, and it has also been used by some online MMORPG such as Battle.net (for World of Warcraft and Starcraft) and Star Wars: The Old Republic. A few months ago, the Google Authenticator application was introduced as well, and I have locked down both my LastPass account as well as my Google Accounts. Yahoo, however, implements an SMS message that gets sent to your cell phone as part of the login process.

Thoughts on this? Will Google Authenticator be implemented as a security feature now with web forum software such as vBulletin?


----------



## Kevin F (May 9, 2010)

I've used it before but turned it off as it was overkill for me. For mobile devices Google Authenticator gives you a really long password to enter so you don't have to fuss around with its settings all the time.

Kevin


----------



## dpeters11 (May 30, 2007)

I use two factor, but only on computers that aren't recognized. I use LastPass for everything, and it's set up so that if I log into it from a computer it doesn't recognize, it requires my Yubikey. Mobile devices require me to login from a computer to authorize. Google Authenticator is similar I guess, but I figured Yubikey was more secure but I don't need it often.

I don't use Google Authenticator anymore. My Gmail password is impossible in a realistic sense to brute force, knowing that the primary email address password is one of the most important aspects of a good password policy overall.


----------



## spartanstew (Nov 16, 2005)

Would be overkill for me too. If someone learns/gets my passwords, shame on me. I hate having to go through hoops to log on to places. 

I'd like to be able to log on to my laptop with a single password and every site I go to after that gets logged on automatically.


----------



## RasputinAXP (Jan 23, 2008)

I use two-factor on my Google accounts.


----------



## The Merg (Jun 24, 2007)

I had a key fob for accessing my work network from home. I would have to enter my login and password. After that I had to enter in my PIN plus a 6-digit code on the key fob, which changed every 6 minutes. Now, I have that code e-mailed to me after I first login. The code e-mailed to me is good for 60 minutes. There is also a work-related website that I use where they e-mail me a 6 character PIN after I login that needs to be entered.

I find it kinda annoying.

- Merg


----------



## Mark Holtz (Mar 23, 2002)

spartanstew said:


> Would be overkill for me too. If someone learns/gets my passwords, shame on me. I hate having to go through hoops to log on to places.


The way I work is that all my passwords are stored with KeePass where the master file is on a USB drive on my keychain and backed up to my hard drive using FreeFileSync and copied over to my Dropbox folder. Needless to say, I have very complex passwords.

Since I work across multiple computers (and virtualizations) and multiple browsers, I use LastPass and Xmarks to synchronize my bookmarks and passwords. However, the LastPass list is much shorter than my KeePass list. And, yes, I have secured it with the Google Authenticator.

What frustrates me is when financial institutions have weaker password limits than web forums.


----------



## SayWhat? (Jun 7, 2009)

I wouldn't suggest giving Google any personal information at all nor letting them 'authenticate' anything. They're about to get kicked in the head pretty hard over numerous privacy violations. The FTC has been asked to investigate their practices of hacking and bypassing privacy policies.

I use them for a browser and NOTHING else.


----------



## klang (Oct 14, 2003)

RSA SecurID makes the key fobs with the six digit codes most use.

I used them with a previous employer for VPN access. Currently use one with the bank to access our commercial accounts via the web.

I suspect we will see them used more frequently in the future for business but I see no need for my personal stuff.


----------



## RasputinAXP (Jan 23, 2008)

SayWhat? said:


> I wouldn't suggest giving Google any personal information at all nor letting them 'authenticate' anything. They're about to get kicked in the head pretty hard over numerous privacy violations. The FTC has been asked to investigate their practices of hacking and bypassing privacy policies.
> 
> I use them for a browser and NOTHING else.


[citation needed]


----------



## SayWhat? (Jun 7, 2009)

> Today's controversy surrounding Google's tracking of Safari-based cookies has prompted the attention of Congress, with several House members calling on the Federal Trade Commission to investigate.


http://www.pcmag.com/article2/0,2817,2400453,00.asp



> The Consumer Watchdog advocacy group today asked the Federal Trade Commission to investigate whether Google violated a previous privacy agreement with the FTC by tracking cookies in a way that circumvents default privacy settings in Apple's Safari browser.
> 
> Google's method of getting around Safari's default blockage of third-party cookies was detailed today in a study by Stanford grad student Jonathan Mayer and in two articles in the Wall Street Journal. One Journal headline calls it "Google's iPhone tracking," but the technique actually works across iPhones, iPads, iPod touches, and desktop computers. After being contacted by the Journal, Google disabled the code that had allowed it to install tracking cookies on Safari, even though the browser is designed to block such cookies by default.


http://arstechnica.com/tech-policy/...tm_source=rss&utm_medium=rss&utm_campaign=rss



> Google was caught last week bypassing default privacy settings in the Safari browser in order to serve up tracking cookies. The company claimed the situation was an accident and limited only to the Safari web browser, but today Microsoft claimed Google is doing much the same thing with Internet Explorer.
> 
> In a blog post titled "Google bypassing user privacy settings" Microsoft's IE Corporate Vice President Dean Hachamovitch states that "When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too? We've discovered the answer is yes: Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies."


http://www.webmonkey.com/2012/02/go...-accepting-tracking-cookies-microsoft-claims/


----------



## RasputinAXP (Jan 23, 2008)

Yeah. Except it's already a non-issue.

http://www.engadget.com/2012/02/20/microsoft-finds-google-bypassed-internet-explorers-privacy-sett/



> As Microsoft explains at some length, Google took advantage of what it describes as a "nuance" in the P3P specification, which effectively allowed it to bypass a user's privacy settings and track them using cookies -- a different method than that used in the case of Safari, but one that ultimately has the same goal...Google isn't the only company that was discovered to be taking advantage of the P3P loophole. Researchers from Carnegie Mellon University's CyLab say they alerted Microsoft to the vulnerability in 2010, and just two days ago the director of the lab, Lorrie Faith Cranor, wrote about the issue again on the TAP blog (sponsored by Microsoft, incidentally), detailing how Facebook and others also skirt IE's ability to block cookies.


Again, it's a non-issue. It has to do with Microsoft trying to force an IE-only web policy down peoples' throats.

And if you want the same info regarding Safari, it's all here. Cookies are the least of your worries.


----------



## The Merg (Jun 24, 2007)

"klang" said:


> RSA SecurID makes the key fobs with the six digit codes most use.
> 
> I used them with a previous employer for VPN access. Currently use one with the bank to access our commercial accounts via the web.
> 
> I suspect we will see them used more frequently in the future for business but I see no need for my personal stuff.


That's who my key fob was from.

- Merg


----------



## dpeters11 (May 30, 2007)

klang said:


> RSA SecurID makes the key fobs with the six digit codes most use.
> 
> I used them with a previous employer for VPN access. Currently use one with the bank to access our commercial accounts via the web.
> 
> I suspect we will see them used more frequently in the future for business but I see no need for my personal stuff.


But after the security breach at RSA, did you get a new fob? Until the ones that were active at that point are replaced, the entire system is suspect.


----------



## bobukcat (Dec 20, 2005)

dpeters11 said:


> But after the security breach at RSA, did you get a new fob? Until the ones that were active at that point are replaced, the entire system is suspect.


I wondered about that breach myself as I use RSA Fobs for my work login (soft token on my laptop) and for a couple customers who provide me with remote VPN access to their systems using keychain fobs. I've never received a replacement for any of them or even a new seed file for the soft token I use, therefore I suspect the breach did not warrant such replacement.


----------



## dpeters11 (May 30, 2007)

I think they basically said to call them, but they might only replace them if they feel the company has higher risk. I'd call them and see about replacement.

http://www.rsa.com/node.aspx?id=3891


----------



## klang (Oct 14, 2003)

dpeters11 said:


> But after the security breach at RSA, did you get a new fob? Until the ones that were active at that point are replaced, the entire system is suspect.


For the older one I left the company before the breach. The one from the bank was only issued a couple months ago. I should be clean.


----------



## Mark Holtz (Mar 23, 2002)

SayWhat? said:


> I wouldn't suggest giving Google any personal information at all nor letting them 'authenticate' anything. They're about to get kicked in the head pretty hard over numerous privacy violations.


The Google Authenticator is specifically designed not to access the Internet. To read in the code, you scan in a QR code which then generates the token needed to log in.

Remember, there are three ways to authenticate a user:

- What the user knows - such as a password or PIN code
- What the user has - such as a physical token
- What the user is - fingerprint or facial biometrics

Anything to better secure my accounts that either deal with money or allow me to receive "Forgot password" or bank statements is very important to me. Two-factor authentication on Facebook? Maybe. Two-factor authentication on dbstalk? Don't think so.
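The post above describes the part of Google Authenticator that works offline: the QR code carries a shared secret, and the app derives the six-digit code from that secret and the current time, so no network access is needed to produce a token. The following is an added example, not code from the thread or from Google's app, showing the mechanism as standardized in RFC 4226 (HOTP) and RFC 6238 (TOTP): parsing a provisioning URI of the kind a QR code encodes, deriving the code with HMAC-SHA1 over a 30-second time step, and the server-side check that tolerates a little clock skew. The `otpauth://` URI, the account name and the base32 secret are constructed for illustration.

```python
"""
Minimal RFC 6238 TOTP implementation (added example, not from the thread).
An authenticator app does the same thing after scanning an enrollment QR code.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed provisioning URI of the kind encoded in an enrollment QR code.
# The account and the base32 secret are made up for this example.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=JBSWY3DPEHPK3PXP&issuer=Example&digits=6&period=30"
)


def parse_otpauth_uri(uri: str) -> dict:
    """Extract label, secret and parameters from an otpauth://totp/ URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = parse_qs(parsed.query)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"][0],
        "issuer": params.get("issuer", [None])[0],
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def decode_base32_secret(secret: str) -> bytes:
    """Authenticator apps carry the shared secret base32-encoded, usually unpadded."""
    padded = secret.upper() + "=" * (-len(secret) % 8)
    return base64.b32decode(padded)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / period)."""
    return hotp(key, at_time // period, digits)


def verify_totp(key: bytes, submitted: str, at_time: int,
                period: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps on either
    side to absorb clock skew, comparing each candidate in constant time."""
    step = at_time // period
    for candidate in range(step - window, step + window + 1):
        if hmac.compare_digest(hotp(key, candidate, digits), submitted):
            return True
    return False


def current_code_from_uri(uri: str, at_time: Optional[int] = None) -> str:
    """What the phone displays: parse the enrollment URI, derive the code for now."""
    info = parse_otpauth_uri(uri)
    key = decode_base32_secret(info["secret"])
    now = int(time.time()) if at_time is None else at_time
    return totp(key, now, info["period"], info["digits"])


if __name__ == "__main__":
    print("current code:", current_code_from_uri(SAMPLE_OTPAUTH_URI))
```

The check uses `hmac.compare_digest` rather than `==` so the comparison time does not depend on how many leading digits match, and the verifier should additionally refuse to accept the same time step twice for one account, which the snippet leaves to the caller's storage layer.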


----------



## dpeters11 (May 30, 2007)

Yeah certainly not needed for here. I figure I need the most security on systems that aren't mine, so that's where I have the most hoops. As long as I have my keys, it's all good.


----------

