How about 2-step verification for important accounts?

For discussions about security.
jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00


#1 Post by jpeps »

Seems like a great idea for protecting Google accounts, requiring codes sent to your phone when trying to gain access from a new computer/device. This should be the standard for credit cards as well... different password for every transaction. It's available for Dropbox also.

Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49

Re: 2-step verification

#2 Post by Q5sys »

jpeps wrote: Seems like a great idea for protecting Google accounts, requiring codes sent to your phone when trying to gain access from a new computer/device. This should be the standard for credit cards as well... different password for every transaction. It's available for Dropbox also.

Two Factor Auth is great, but only if done properly. Done wrong it's no better than single factor.
Example, online credit card transactions usually now require your 3 digit ccv number (the one on the back). That # is used for verifying the information you've given (name, card #, exp date). The idea was to make sure you had the card in hand and not just written down or stole the card info.
That number is NOT supposed to be stored anywhere, I think it's actually in the CC POS Payment Service agreement... But leaked credit card dbases that have been stolen from online retailers have shown a lot of them storing that number in their database. So they've basically made that a pointless

Another problem with 2 factor is that people don't want any hassle. This of course is a delicate balance. Easy enough not to be a hassle on the proper user, but too much trouble for a non user.

I think we'll slowly move into the right direction.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#3 Post by nooby »

And in the fine print maybe one promise that their partners
have the right to use that phone number to alert you when
you walk past the stores that pay for the ads?

Or you can be phoned in the middle of the night
as often as their partners love to do. Sure one can afford
to have an old cell phone that one only uses for banking
or google verification. I most likely have ten such old phones.
I use Google Search on Puppy Forum
not an ideal solution though

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

Re: 2-step verification

#4 Post by jpeps »

Q5sys wrote:
Two Factor Auth is great, but only if done properly. Done wrong it's no better than single factor.
Example, online credit card transactions usually now require your 3 digit ccv number (the one on the back). That # is used for verifying the information you've given (name, card #, exp date). The idea was to make sure you had the card in hand and not just written down or stole the card info.

The difference is that the number isn't stored by the user... it just registers a particular device. It won't work on another device. That's the beauty of it. Similarly with transactions, the code would become instantly useless for another transaction.

nooby wrote:
And in the fine print maybe one promise that their partners
have the right to use that phone number to alert you when
you walk past the stores that pay for the ads?

2 step verification is most likely provided by a third party security service... nobody else gets your phone number, and in itself has zero marketing value in that there isn't any personal info connected with it other than that you exist. Spamming occurs when you give out your personal info on sites that can exploit it for marketing... such as buying a particular product. My phone spams are almost always connected with my business listings... trying to sell me ads, websites, etc.
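
Added example, not part of any post in this thread: a server-side sketch of a code that is bound to one transaction and is useless afterwards, as described above. The class name, the 6-digit format, the 5-minute lifetime and the 3-guess limit are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed validity window
MAX_ATTEMPTS = 3        # assumed number of wrong guesses allowed per code


class OneTimeCodeStore:
    """In-memory store of pending codes (hypothetical; a real service uses a database)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # (user, transaction_id) -> [salt, digest, expires, attempts]

    @staticmethod
    def _digest(salt, user, transaction_id, code):
        # Bind the code to the user and the transaction so it cannot be replayed elsewhere.
        msg = f"{user}|{transaction_id}|{code}".encode()
        return hmac.new(salt, msg, hashlib.sha256).digest()

    def issue(self, user, transaction_id):
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        expires = self._clock() + CODE_TTL_SECONDS
        # Only a salted digest is kept, never the code itself. Six digits can be
        # brute-forced from a leaked digest, which is why the short lifetime matters.
        self._pending[(user, transaction_id)] = [
            salt, self._digest(salt, user, transaction_id, code), expires, 0]
        return code  # delivered out of band, e.g. to the registered phone

    def verify(self, user, transaction_id, code):
        key = (user, transaction_id)
        entry = self._pending.get(key)
        if entry is None:
            return False
        salt, digest, expires, attempts = entry
        if self._clock() > expires or attempts >= MAX_ATTEMPTS:
            del self._pending[key]  # expired or guessed too often
            return False
        if hmac.compare_digest(digest, self._digest(salt, user, transaction_id, code)):
            del self._pending[key]  # single use: a second submission fails
            return True
        entry[3] += 1
        return False
```
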

Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49

Re: 2-step verification

#5 Post by Q5sys »

jpeps wrote:
Q5sys wrote:
Two Factor Auth is great, but only if done properly. Done wrong it's no better than single factor.
Example, online credit card transactions usually now require your 3 digit ccv number (the one on the back). That # is used for verifying the information you've given (name, card #, exp date). The idea was to make sure you had the card in hand and not just written down or stole the card info.

The difference is that the number isn't stored by the user... it just registers a particular device. It won't work on another device. That's the beauty of it. Similarly with transactions, the code would become instantly useless for another transaction.

Well the devil is in the details. Trust me I'm sure some place will come up with a way that it'll be insecure. lol

Side note: I know of one site that if you try to log into the site with a different browser, or even a different configuration, it will prompt you for confirmation of one of your billing address details. It does this after you present the correct password.
It basically does a similar check as this: https://panopticlick.eff.org/
If it doesn't match up to what they have saved in their dbase... they ask you to confirm who you are.
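
Added example, not part of any post in this thread and not the code of the site mentioned: a sketch of the check described above, where a correct password from an unrecognised browser triggers a billing-detail confirmation. The attribute names, the demo key and the function names are assumptions; the browser values are constructed.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # placeholder; load from a secret store in practice
FINGERPRINT_FIELDS = ("user_agent", "accept_language", "timezone", "screen")  # assumed signals


def fingerprint(attrs):
    """Keyed hash of the browser attributes, so the raw values are not stored."""
    canon = "\n".join(f"{k}={attrs.get(k, '')}" for k in FINGERPRINT_FIELDS)
    return hmac.new(SERVER_KEY, canon.encode(), hashlib.sha256).hexdigest()


def login_decision(known_fingerprints, password_valid, attrs):
    """Return 'deny', 'allow' or 'step_up'. The fingerprint is checked only
    after the password, and it never replaces the password."""
    if not password_valid:
        return "deny"
    fp = fingerprint(attrs)
    if any(hmac.compare_digest(fp, known) for known in known_fingerprints):
        return "allow"
    return "step_up"  # unknown browser or configuration: ask for more proof


def complete_step_up(known_fingerprints, attrs, answer, expected_answer):
    """Check the billing-detail answer; on success remember this browser."""
    given = answer.strip().lower().encode()
    expected = expected_answer.strip().lower().encode()
    if not hmac.compare_digest(given, expected):
        return False
    known_fingerprints.add(fingerprint(attrs))
    return True


# Constructed sample browsers for the demonstration.
FIREFOX = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0",
           "accept_language": "en-US", "timezone": "UTC-5", "screen": "1920x1080"}
CHROME = dict(FIREFOX, user_agent="Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0")

if __name__ == "__main__":
    known = {fingerprint(FIREFOX)}
    print(login_decision(known, True, FIREFOX))
    print(login_decision(known, True, CHROME))
```

A browser update changes the fingerprint too, so the legitimate user will see the extra prompt from time to time.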
