"in use for over a decade"
Much, much longer than that. I remember dragging around a SecurID credit-cardy thing in 1994 and various un*x tools have implemented OTP for at least 25 years...
Dropbox has followed through on an earlier promise and is rolling out two-factor authentication for its Windows, Mac, and Linux users. In July, the company pledged to the move after a bunch of its customers had their accounts hijacked and used to send vast quantities of spam for gambling websites. Dropbox blamed the security …
...if you don't have a mobile phone or any other way to perform an out-of-band authentication? I think this was one reason TFA didn't become practical in the consumer sphere until recently. Until most people had cell phones capable of SMS, it was difficult to determine if a person had a means to accept an out-of-band authentication. And before you say the telephone, back then long distance calls involved some money, and some people even then tend to screen or otherwise resist always picking up the phone for fear of attracting salesmen, scammers, or other people who may be interested in live targets.
>TFA didn't become practical in the consumer sphere until recently
Not at all. My bank here in Norway uses two factor authentication with printed one time pads by the simple expedient of sending me a credit card sized printed one time pad in the post. When I log in the web site asks for a specific one of the numbers in addition to my id number and a password that I can set myself. When it has used about two thirds of them it sends out a new pad.
Now I can also ask it to send send a time limited one time code as a text to my registered mobile so I can use either and I don't need to be concerned about not being able to log in if my mobile is not available.
Downvoted for trying to make out that something so simple can only be made practical by the application of high technology.
I totally agree with you. I keep my phone number private, it is only being used to receive calls in case of an emergency situation at the school where my son is a student. The rest of the world is welcome to call me on my regular land line phone. So this stuff should be opt-in for those who value their cloud stuff more than their privacy, unless of course mobile phone providers would be so kind and reduce their prices so I can afford to pay for a second mobile phone solely dedicated to this task. Besides that, whenever I'm at home, I put my mobile phone away and I'm too lazy to fetch it just to be able to login to gmail. Also since I don't really enjoy Google tracking me, I prefer to logout from gmail as son as I've done reading/replying which means I would have to receive a dozen messages a day.
To those who do not agree, yeah I understand and I assume the risk.
I have a serious problem with privacy concerns handing out my phone number to Google.
I really wish they would let me create a private/public key pair for authentication purposes. This would be far more useful than a phone number that a) should be private and b) may not work overseas.
I just turned on two factor authentication on my own Dropbox account and did so without a text message being necessary. I already installed the Google Authenticator on my phone and use it elsewhere, Dropbox can use that too. No need for mobile coverage to get a verification code.
Dropbox also provides an mobile app that can generate two factor codes for you. And Google does the same. The App functions very much like a a SecureID token. You need to establish the initial seed, and then it just calculates new numbers every 5 minutes.
Also, you are logging into Gmail, but worried about the privacy of your phone number? That doesn't make any sense. Phone numbers are less trackable than IP addresses. Especially, since SMS to non-mobile numbers is available.
This post has been deleted by its author
It appears that the benefit of 2-factor authentication is broadly recognized, not the least because OTP can now be sent to smart phones by SMS at very low costs. The benefit is indeed remarkable when the users are in the indoor environment. Is the benefit the same when the users are in the outdoor environment?
What can be relied upon in a dangerous environment can be relied upon in a safe environment, but we cannot say that the reverse is also true. I mean that the indoor environment is relatively much safer than the outdoor.
Some banks tell us that it is a “mistake” to carry a bank card together with a paper with the PIN on it. Then it should also be a mistake to carry a mobile computer, tablet or phone together with a paper with the password on it. Replace such a paper with a token generating OTP or a phone receiving OTP, and what conclusion do you think you would reach?
The PIN/password on a paper proves the identity of the paper, not the identity of the person who holds the paper. OTP generated on a token proves the identity of the token, not the identity of the person who holds the token. OTP received on a phone proves the identity of the phone, not the identity of the person who holds the phone. The structure is the same in all of them.
Those banks abovementioned may be wrong in using the word “mistake”,, but we could at least learn that the 2-factor authentication in the outdoor environment is not as beneficial as in the indoor environment, and that, in the outdoor environment, what matters most is the security of remembered PIN/password rather than the reliability of a paper with PIN/password on it or a token generating OTP or a phone receiving OTP.
Whether or not we use OTP-generating/receiving tokens/phones, it should still be imperative to enhance the remembered password itself if we want the safe cyber-life in the outdoor environment.
From the article: "In July, the company pledged to the move after a bunch of its customers had their accounts hijacked and used to send vast quantities of spam for gambling websites"
Is this correct? I understood it was merely a spreadsheet containing a list of customer email addresses which was leaked from within an employee's Dropbox.
I use Two-Factor Authentication across a lot of my accounts. I feel a lot more secure when I can telesign into my account. If you have that option available to you use it, it is worth the time and effort to have the confidence that your account won't get hacked and your personal information isn't up for grabs. I'm hoping that more companies start to offer this awesome functionality. This should be a prerequisite to any system that wants to promote itself as being secure.
Biting the hand that feeds IT © 1998–2020