sircaliban: (Default)
sircaliban ([personal profile] sircaliban) wrote in [site community profile] dw_suggestions2012-09-25 11:31 am
  • Add Memory
  • Share This Entry
Entry tags:

2 factor authentication

Title:
2 factor authentication

Area:
improvement to login

Summary:
Create a 2 factor authentication option. The user would login with the password, and then the server would sent a code to a cell phone. The user would then enter the code to verify that they are trying to log in and it's not someone trying to hack into the account.

Description:
This would of course only be necessary for when users are connecting from unknown networks or networks they have not connected to from before. Once logging in, the user would have the option to 'trust this computer', so subsequent authentication requests would not have to got through this option.

Yahoo, Google and Facebook all off similiar functionality.

ETA: I see this option as being 'opt-in', if you opt-in, then the system will ask you for an additional code. The code is generated via something you have (cell phone, hard token, soft token).

Poll #11749 2 factor authentication
Open to: Registered Users, detailed results viewable to: All, participants: 72

View Respondents

This suggestion:

View Answers

Should be implemented as-is.
10 (13.9%)

Should be implemented with changes. (please comment)
15 (20.8%)

Shouldn't be implemented.
35 (48.6%)

(I have no opinion)
10 (13.9%)

(Other: please comment)
2 (2.8%)

Flat | Top-Level Comments Only
erik: A Chibi-style cartoon of me! (Default)

[personal profile] erik 2012-09-28 02:45 pm (UTC)(link)
I'm not against—and may even be for—two-factor authentication. But I think this form of it is clunky.

I have heard of someone using a QR code. as part of the login process, You scan the QR code with your phone and it takes you to a page (in your phone's browser) that checks a cookie previously set (in your phone's browser) (or checks the phone number against your stored phone number) that authenticates you. So you never enter your password on the foreign PC.

I can imagine all sorts of variations on that theme that would use a smartphone client app to do the authentication. There probably already exist 3rd-party apps to do that work, if DW didn't want to. I know there's an RSA app, for instance. (which would have the advantage that people who wanted two-factor authentication but had no mobile could buy an RSA token....)

But it should definitely be opt-in. Not everyone has a smartphone, or even a mobile phone at all, and not everyone is so concerned about security.
Edited 2012-09-28 14:46 (UTC)
sophie: A cartoon-like representation of a girl standing on a hill, with brown hair, blue eyes, a flowery top, and blue skirt. ☀ (Default)

[personal profile] sophie 2012-11-09 11:06 am (UTC)(link)
I really like the QR code idea. If implemented properly (including just giving the URL in plain text at the same time - unlinked, of course), that'd be pretty neat.

[edit: However, it does require a data connection, which may be an issue.]
Edited 2012-11-09 11:08 (UTC)

[personal profile] thomasneo 2012-11-10 04:03 am (UTC)(link)

3 reasons why using QR codes is a bad idea

First, not everybody owns a camera phone.

Second, not everybody who owns a camera phone has a QR reader application installed.

Third, two factor authentication shouldn't be exclusive to just the people who own camera phones and have QR reader applications installed.

sophie: A cartoon-like representation of a girl standing on a hill, with brown hair, blue eyes, a flowery top, and blue skirt. ☀ (Default)

[personal profile] sophie 2012-11-10 10:38 am (UTC)(link)
That's why I also said "(including just giving the URL in plain text at the same time - unlinked, of course)".

[personal profile] thomasneo 2012-11-10 03:54 pm (UTC)(link)
What about those people who don't use a mouse to surf? Or those people who use keyboard-based assistive programs to surf? Isn't this penalizing them?
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2012-11-10 04:00 pm (UTC)(link)
Our accessibility guidelines have always been "make things as accessible as possible and provide several alternate methods of access and workarounds for common accessibility-based use cases", not "make the experience identical for people using all forms of assistive technology"; the latter is impossible.

At some point you have to say that something is "good enough".

[personal profile] thomasneo 2012-11-10 05:47 pm (UTC)(link)
I'm afraid you got me wrong. I didn't say anything about making the experience identical for everyone; I was just saying how unlinkable URLs might penalize (inconvenience) those who don't use mouse or use only keyboard-based assistive programs to surf.

Making the URLs unlinkable, as suggested by sophie, doesn't seem to me like it's going to make things as accessible as possible for everyone. Rather, I think it's going to make things more inaccessible to those who need it. For instance, tabbing from the keyboard won't work if the URL is not linked in the first place.

With that said, I think one can only say something is "good enough" when one has tried and exhausted every option to make it better. The keyword here is better. Taking away links from URLs doesn't seem to me like it's making it better, so I don't agree that her suggestion is "good enough".

Anyway, this are just my thoughts. No personal attack intended. :)
Edited 2012-11-10 17:48 (UTC)
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2012-11-10 06:30 pm (UTC)(link)
...I think there is a disconnect here. [personal profile] erik and [personal profile] sophie are not discussing visiting a link on the computer it is being displayed on, but on a previously-authorized device. Given the proposal being discussed here, the reason for making the link unclickable is to indicate to everybody that they shouldn't follow the link on that device, but on the device they'd previously authorized.

[personal profile] thomasneo 2012-11-10 06:41 pm (UTC)(link)
Ahh... Now that makes sense. :)

For a while, I was thinking "is DW nuts?". But never mind that.

Thanks for the clarification.

<3
sophie: A cartoon-like representation of a girl standing on a hill, with brown hair, blue eyes, a flowery top, and blue skirt. ☀ (Default)

[personal profile] sophie 2012-11-10 05:10 pm (UTC)(link)
Not as much as you may think. It's quite possible to select text using the keyboard if you have a good screen reader like JAWS or NVDA, and sighted people who don't use mice also normally have access to keyboard navigation controls in their browser. (In Firefox or Internet Explorer, for example, try pressing F7 to turn Caret Browsing on. This might work in other browsers too, but I haven't tested it.)

This isn't to say it's a perfect method, and DW certainly shouldn't be relying solely on that, because DW can't (and shouldn't) dictate what browser, assistive tools, etc. their users use, so thank you for bringing it up. Suggestions is all about brainstorming ideas, and this is exactly the sort of thing that makes DW better. :D
azurelunatic: Vivid pink Alaskan wild rose. (Default)

[personal profile] azurelunatic 2012-11-09 02:12 pm (UTC)(link)
The RSA app for Android is pretty nice.
Flat | Top-Level Comments Only