Alex ([personal profile] alexbayleaf) wrote in [site community profile] dw_suggestions 2012-09-28 02:49 pm (UTC)

Phew, OK, I am reading a lot of vague miscomprehension about two factor auth in this thread, so I wanted to raise something which nobody here seems to have mentioned.

When you authenticate you usually use something you *know* -- a password -- to prove you are who you say you are. Another option is to use something you *have*. When you go into your apartment, this would be the key to your front door. For online services, it's unlikely to be a hardware key, but more likely to be some kind of software thingy. What sort of software thingies do people typically have in their pockets? Phones!

Now, somehow, you have to show your physical telephone to DW and say "I am holding this phone in my hand". How do you do that? You're in one place, Dreamwidth's servers are in another, and even if they weren't they'd probably have trouble recognising your phone by sight. So, we use some software to prove it.

There are multiple ways to do this.

METHOD ONE, as many people have touched on in this thread, is to get DW to send you a text message. If you receive that text message, then it's a pretty good sign that you're holding that physical phone in your hand. Enter the number in the DW login form, and you've proved it (or near enough).

Now, that number Dreamwidth sends you... they need to make sure that it's decently random, can't be guessed, and also can't be re-used if someone steals your phone. For that reason they usually use something called a "one time password". This means that a) the number they send you can only be used for one login, and b) the number will usually expire pretty quickly if you don't use it. You can read up on one-time password generation (OTPs) here: http://en.wikipedia.org/wiki/One-time_password

The thing is, if you're generating OTPs *anyway*, why bother generating them on DW's side and sending them through? Why not just generate them on your phone? This leads to...

METHOD TWO: you have an app on your (smart) phone which generates one-time passwords to assist in two-factor login. Nobody sends anyone a text message; instead, you just open the app and it generates a password on the spot for you. (Some banks and the like also offer little plastic key-fobs that do the same thing.)

The upside to method 2 is that it works even if you're outside cell-phone reception, change your SIM card (e.g. while travelling, as I am right now), etc. You also don't need to provide your cell phone number to DW/the provider in question.

I guess what I'm saying here is that you don't technically need to provide a cellphone number, or send a text message, to do 2-factor auth. So for those who are saying that integrating with the phone system is expensive, or that they don't want to provide their phone numbers, it's not *technically* necessary.

That said, the whole thing would still be pretty expensive even if you did it via a smartphone app or plastic dongle. Probably the cheapest way to get 2-factor auth on DW would be to allow login using Google or Facebook, effectively outsourcing the 2-factor authentication. I'm not sure how I'd feel about that but "somewhat uncomfortable" would be a good start.
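The one-time passwords described under method two are normally implemented as HOTP/TOTP (RFC 4226 / RFC 6238): phone and server share a secret, the phone derives a short code from it and the current time, and the server recomputes the same code to check it. The following is an added illustration, not code from the original comment or from Dreamwidth; the secret is the RFC test-vector key, and the verify function's drift window and replay set are design choices assumed here.

```python
import hmac
import hashlib
import struct
import time
from typing import Optional, Set

# Constructed demo secret (the RFC 4226/6238 test-vector key), not a real
# credential. A real deployment generates a random per-user secret at enrolment
# and shows it to the phone app once, typically as a QR code.
SHARED_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # how long one code stays valid
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from the clock, so no SMS is needed."""
    return hotp(secret, unix_time // step)


def phone_side_code(secret: bytes) -> str:
    """What the app on the phone does: derive the code from the secret and the current time."""
    return totp(secret, int(time.time()))


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, used: Optional[Set[int]] = None) -> bool:
    """Server side: accept the current step and +/- `window` neighbours (clock drift),
    compare in constant time, and reject any time step that was already consumed,
    which is what makes the password genuinely one-time."""
    used = used if used is not None else set()
    current = unix_time // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if counter in used:
            continue                      # replay of an already-accepted code
        if hmac.compare_digest(hotp(secret, counter), submitted):
            used.add(counter)
            return True
    return False
```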
