
Stripe adds two-factor auth - pc
https://stripe.com/blog/two-step-verification
======
programminggeek
After being a WoW user, I think two factor auth only works if it is forced on
all accounts.

Here's a scenario that plays out in WoW all the time and it happened to me.
Basically, a user quits playing WoW and their account gets hacked at some
point after they quit. The hacker then turns on 2 factor auth via the WoW
authenticator app. It is now impossible for the original user to log in to the
account or reset passwords. To fix this you must argue and explain with
customer support that the account was hacked and that the 2 factor auth is
preventing you from resetting passwords and such.

So, unless you turn on two factor auth up front for all users, it's going to
actually make it worse for the end user if their account gets hacked. So, like
captchas, it's solving one problem and creating another for the user. I'm not
sure that is the best solution.

~~~
chimeracoder
> To fix this you must argue and explain with customer support that the
> account was hacked and that the 2 factor auth is preventing you from
> resetting passwords and such.

That's not a problem when it comes to Google accounts, though. Maybe Google's
lack of customer support is really a "security feature"!

~~~
programminggeek
Maybe you don't understand. It takes 0 customer support to add 2 factor auth
and lock out the original user. It takes several emails and support requests
back and forth to finally get it sorted out. Also, maybe a few phone calls. If
that happened to your google account, it would be INCREDIBLY unpleasant.

~~~
chimeracoder
I was just making a joke, but I was pointing out that if you have 2FA enabled,
I could (theoretically) call up customer support and try and convince them
that you're the attacker and I'm the legitimate account holder.

~~~
programminggeek
Oh sorry, and yes, you are right. It's kind of a screwed up system either way.

------
nwh
Just a thought regarding 2FA in general.

Why are people manually typing in keys? The authenticated website could just
have an API with a receiving point for a token. A press of a button in a
mobile app would unlock the login form for a short period just like a normal
2FA key, only with typing from the user.

You could use the numerical codes as a backup if the mobile device wasn't
network accessible, but just being able to "push button" authenticate in a
mobile app would make them a lot more usable normally.

Has this already been done, and I just haven't heard of it?

~~~
Osiris
Yubikey is sort of like this. It's a USB key with a small contact on it. It
reports to the OS as a keyboard and when you press the contact it inputs a
very long string of characters followed by an ENTER. So at the 2FA page you
just press the USB key button and you get logged in.

Mt. Gox uses Yubikey for their 2FA.

~~~
nwh
I actually have two around my neck at the moment, I use them for my own
hand-rolled websites. They're convenient, but just being able to push a button
in an app would be even more so. Not to mention, the backend code they supply
on their website is anything but pleasant.

------
alanctgardner2
This is interesting for a few reasons:

1) I'm surprised it didn't happen sooner. There are a few turn-key two-factor
auth solutions, and I expect having this added security is a major benefit for
their customers.

2) I'm surprised they chose to use Google Authenticator. The favourite in this
space seems to be Authy; off the top of my head Cloudflare and DNSimple both
use them. Any thoughts on the pros and cons?

~~~
apawloski
There were concerns raised yesterday [1] about the way Authy backs up tokens.
The founder's comments initially raised some major flags about their crypto
usage [2], but later on they backtracked and indicated that they are in fact
using a logical implementation [3].

The major pro is their seed length, which is significantly longer than Google
Authenticator. The major con is you have to trust that they are using a secure
system.

[1]<https://news.ycombinator.com/item?id=4916983>

[2]<https://news.ycombinator.com/item?id=4917283>

[3]<https://news.ycombinator.com/item?id=4917488>

~~~
alanctgardner2
This looks like it was blown out of proportion. The founder is not involved in
day-to-day technical stuff, and he misspoke. It's not the greatest thing to
happen to a startup, but it hardly invalidates the whole premise. It's
interesting to read that Google's seed length seems to compromise the security
of their offering, since most of the replies here seem to be predicated on the
idea that Google is doing everything right.

~~~
danielpal
This is exactly what happened. Although I am involved in product 100% of the
time, I don't deal with specific implementation details; the engineers
working on the solution deal with that. So I tried to be as truthful as
possible and answer all the questions I could, I simply got some details
wrong. One of the engineers noticed and I rectified my answer.

~~~
blake8086
I'm not trying to be rude, but they weren't "details", they were the
difference between "secure" (which is the service you sell) and "insecure".

~~~
danielpal
Details are really important. That doesn't mean I could possibly handle every
single detail myself, I can't. We have a whole team that handles different
parts of the system and they are fully qualified. In fact the engineers doing
this feature did write the correct implementation. I simply made a mistake
answering the question.

I think people are confusing the Authy Google Authenticator Support with the
Authy product.

We do not sell Google Authenticator or aim to be a replacement for it. We
simply added the possibility to add Google Authenticator tokens into the Authy
App (mostly since our existing clients wanted this).

Our service, its usage, etc. are completely separate. If you are not using
Authy you can simply use the Google Authenticator App.

The only thing in common is we both use RFC 6238, which is an open standard for
time-based OTPs.

------
rdl
Ugh, please expose the code/seed and not just the QR code. (I usually put the
code into a couple of devices manually, vs. one)

Also, let administrators enforce 2fa on all users of an account, and/or see
the status of all users of the account. Also being able to enforce password
complexity requirements would be nice, but 2fa might be sufficient.

------
skadamat
2 Factor auth really sucks in its current form.

A few peeps from my university started Toopher though, looks promising -
<https://www.toopher.com> , since it leverages your phone

~~~
harshreality
2-factor has a lot of forms, from trusted third party (authy, duo security,
etc) to non-networked app (OATH implementations like google authenticator) to
smartcards as part of a PKI, to dedicated hardware tokens (RSA/EMC tokens).

They do not suck. Which one is best for a particular need depends on the
service and the user.

Toopher's location awareness looks like an incremental improvement on services
like Duo. However, it still depends on a third party (Toopher) in addition to
the Toopher-enabled website and the user, and it additionally depends on the
device having internet connectivity and having location information (GPS, or
rough location from cell towers). Some applications cannot rely on a third
party; they only want to require trust in the application servers themselves
and the user's device, and not trust of third parties (Duo, Authy, Toopher) or
network access (internet, SMS). In those cases you need an OATH app like google
authenticator, or a hardware token, or, if you don't want to support mobile
access, perhaps smartcards as part of a PKI.

The problem with hardware tokens, which are arguably the most secure, is that
they don't scale well: you need one per application, and the marginal cost for
each one is not trivial. That's fine if you only need one to access your
employer's VPN; the employer decides the cost is worthwhile, and one thing on
your keychain is not a big deal. If you need another one for your bank,
another for your primary investment account, another for your
employer-sponsored IRA, another for AWS, and on and on, pretty soon you need a
man-purse to carry them all, and the services that offer them have to absorb
the hardware costs somehow. Either the risk mitigation has to make the costs
worth it, or else the service will pass on the costs to you, the customer, in
some way.

