Denise ([staff profile] denise) wrote in [site community profile] dw_suggestions 2012-09-28 06:09 pm (UTC)

Re: Possible alternative

That helps you to be sure you're entering your data on the bank's website, and not on a clever phishing site that looks like your bank's site but is actually that of some horrible scammy spammer -- it doesn't do anything to reassure the *site* that you are the person who actually belongs to the account.

Basically, the point of two-factor authentication is to combine something you know (your password) with something you have (access to the phone that just got the code texted to it, access to a dongle that generates unique keys, possession of your own retinal scan/fingerprint/etc). That way, if someone gets your password, which is pretty easy to do in a bunch of cases, they hit the second step in authentication and can't complete it, and therefore they can't get into your account. Under a system like this, you can generally authorize individual computers as "known", so (for instance) if you log in regularly on your home computer, your work computer, and your iPad, you would only have to authorize each device once and subsequent logins on that device wouldn't need the second authentication factor, just your password.

But if you fly halfway around the world (or even walk around the block) and try to log in on a computer in an internet cafe, that could be you doing it, or it could be somebody nefarious trying to get into your account for awful purposes -- I've had people break into some of my accounts on various sites before, despite being incredibly paranoid about account security. So, on a site that offers two-factor authentication, if you're trying to log in on a computer you've never logged in on before, two-factor authentication kicks in, and you have to provide not only the something you know, aka your password (which, again, can be easy for somebody to find out), but also the something you have (a telephone to get the text with the one-time auth code, the dongle that generates one-time unique keys, your own eyeball for the retinal scan, etc), and that makes it way more likely that the person who's logging in on this strange new computer is actually you.

Basically, the picture-thumbnail method is designed to reassure you that the site you're logging into is actually the site you mean to be logging into, by showing you something that (theoretically) only you and the site both know and a third-party faker can't. Two-factor auth is designed to reassure the site that you really are you, and not just somebody who happens to know your password (which could be anybody).

Does that make a bit more sense?
