Actually, I was talking about the backup method. Happily, that's a list of printable one-time codes. (Obviously, locking you out of your GMail if you lose your phone is not acceptable.)
If I can trick a user into submitting their username and password on my site, I can send a request to Google using that username/password and trigger a message to the mobile application. The user continues with the flow, enters the code on my screen, and I now have access to their account, same as before.
Yes. 2-factor authentication does not address site impersonation.
This is for the more common case of trying to access a user's account without the user's direct involvement. (e.g., if I grabbed lists of common passwords, try to use your password from a cracked site to access an account on google, etc.).
Classify this as "step forward" not "silver bullet".
Except they specifically list anti-phishing as one of the use-cases:
"if you reuse the same password on multiple sites and one of those sites gets hacked, or your password is conned out of you directly through a phishing scam, it can be used to access some of your most closely-held information."
You're right that it helps in cases where all the attacker has is your username and password. However, the blog post overstates the merits of this feature a little bit. ;)
How is this any different than the prior situation?
Now instead of needing to trick a user into giving you their username and password, you need to trick them into giving you their username, password, and one-time token.
It's designed to address situations where the password is discovered by other parties.
Seems to be the same thing with the BlizzAuthenticator. Good idea, but I wouldn't use it. You gotta consider what happens if you loose your phone. You can't do any emergency calls and don't even have access to your saved phone numbers anymore. You're also locked out of your Gmail Account for god knows how long. I like my phone, but a little bit decentralizing can never be wrong :)
I have a relative with a fire proof gun safe in another state. This is a good place for crypto keys, master passwords, etc. For the cost of overnight Fed Ex, I can recover from a disaster.
This is great - and it begs the question why my brokerage and banking accounts don't offer something similar, especially considering I have iPhone apps from both that could be providing the second authentication factor.
BofA uses something similar when transferring funds between accounts--a unique code is texted to a registered mobile device to complete the transfer. It seems feasible that they could extend the technology to logins.
Four or five years ago I did some work with a company that provides online banking web platforms to smaller regional banks. I asked the CEO about 1+1 authentication (at the time in the context of a RSAID type keychain fob device) and he said they'd pitched it but there was no interest from the banks. In their defense, maybe those RSA thingies are just too expensive for consumer accounts, I do know Citi now provides them to business accounts.
OTP's are much more popular with European banks. Companies such as Vasco sell lot's of OTP fobs there. It's gaining traction here in the US as well though.
I've been thinking how you'd do this as a generic application for web apps. A daemon somewhere on the web that resets your password once a day for all the web apps you use to "original password+unique daily code". Then you log in with that code from your phone and your original password.
Very interesting, I assumed someone would be working on something like this. I guess it's a big market, if you can convince bigcos to trust the phone to be secure.
But then you need to have the original password in cleartext somewhere, so I would say that is not the way you do it. I think the way this is more likely to be done is by generating a random token that is broken up into pieces using XOR magic. Each factor in the auth process gives you access to one piece of that token. You combine those pieces back together using more XOR magic and, if your token matches the original token, you can proceed.
I asked this before to the HN community, but I didn't get much feedback; please share your thoughts. How come domain registrars have not developed this eons ago? [+] Isn't that arguably the most critical gateway for a community of web developers? I humbly ask these questions as an amateur and aficionado without any deployed commercial sites, so maybe the pros in here would beg to differ with my paranoia.
[+] Better yet, why doesn’t some HNer take up launching a security-oriented domain registrar? ;-)
It'd be nice they allowed secondary passwords for eg google talk. I don't much care for having to hand out my full credentials just to use things like bitlbee/meebo.
Are these "application-specific" passwords limited in any way? For example, if one of them is stolen without my knowledge, can the attacker fully access my Google account (e.g. account settings, all Google services, etc.)? Obviously it's less likely that one of these passwords will be stolen than passwords, but it's still possible.
From the screenshots (don't have access yet) it seems that you don't get to specify the type of application or access, but I would assume there is some limitation on what you can do with these passwords?
I do hope that you can't get in just by knowing someone's mother's maiden name, though...