I've been wanting one of these since launch, and I'm sure countless others have been as well. As much as I love the giant thing of plastic on my keys, I misplace those much much much (emphasis on much) more often than my phone.


XI:Shadowtaru (Alexander)Manifest(Shiva) Volnaru (Asura)
1.0: Delirium Impulse (MysidiaGungnir)
ARR:Dashe Herate (Sargatanas)Dashe Voln (Excalibur)
The phone that is able to download an app is by definition online and therefore can be hacked/compromised/etc. Your keychain can't.
Never underestimate the security of an air gap.


And your keys can be just as easily lost/stolen with your token attached to it. The app itself doesn't connect to the network (unless performing a restore/reset) and even if your phone were to be hacked, who would be doing that for the sole purpose of entering your XIV/XI account, or even bothering to figure out the account tied to the authenticator?
Last edited by Impulse; 04-19-2012 at 12:15 AM.
Yes, but for that you actually have to get a plane ticket from China and do it one at a time.
1.) Publish a Super Happy Awesome Funtime XIV app that XIV players would be likely to download. Say it shows a /panic dancing Lalafell every hour, on the hour.
2.) While you're d'awwww-ing over said Lalafell, said Super Happy Awesome Funtime XIV app copies the keys from your one-time password app and sends them to the mothership in China.
3.) OK, they'd also need other login information. Conveniently enough, Super Happy Awesome Funtime XIV app will prompt you for some information about your account and character, to "personalize" your dancing Lalafell experience; this too will be sent back to the Chinese mothership.
Multiply this by however many users would fall for this. Lather, rinse, repeat, profit.
Meanwhile, your keychain device has only one input interface (the button) and one output (the screen).
Last edited by Ziyyigo-Tipyigo; 04-19-2012 at 12:48 AM.


If a person is stupid enough to give away their login details like that, I'd say let virtual Darwinism take its course. They'd be hacked with or without the authenticator (physical or mobile) in that case, especially if the person on the receiving end of the info were on top of their game with a 10 minute leniency. Codes expire after a short amount of time whether they are used or not.
Never had an issue with BNet's, didn't have an issue with TOR's equivalent in the short time I played that. If you get hacked with one of these attached to your account, you can almost guarantee that it's your own fault.
Last edited by Impulse; 04-19-2012 at 01:08 AM.
I'd wager most people reading this have given their email password to Facebook.
Fine, we'll add another step:
0.) Super Happy Awesome Funtime XIV app claims to be from S-E themselves. People don't know the difference; they got to the download site through a QR code.
You don't protect yourself from social engineering by assuming you're immune to social engineering.



You know there are these viruses called key loggers that will copy and send information over the internet based on the buttons you press.
Darwinism indeed, I thought you would know about such things with such mighty intellect.


I can see where you're coming from - But to hack into your phone in general would take a lot, I'm sure...
Just like any other web-enabled device, all it takes is you visiting the wrong web page, which is how people picked up keyloggers and ended up needing these one-time passwords to begin with.
The only real difference between your smart phone and your PC is that your PC has anti-malware software and a fighting chance.


If it's just an authenticator app they use, it has no connection to your SE account except the OTP which changes every 30s; they have one part of the puzzle of hacking your account if they gained access to your phone.
They would need to find out what PC you access FFXIV from, then put a keylogger on it for your SE id and pass, then hack your phone for the OTP; the likelihood of getting access to both of these devices is unlikely.
If RMT (usual account hackers) wanted to go through this they would be completely blind; they would have to hack every smartphone until they find an FFXIV app, but an OTP is useless without the user id and pass.
Someone also said that smartphones are more vulnerable to attack because of lack of security, but smartphones have a lot of security software available, and at least Android has protection in the framework in that if an app doesn't have permission to access certain features it cannot; for example, if the FFXIV app doesn't need network access it can never be manipulated to access the internet.
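
The thread keeps returning to the difference between a displayed code, which expires, and the key inside the token or app that generates every code. As an added example (not from any poster and not Square Enix's code), the sketch below assumes the token behaves like standard RFC 6238 TOTP with the 30-second step mentioned above; the `Verifier` class, its drift window and the sample seed are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, matching the "changes every 30s" in the thread

def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on the seed and the clock."""
    counter = unix_time // STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Hypothetical server-side check: small drift window, each time step usable once."""

    def __init__(self, seed: bytes, window: int = 1, digits: int = 6):
        self.seed = seed
        self.window = window      # steps of clock drift tolerated either side
        self.digits = digits
        self.last_counter = -1    # highest time step already accepted

    def check(self, code: str, now: int) -> bool:
        current = now // STEP
        for c in range(current - self.window, current + self.window + 1):
            if c <= self.last_counter:
                continue          # step already used or older: reject replays
            expected = totp(self.seed, c * STEP, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter = c
                return True
        return False

if __name__ == "__main__":
    seed = b"12345678901234567890"       # constructed sample seed (RFC 6238 test key)
    v = Verifier(seed, window=1, digits=8)
    code = totp(seed, 59, 8)
    print("fresh code accepted:", v.check(code, 59))
    print("same code replayed: ", v.check(code, 59))
    print("code 10 minutes old:", Verifier(seed, 1, 8).check(code, 59 + 600))
    # Holding the seed is different: it yields valid codes for any future time.
    print("code for year 2033: ", totp(seed, 2_000_000_000, 8))
```

A captured code is only useful inside the verifier's window and only once, while a copied seed stays valid until the token is removed from the account and re-registered.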



