Hacker News new | ask | show | jobs
by IgorPartola 4154 days ago
This is a horrible practice. You are trying to implement two factor auth, but with a static second factor that will not be considered private by most users. It is a huge burden on them to remember, and is providing you with dubious security at best, and actually providing a vector of attack at worst. Please don't do this.
1 comments
MarkMc 4154 days ago
Yes, it is two factor authentication with a static second factor that will not be considered private by most users. And yes, a 'real' two-factor authentication mechanism would provide better security.

Unfortunately, due to market competition many websites simply cannot require 'real' two-factor authentication for all users. Here are the steps I would need to provide to my father to register for a typical '30-day free trial':

  1) Go to website.com and click 'Register'
  2) Enter your email address
  3) Think of a password and type it 
  4) Click 'I agree'
  5) Click 'Register'
Here are the steps I would need to provide to my father to register on a website for a free trial with 2-factor authentication using the Google Authenticator app:

  1) Go to website.com and click 'Register'
  2) Enter your email address  
  3) Think of a password and type it 
  4) Click 'I agree'
  5) On your phone, press the 'Play Store' or 'App Store' icon
  6) Press the 'Search' icon and search for 'Google Authenticator'
  7) Press 'Install' and wait for it to install (if you have an iPhone the install button might look like a little cloud icon)
  8) Press 'Open' to open Google Authenticator
  9) Press the 'Menu' button which looks like three dots in the top-right corner of the phone screen
  10) Choose 'Scan with barcode'
  11) Point the phone at the computer screen as though you were going to take a photo of the barcode on screen. 
  12) Wait for the phone to register the barcode, then enter the number shown on your phone into the website form
  13) Click 'Register'
Even with all these steps laid out for him, my father would probably find it extremely frustrating to get to step 13.
link
stef25 4154 days ago
You could do it for him. Google Authenticator is great. My bank uses 2FA but it's on some fiddly little calculator device that I never have with me.

Some sites (Coibase) do 2FA with text message which is also great.

link
seriocomic 4154 days ago
> My bank uses 2Fa but it's on some fiddly little calculator device that I never have with me.

I left my bank for this very specific reason (HSBC Aust)

Grrr

link
dingaling 4154 days ago
Conversely I stay with my bank ( Nationwide ) because they use the device...
link
learnstats2 4154 days ago
Your bank has not done this for your benefit and it hasn't done it in a way that benefits you. They've done it to pass on (to you) the liability for any fraudulent activity.

From http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf:

"We reverse engineered the UK variant of card readers and smart cards and here provide the first public description of the protocol. We found numerous weaknesses that are due to design errors such as reusing authentication tokens, overloading data semantics, and failing to ensure freshness of responses. The overall strategic error was excessive optimisation. There are also policy implications."

"The move from signature to PIN for authorising point-of-sale transactions shifted liability from banks to customers; CAP introduces the same problem for online banking. It may also expose customers to physical harm."

Meanwhile, I switched to a bank that uses SMS as a second factor and only where it's necessary: I don't need to use an inconvenient calculator.

link