2 factor authentication
Title:
2 factor authentication
Area:
improvement to login
Summary:
Create a 2 factor authentication option. The user would log in with the password, and then the server would send a code to a cell phone. The user would then enter the code to verify that they are trying to log in and it's not someone trying to hack into the account.
Description:
This would of course only be necessary when users are connecting from unknown networks or networks they have not connected from before. Once logged in, the user would have the option to 'trust this computer', so subsequent authentication requests would not have to go through this option.
Yahoo, Google and Facebook all offer similar functionality.
ETA: I see this option as being 'opt-in': if you opt in, then the system will ask you for an additional code. The code is generated via something you have (cell phone, hard token, soft token).
This suggestion:
Should be implemented as-is.
10 (13.9%)
Should be implemented with changes. (please comment)
15 (20.8%)
Shouldn't be implemented.
35 (48.6%)
(I have no opinion)
10 (13.9%)
(Other: please comment)
2 (2.8%)
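The flow the suggestion describes (opt-in, a code sent after the password check, and a 'trust this computer' option), sketched as an added example; this is not Dreamwidth code. The class and method names, the cookie-based trust token, the 5-minute code lifetime and the attempt limit are all assumptions, and delivering the code to the phone is left to the caller.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300      # seconds a sent code stays valid (assumed value)
MAX_TRIES = 5       # wrong guesses allowed per code (assumed value)

def _h(value):
    # Hashing gives fixed-length ASCII, so any user input can be compared safely.
    return hashlib.sha256(value.encode()).hexdigest()

class SecondFactor:
    """Hypothetical server-side state for the opt-in second step."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.opted_in = set()    # accounts that enabled the feature
        self.pending = {}        # user -> [code hash, expiry time, tries left]
        self.trusted = {}        # user -> hashes of 'trust this computer' cookies

    def after_password(self, user, cookie=None):
        """Run once the password check has passed.
        Returns (status, code); the caller sends code to the user's phone."""
        if user not in self.opted_in:
            return "logged_in", None
        if cookie and _h(cookie) in self.trusted.get(user, set()):
            return "logged_in", None          # previously trusted computer
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = [_h(code), self.clock() + CODE_TTL, MAX_TRIES]
        return "code_required", code

    def verify(self, user, code, trust_device=False):
        """Check the entered code. Returns (ok, new_cookie_or_None)."""
        entry = self.pending.get(user)
        if entry is None or self.clock() > entry[1]:
            self.pending.pop(user, None)      # nothing pending, or code expired
            return False, None
        if not hmac.compare_digest(_h(code), entry[0]):
            entry[2] -= 1
            if entry[2] <= 0:
                del self.pending[user]        # too many misses: require a new code
            return False, None
        del self.pending[user]                # a code works only once
        if not trust_device:
            return True, None
        cookie = secrets.token_urlsafe(32)    # random token; only its hash is stored
        self.trusted.setdefault(user, set()).add(_h(cookie))
        return True, cookie
```

Because only hashes of the trust cookies are stored, a user can revoke a trusted computer by having its entry deleted from `trusted`.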
no subject
I have heard of someone using a QR code. As part of the login process, you scan the QR code with your phone and it takes you to a page (in your phone's browser) that checks a cookie previously set (in your phone's browser) (or checks the phone number against your stored phone number) that authenticates you. So you never enter your password on the foreign PC.
I can imagine all sorts of variations on that theme that would use a smartphone client app to do the authentication. There probably already exist 3rd-party apps to do that work, if DW didn't want to. I know there's an RSA app, for instance. (which would have the advantage that people who wanted two-factor authentication but had no mobile could buy an RSA token....)
But it should definitely be opt-in. Not everyone has a smartphone, or even a mobile phone at all, and not everyone is so concerned about security.
no subject
[edit: However, it does require a data connection, which may be an issue.]
no subject
3 reasons why using QR codes is a bad idea
First, not everybody owns a camera phone.
Second, not everybody who owns a camera phone has a QR reader application installed.
Third, two factor authentication shouldn't be exclusive to just the people who own camera phones and have QR reader applications installed.
no subject
At some point you have to say that something is "good enough".
no subject
Making the URLs unlinkable, as suggested by sophie, doesn't seem to me like it's going to make things as accessible as possible for everyone. Rather, I think it's going to make things more inaccessible to those who need it. For instance, tabbing from the keyboard won't work if the URL is not linked in the first place.
With that said, I think one can only say something is "good enough" when one has tried and exhausted every option to make it better. The keyword here is better. Taking away links from URLs doesn't seem to me like it's making it better, so I don't agree that her suggestion is "good enough".
Anyway, these are just my thoughts. No personal attack intended. :)
no subject
For a while, I was thinking "is DW nuts?". But never mind that.
Thanks for the clarification.
<3
no subject
This isn't to say it's a perfect method, and DW certainly shouldn't be relying solely on that, because DW can't (and shouldn't) dictate what browser, assistive tools, etc. their users use, so thank you for bringing it up. Suggestions is all about brainstorming ideas, and this is exactly the sort of thing that makes DW better. :D