Quoting Andrew Morgan <mor...@orst.edu>:
I'm not sure where you are getting your information from - unless you think Google's 2-step verification via a cell phone is not actually 2-factor authentication? Since a hacker won't have access to your phone, they cannot retrieve the one-time PIN generated by Google and sent to your phone.
I didn't say this wasn't 2-factor authentication. Of course it is. But what does that mean? 2-factor authentication in and of itself doesn't imply any sort of additional security.
AFAICT, with Google's system you could have a password like "password". You then get a PIN such as "123456". So your password essentially becomes "password123456". Don't see how this is any different than forcing a user to have a password of at least 12 characters, and having this password expire every 30 days.
Especially since almost every sane user is NOT going to have the PIN sent to them on every email access. They are going to have the PIN sent to them once every 30 days. (I will say that having the PIN sent every time is similar to the RSA keyfob security method, although not as secure since the PIN has to be delivered via the cellular network).
Not to mention that if you REALLY care about security, you're not going to have Google host your data anyway.
Sending an SMS message to an arbitrary cell phone number is hard though. Most providers have email-to-SMS gateways, but that requires getting more information from the user than just their cell phone number. You need to know their carrier in order to lookup the email gateway from a list, or the user must provide the full email-to-SMS gateway email address for their phone. Sending "real" SMS messages requires getting a special cell card from a carrier and signing a contract saying how many messages you'll be sending.
You simply can't require SMS for anything. Cell service is not universal. And plenty of people don't have SMS, because of cost (e.g. my parents) or because of technical reasons (I have friends who work in the finance industry who, because of SEC regulations, are not allowed to receive SMS messages).
It seems to me that a OTP system is preferable to any kind of system that requires an additional network. Especially with the prevalence of smartphones, it is trivial for a user to carry around the pad (which used to be the limiting factor in implementing). It implements no further requirements than Google's 2-factor system since both require a phone, and has the additional bonuses of being easier to implement and, if implemented correctly, 100% secure.
My point being that at a practical level, you can provide secure passwords easier/more reliably by enforcing appropriate password policies rather than by adding additional levels to the process.
michael ___________________________________ Michael Slusarz [slus...@horde.org] -- imp mailing list Frequently Asked Questions: http://wiki.horde.org/FAQ To unsubscribe, mail: imp-unsubscr...@lists.horde.org
