Ask HN: Why no 2-factor authentication for web apps? - gstar

More and more I find myself keeping data on webapps (like gmail) that is really sensitive.  I don't doubt that someone could successfully impersonate me or steal my identity if they shoulder surfed my password and had intent.

Why is there no open and easy to implement 2-factor authentication system?  Is it just because nobody has built one and championed it?

Obviously this won't work on Gmail unless Google implemented it - but maybe this could be the killer app for OpenID (yeah right).
======
wmf
Yep, with OpenID _you_ can choose to use stronger auth. Somebody from Vidoop
said they want to give away tokens; I wonder how that's going.

------
cperciva
Some banks -- mostly in Europe -- have started using two-factor
authentication. But so far the biggest problem with "something you know and
something you have" is an unavoidable one: "something you have" costs money.

~~~
gstar
Yes, I use Barclays and have one of their nifty chip and pin devices.

What if the "something you have" was your mobile phone?

~~~
bd
My bank sends me SMS with a PIN code when I log in. But they are in the
process of replacing the system with a card reader that reads your debit card
(smartcard with a chip).

~~~
thwarted
Are you supposed to use this card reader from your computer at home? The SMS
with a PIN seems more secure AND more usable, and has the added benefit that
you get notified if someone else tries to log in to your account.

~~~
bd
It's a small calculator-like device, more or less the size of the credit card.

Their reasoning for why it's supposed to be better than SMS:

a) you are not dependent on a third party (mobile phone operator), so that you
couldn't access your account when there is no coverage, or your battery is
dead, etc;

b) with SMS you get authorization once per session, with card reader each
transaction gets unique authorization (you have to enter the transaction details
twice - online and in the reader). So even if somebody "listens in" to your
traffic, they would just be able to replay your actions exactly, not use your
credentials to do their actions.

This layer of protection also exists for the SMS solution, but it's limited as
they use a printed grid of codes for additional authorization of transactions.
So that in principle if somebody hijacks your traffic for a long enough time,
they would be able to reconstruct your static grid of codes. Or they could
phish you into giving your codes (it did happen, there is a big red warning on
their homepage).
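The difference bd describes in point b), as an added illustration that is not part of the thread or of any bank's real scheme: a code computed over the re-typed payee and amount (plus a bank-issued nonce) is worthless for a different transaction, and with nonce tracking on the bank side even an exact replay is rejected. The symmetric HMAC key, the 8-hex-digit code length and the nonce format are constructed assumptions; a real chip-and-PIN reader derives its key from the card.

```python
import hashlib
import hmac
import secrets

# Constructed key. Assumption: the reader and the bank share a symmetric HMAC
# key; a real EMV-CAP reader derives its key from the debit card's chip.
DEVICE_KEY = bytes.fromhex("0f" * 32)


def transaction_code(key: bytes, payee: str, amount_cents: int, nonce: bytes) -> str:
    """Reader-style code: an 8-hex-digit MAC over the payee and amount the user
    re-types into the reader plus a bank-issued nonce. A per-session SMS OTP
    would omit payee/amount/nonce, which is why it cannot bind a transaction."""
    msg = f"tx:{payee}:{amount_cents}:{nonce.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


def bank_verify(key: bytes, payee: str, amount_cents: int, nonce: bytes,
                code: str, used_nonces: set) -> bool:
    """Bank-side check: recompute over the details actually submitted and
    refuse a nonce that has already been spent, so even an exact replay fails."""
    if nonce in used_nonces:
        return False
    expected = transaction_code(key, payee, amount_cents, nonce)
    if not hmac.compare_digest(expected, code):
        return False
    used_nonces.add(nonce)
    return True


def demo() -> dict:
    """What an eavesdropper who captured one code can and cannot do with it."""
    used: set = set()
    nonce = secrets.token_bytes(8)  # issued by the bank for this one transfer
    # User reads "100.00 to Alice" off the screen and types it into the reader.
    code = transaction_code(DEVICE_KEY, "Alice", 10_000, nonce)
    return {
        # Same code submitted with a different payee: MAC no longer matches.
        "altered_payee": bank_verify(DEVICE_KEY, "Mallory", 10_000, nonce, code, used),
        # The user's own transfer goes through once.
        "genuine": bank_verify(DEVICE_KEY, "Alice", 10_000, nonce, code, used),
        # Identical transfer resubmitted: nonce already spent.
        "exact_replay": bank_verify(DEVICE_KEY, "Alice", 10_000, nonce, code, used),
    }


if __name__ == "__main__":
    print(demo())
```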