maxerickson 207 days ago
Have a look at Yubico Authenticator ; )
internet, which doesn't matter in the typical case but matters a lot in edge cases. Email might be down. SMS might be down. You might not have cell coverage at all. Yubikey only has two slots, and so you can't store unique OATH seeds for more than two sites, right? How many yubikeys do you expect people to carry around? How many sites even implement HOTP rather than TOTP? If every site implementing 2FA
Sadly, portability trumps everything. The thing is, most people will never experience an identity theft. But most people will want to log in to some service from a friend's computer at
I had a talk in 2005 and the person was saying passwords belonged to the past. 2014 and we're still there: Why? We have browserside certificates. Granted they're not sexy. We have logins by email tokens. It would waste everyone's time. They cost money, and serve no purpose other than improving security of logins. Compare to a smartphone running a TOTP app. Most people already have a handheld device, and a TOTP app and setup for a website is a free one time install with one time setup and no ongoing overhead. It also doesn't require working email or even working
yk 207 days ago
> Because passwords qua passwords are not the problem. Imagine one piece of software that a million people have, which provides access to all their banks and mail and websites? How much is the bug bounty for 1Password? I give you the formula: risk occurrence x cost of a leak per user x number of users. That's an entirely different mindset. I said that I don't know how to secure people, at all. Explaining why passwords don't work is evidence in my favor, not a reason why I'm wrong. The problem is, it's not as simple as just "throwing away passwords", you have to actually have a solution. However, the track record on manifesting them is pretty dubious. Those of us with enough technology skills to use things like 2FA are sitting prettier than ever, but frankly we were already the ones that tended to be secure. The evidence that we successfully pushed this out into the real world is pretty lacking. We can't even get website developers to stop requiring us to use 4 digit pins as passwords on our banking sites.
Late Meditations on XKCD 936
"I had a talk in 2005 and the person was saying passwords belonged to the past. 2014 and we're still there: Why?" Because passwords qua passwords are not the problem. The security skill of the median person is. I honestly don't know how to secure people in general, even making the blindingly optimistic assumption of perfectly secure authentication code. 2FA has the problem that to work properly, you must also print off one time use reset tokens and properly keep them. (If you can just reset via an email, well, you just returned back to auth by email account and the second factor is of dubious utility.) Specialized hardware is problematic because it really ought to be open to be secure, but if it's open, it's hard to make enough profit to make it work, and users would still have to do something to properly prepare for losing their token, which is going to be nontrivial. (Login by email tokens, BTW, is not a great idea in general; obtaining an email account fraudulently should not grant you access to everything the user has. That's a problem with the current system, not the solution.)
aragot 206 days ago
How did we get there? By ignoring human nature and geeking out about the technical side of things? It doesn't matter how technically advanced and theoretically secure an auth solution is. If it has certain kinds of usability problems it will never be willingly adopted by a large number of common people. Soon.
jerf 207 days ago
Gregarious device use should sort of be on the decline. It's an order of magnitude better than passwords. But history didn't make them sexy and it's too late to start.
lstamour 207 days ago
implemented challenge for yubikey, then yubikey would be great. However, TOTP is the dominant form of 2FA, and that limits the usefulness of yubikey.
some point. At each login to my bank, I would be asked for 3 of them, plus my password. With this kind of extremely cheap and portable token, I would dare to login even from an untrusted country. I wish a system like Mozilla Persona would gain traction (looking at you Gmail), because it would trigger innovation. There are a lot of better alternatives to passwords and SMS for 2FAs.
aragot 207 days ago