  1. #1
    Player
    Delsus's Avatar
    Join Date
    Mar 2011
    Location
    Ul'dah, where else?
    Posts
    3,697
    Character
    Delsus Highwind
    World
    Odin
    Main Class
    Red Mage Lv 86
    Quote Originally Posted by Jinko View Post
    Yea I get it now, I'm just guna leave it, somehow wires got crossed ... and everyone lived happily ever after.
    I'm happy to leave it if you now realise we are on the same side. Let's just let this awesome idea get to the devs to make (we can have it as a standalone app; looking at it, the 2.0 app will make it a security flaw because we will be signed in on it, so standalone app yes please), and apart from the workload on the devs, I don't see why they can't get it out before 2.0.
    (1)

  2. #2
    Player
    Lollerblades's Avatar
    Join Date
    Mar 2011
    Location
    Ul'dah
    Posts
    345
    Character
    Aro Foreal
    World
    Ragnarok
    Main Class
    White Mage Lv 100
    Let's hope with enough general interest in the idea it might actually happen
    (0)

  3. #3
    Player

    Join Date
    Mar 2011
    Location
    Gridania
    Posts
    1,987
    Before thinking about that, SE may want to fix the login process in XIV.

    Currently auth is only done once, before starting the game client, through a ****** web based interface that uses Internet Explorer (yeah for vulnerabilities \o/). As soon as the credentials are verified and the game client is started, you are free to log on/log off at will. Even worse, you can be connected on as many computers as you want, with different IP addresses; provided that your character isn't online on XIV, you can remain on the main menu.

    So technically, any "hacker" could "steal" your credentials (not hard if a victim's computer is infected), log on with them once without the victim being able to notice (the "hacker" would just need to make sure that he uses that OTP before the victim does, but since the auth is based on IE it's really not hard to mess with your victim's IE proxy settings to make sure that he cannot log on for a bit), wait for a few hours or even a day, then use the victim's account behind his back (impossible to notice unless you are on).

    As for the OTP itself, it works for way longer than 10 or 30 seconds like some people are claiming. You will receive a new password every 10~30 seconds, but any password generated and unused is valid for a way longer time frame (can be as long as 15 minutes).

    I just tried now, generated my OTP @ 0.04. Logged on with it @ 0.11. That is how people still manage to get "compromised" because of phishing websites. The window given to the hacker is large enough to enable him to use information the victim entered. And since the OTP the victim entered didn't reach SE's server but the phishing site instead, the OTP remains valid for the hacker to use.
    (0)
    Last edited by Antipika; 04-19-2012 at 08:22 AM.
    Antipika.
    Deathsmiles II-X - Difficulty Lv.2+ (1CC/2LC ALL clear) : http://youtu.be/pjRuwv_-MlI?hd=1
    Touhou 13 - Ten Desires (all clear) : http://www.youtube.com/view_play_list?p=PL194872B2BBA7CA67
    Touhou 12.5 - Double Spoiler (all clear) : http://www.youtube.com/view_play_list?p=BD180E7054F3C1A2
    Touhou 9.5 - Shoot the Bullet (all clear) : http://www.youtube.com/view_play_list?p=53B01AAE8A03BDD1
    Touhou 8 - Imperishable Night (all clear) : http://www.youtube.com/view_play_list?p=7A5C1FF6BDAD1C1B
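
The acceptance-window point raised in the post above, as an added example that is not part of the original thread and is not Square Enix's code: a server-side one-time-password check showing how the look-back window decides whether a code generated 7 minutes earlier is still accepted. It assumes RFC 6238 TOTP as a stand-in for the token's unknown algorithm; the secret, timestamp, `Verifier` class and `lookback_steps` parameter are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code (assumed; the post says a new code every 10~30 s)


def totp(secret: bytes, t: int, digits: int = 6) -> str:
    """RFC 6238 code for Unix time t (HMAC-SHA1, truncation per RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", t // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


# Hypothetical server-side verifier: look-back window plus single-use tracking.
class Verifier:
    def __init__(self, secret: bytes, lookback_steps: int):
        self.secret = secret
        self.lookback_steps = lookback_steps
        self.last_used_counter = -1  # highest time step already consumed

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for counter in range(current, current - self.lookback_steps - 1, -1):
            if counter <= self.last_used_counter:
                break  # this step and anything older is already spent
            if hmac.compare_digest(totp(self.secret, counter * STEP), code):
                self.last_used_counter = counter
                return True
        return False


def demo() -> dict:
    secret = b"constructed-demo-secret"   # constructed sample key
    generated_at = 1_334_793_840          # constructed timestamp
    used_at = generated_at + 7 * 60       # 7 minutes later, as in the post
    code = totp(secret, generated_at)     # the code a phishing page would capture
    wide = Verifier(secret, lookback_steps=30)   # ~15 minute acceptance window
    narrow = Verifier(secret, lookback_steps=1)  # current step plus one of drift
    return {
        "wide_accepts_late_code": wide.verify(code, used_at),
        "wide_rejects_replay": wide.verify(code, used_at + 1),
        "narrow_rejects_late_code": narrow.verify(code, used_at),
        "narrow_accepts_fresh_code": narrow.verify(code, generated_at + 20),
    }


if __name__ == "__main__":
    print(demo())
```

Single-use tracking only helps once a code has reached the real server; a code entered on a phishing page was never consumed, so the width of the look-back window is what limits how long it stays usable.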

  4. #4
    Player
    VytasBismarck's Avatar
    Join Date
    Apr 2012
    Posts
    100
    Character
    Vytas Bismarck
    World
    Hyperion
    Main Class
    Thaumaturge Lv 50
    Great idea imho. Doesn't have to replace Security Token, but would be a great option for those who prefer to use their phone instead, and don't want to wait for a shipment of Token 'cause they could just download the app instantly.
    (0)

  5. #5
    Player
    Warchi's Avatar
    Join Date
    Mar 2011
    Posts
    17
    Character
    Warchi Lunis
    World
    Balmung
    Main Class
    Gladiator Lv 50
    Yes awesome idea.
    (0)

  6. #6
    Player
    Zantetsuken's Avatar
    Join Date
    Mar 2011
    Posts
    1,979
    Character
    Siorai Aduaidh
    World
    Leviathan
    Main Class
    Conjurer Lv 50
    Mobile phone authenticators are very secure and are currently used across the business world as a way to lock down sensitive networks, etc.

    The RSA SecurID has an industry standard authentication app. In fact, the iPhone version of the app requires its own 5 digit code to even access, so if anyone wants to hack your SE acct, they would need the following:
    1. Your SE Acct User Name
    2. Your SE Acct Password
    3. Knowledge that you are using your iPhone Authenticator and not a Security Token
    4. Your iPhone
    5. Your Phone's password
    6. Your Security Authenticator Password.

    If anything, an iPhone Authenticator is even less likely to be compromised than a security token (which has a FF logo on it btw).

    Impossible? No, nothing is impossible in the world of hacking, but if anyone goes through all that to steal my acct -- until I call SE to get it restored -- then more power to them.
    (0)
    Last edited by Zantetsuken; 04-19-2012 at 11:29 PM.

  7. #7
    Player
    Delsus's Avatar
    Join Date
    Mar 2011
    Location
    Ul'dah, where else?
    Posts
    3,697
    Character
    Delsus Highwind
    World
    Odin
    Main Class
    Red Mage Lv 86
    Quote Originally Posted by Zantetsuken View Post
    Mobile phone authenticators are very secure and are currently used across the business world as a way to lock down sensitive networks, etc.

    The RSA SecurID is an industry standard. In fact, the iPhone version of the app requires its own 5 digit code to even access, so if anyone wants to hack your SE acct, they would need the following:
    1. Your SE Acct User Name
    2. Your SE Acct Password
    3. Knowledge that you are using your iPhone Authenticator and not a Security Token
    4. Your iPhone
    5. Your Phone's password
    6. Your Security Authenticator Password.

    If anything, an iPhone Authenticator is even less likely to be compromised than a security token (which has a FF logo on it btw). Impossible? No, nothing is impossible in the world of hacking, but if anyone goes through all that to steal my acct -- until I call SE to get it restored -- then good luck to them.
    And let's not forget, if your phone is stolen, decent security software lets you remotely lock and wipe your phone; get that done fast enough and no one who steals your phone can hack your account. If a token gets stolen you have to go through SE not only to get access but to stop your account getting hacked.
    (1)

  8. #8
    Player
    Zantetsuken's Avatar
    Join Date
    Mar 2011
    Posts
    1,979
    Character
    Siorai Aduaidh
    World
    Leviathan
    Main Class
    Conjurer Lv 50
    Quote Originally Posted by Delsus View Post
    And let's not forget, if your phone is stolen, decent security software lets you remotely lock and wipe your phone; get that done fast enough and no one who steals your phone can hack your account. If a token gets stolen you have to go through SE not only to get access but to stop your account getting hacked.
    Exactly - Can't do that with a token...

    Those who say that this is not secure really need to do their research on it.
    (1)

  9. #9
    Player
    Delsus's Avatar
    Join Date
    Mar 2011
    Location
    Ul'dah, where else?
    Posts
    3,697
    Character
    Delsus Highwind
    World
    Odin
    Main Class
    Red Mage Lv 86
    Quote Originally Posted by Zantetsuken View Post
    Exactly - Can't do that with a token...

    Those who say that this is not secure really need to do their research on it.
    So many reasons why it should be implemented and any argument against can be easily countered.
    (0)

  10. #10
    Player

    Join Date
    Mar 2011
    Location
    Gridania
    Posts
    1,987
    If anything it will come at 2.0 anyway; we were told that smartphone apps are planned. Having mobile auth software is pretty standard these days, so it will most likely be released.
    (0)
    Antipika.
