
Mailchimp offers 10% discount for using 2-factor security - dpeck
http://blog.mailchimp.com/new-subscriber-profile-pages/
======
Samuel_Michon
Note that this is not a new service, but the discount percentage has been
increased:

 _“Previously, we gave a 2% discount, which was probably only significant for
high volume senders. 10% makes it significant for everybody.”_

However, I'm still not doing it – too much hassle. Instead, I just have
1Password create unique passwords for each service I use and change the
passwords once in a while.

That said: I'm a satisfied MailChimp customer and I really appreciate that
they continue to improve their service.

~~~
r00fus
The cyclical password change for my dozens of accounts would be a constant
pain. Some of these accounts also need to be used on mobile devices where
1Password doesn't auto-fill (i.e., iPad). Add to that sharing certain of these
accounts with spouse/family and you have serious friction to constant
credentials updates.

~~~
pavel_lishin
The LastPass app on mobile devices worked great for me; true, it doesn't
auto-fill, but copying and pasting the passwords is fairly painless.

And I think LastPass also supports multiple Identities, though I'm not sure
how that works.

~~~
evilduck
LastPass for iOS will do autofill if you browse _through_ their app. It's not
the best UX, but it's nice for when you just need to check something and
aren't doing a lot of heavy browsing.

------
benchestnut
MailChimp founder here. Here's a little back story to Alter Ego, since it does
tend to confuse people. There was a time, not long ago, when email providers
were under attack and suffering from some major breaches
([http://www.cauce.org/2011/04/epsilon-interactive-breach-the-...](http://www.cauce.org/2011/04/epsilon-interactive-breach-the-fukushima-of-the-email-industry.html)).
It's hard to describe the feeling of
helplessness when you watch industry peers get systematically attacked like
that. We wanted to do whatever we could to prevent that by providing 2FA
protection to our customers. We researched RSA and other solutions. It seemed
way too costly to ship key fobs to millions of users (our larger users could
afford it, but not our vast majority of small business users, who are the ones
who need the most help w/security). Still, we ordered the RSA hardware and
fobs to try it out. While the equipment was all en route, RSA was breached
(<http://blogs.rsa.com/anatomy-of-an-attack/>). To be safe, they told us we
had to wait for new hardware to be re-issued. There's that feeling of
helplessness again. We decided not to wait, and to just roll our own 2F app
because we could make it free and easier than most (2 critical requirements
for our SMB user base).

It's important to note that Google Authenticator wasn't yet open for
integration (trust me--we badly wished for it). There were only rumors that
they might open it up, and frankly, we couldn't wait for them to decide. Now
we all know that it's been opened up, which is nice. And fwiw, in the next
couple days we'll be announcing support in Alter Ego for Google Authenticator
and Yubi Key pass-through.

Someone mentioned Duo. That's an impressive app. We didn't know it existed
until after we launched AlterEgo (their CEO introduced himself in the comments
when we launched AlterEgo). I was blown away by what a thorough app it was.
Still, it wasn't "free enough" for our users (Gasp! How _dare_ they charge
money?!?). Remember, we wanted maximum usage, so it was important to make a
free app. We could theoretically and happily do a pass-through integration for
Duo users too.

Someone mentioned the uncertainty of relying on a Google service, considering
Google's recent "spring cleaning" of Google Reader. Roughly around the time we
launched AlterEgo, I don't remember all that much spring cleaning going on at
Google, so I can't say we had concerns they'd kill their 2FA service. I
vaguely recall them deprecating the Google Translate API (which we heavily
relied on) and I _vividly_ remember them sending us a ginormous bill for using
their Maps API. Larry Page hadn't yet made his "more wood behind fewer arrows"
statement, but the writing was on the wall that we can't all just feast off of
Google's generosity and altruism forever. So at that time, I think we were
more concerned about Google eventually charging us for the service (God
forbid, right?). If we had even tens of thousands of users activating, that
would be a bit expensive.

Hope that explains things.

~~~
ProblemFactory
> Someone mentioned the uncertainty of relying on a Google service,
> considering Google's recent "spring cleaning" of Google Reader.

Google Authenticator is not a service that Google _can_ even shut down. It's
an open-source implementation of open standard protocols.

You install a library + a few tens of lines of code on your server, and users
install the app on their phone. After this, no Google server or service is
ever touched in the authentication process.

Even if Google decides to pull the app from the store, it's open source: you
can build it from source and put a copy up yourself.
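
To make the "library + a few tens of lines of code" concrete, here is an added illustration of what the server side of a Google Authenticator-compatible login actually is. It is not code from the thread, from MailChimp, or from the Google Authenticator project: it is a plain implementation of HOTP (RFC 4226) and TOTP (RFC 6238) in Python's standard library, plus the otpauth: provisioning URI the app scans from a QR code. Nothing in it contacts any remote service; the only shared state is the secret, which the server stores and the phone app holds. The account and issuer strings are made-up examples, and the 20-byte RFC test secret is used only so the output can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits."""
    msg = struct.pack(">Q", counter)              # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: TOTP is HOTP with the counter set to floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30,
                window: int = 1, digits: int = 6) -> bool:
    """Accept the code for the current step or +/- `window` steps of clock skew.

    Comparison is constant-time. A production server should also record the
    last accepted counter per user and refuse anything at or below it, so a
    captured code cannot be replayed inside the window.
    """
    if at is None:
        at = int(time.time())
    counter = at // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return True
    return False


def new_secret(nbytes: int = 20) -> bytes:
    """Per-user shared secret; 160 bits matches the SHA-1 HMAC block size."""
    return os.urandom(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """Key URI the phone app scans (the Google Authenticator wiki's 'Key Uri
    Format'); the secret is base32 without padding, as the app expects."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={b32}"
            f"&issuer={quote(issuer)}&digits=6&period=30")


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret; a real deployment calls new_secret().
    rfc_secret = b"12345678901234567890"
    print(provisioning_uri(rfc_secret, "alice@example.com", "ExampleApp"))
    print("code at t=59:", totp(rfc_secret, at=59))          # 287082 per RFC 6238
    print("verify:", verify_totp(rfc_secret, "287082", at=59))
```

The whole exchange is HMAC over a counter both sides can compute, so "Google shutting the service down" has no meaning here; the risk that does exist is the secret store on the server, which deserves the same protection as the password hashes.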

~~~
Create
Current Version of the Android app is now proprietary and it isn't clear
whether the source code repository will be getting any more updates.

------
smileysteve
It had me until Alter Ego. Why not just use Google Authenticator?

~~~
uptown
See Google Reader. When you create your own solutions, you don't have to worry
about somebody else changing the rules down the road.

~~~
spindritf
Google Authenticator is open source[1] and implements a standard.

[1] <https://code.google.com/p/google-authenticator/>

~~~
signed0
Google Authenticator is also used by Amazon for AWS and LastPass.

------
dave1010uk
The idea of rewarding customers who behave in a responsible way is very
interesting. I'm tempted to see if we can offer discounts to users who use a
password with high entropy. Do any other SaaS or ecommerce sites do anything
like this? I recall one site adding an "IE tax" (rather than offering a
Firefox / Chrome discount). Trying to think if there's any other metrics that
could be used to apply discounts.

~~~
MichaelApproved
How important is a high entropy password for web services that properly encode
passwords and limit brute force attempts? It's my understanding that the
biggest issue is stolen passwords or captured login cookies that cause the
most problems.

I'm genuinely curious to hear the argument.

~~~
tnorthcutt
It's probably fairly common that $high_entropy_password !=
$password_used_elsewhere.

In other words, if a user uses a high entropy password, there's a better
chance that they're not reusing it elsewhere, thus improving security.

~~~
MichaelApproved
Not that common for me. I know several users who have 1 simple & 1 complicated
password that's used depending on the site's requirements. Those two passwords
are used repeatedly.

------
pbreit
I hate having to enter a second, email/sms-delivered passcode EVERY time I log
in. Salesforce's cookie-based approach is much more humane.

------
tylerhowarth
Will this discount apply to Mandrill?

------
PixelPusher
Sweet, mailchimp and newrelic are becoming invaluable in our tech stack.

