The phone that is able to download an app is by definition online and therefore can be hacked/compromised/etc. Your keychain can't.
Never underestimate the security of an air gap.

And your keys can be just as easily lost/stolen with your token attached to it. The app itself doesn't connect to the network (unless performing a restore/reset) and even if your phone were to be hacked, who would be doing that for the sole purpose of entering your XIV/XI account, or even bothering to figure out the account tied to the authenticator?
Last edited by Impulse; 04-19-2012 at 12:15 AM.
XI:Shadowtaru (Alexander)Manifest(Shiva) Volnaru (Asura)
1.0: Delirium Impulse (MysidiaGungnir)
ARR:Dashe Herate (Sargatanas)Dashe Voln (Excalibur)
Yes, but for that you actually have to get a plane ticket from China and do it one at a time.
1.) Publish a Super Happy Awesome Funtime XIV app that XIV players would be likely to download. Say it shows a /panic dancing Lalafell every hour, on the hour.
2.) While you're d'awwww-ing over said Lalafell, said Super Happy Awesome Funtime XIV app copies the keys from your one-time password app and sends them to the mothership in China.
3.) OK, they'd also need other login information. Conveniently enough, Super Happy Awesome Funtime XIV app will prompt you for some information about your account and character, to "personalize" your dancing Lalafell experience; this too will be sent back to the Chinese mothership.
Multiply this by however many users would fall for this. Lather, rinse, repeat, profit.
Meanwhile, your keychain device has only one input interface (the button) and one output (the screen).
Last edited by Ziyyigo-Tipyigo; 04-19-2012 at 12:48 AM.


If a person is stupid enough to give away their login details like that, I'd say let virtual Darwinism take its course. They'd be hacked with or without the authenticator (physical or mobile) in that case, especially if the person on the receiving end of the info were on top of their game with a 10 minute leniency. Codes expire after a short amount of time whether they are used or not.
Never had an issue with BNet's, didn't have an issue with TOR's equivalent in the short time I played that. If you get hacked with one of these attached to your account, you can almost guarantee that it's your own fault.
Last edited by Impulse; 04-19-2012 at 01:08 AM.
I'd wager most people reading this have given their email password to Facebook.
Fine, we'll add another step:
0.) Super Happy Awesome Funtime XIV app claims to be from S-E themselves. People don't know the difference; they got to the download site through a QR code.
You don't protect yourself from social engineering by assuming you're immune to social engineering.


As far as Apple's Appstore goes, SE is in there as a developer. Good luck getting their name to show up above your shoddy app.
Android's marketplace is just a mess as it is, so I won't even get into that.
Either way, we're talking about a piece of software that has no idea what account it is attached to. The only connection is your SE account having the authenticator's serial number attached to it as well as the algorithm that goes with code generation.



You know there are these viruses called key loggers that will copy and send information over the internet based on the buttons you press.
Darwinism indeed, I thought you would know about such things with such mighty intellect.


That's what anti-malware is for, and a little bit of common sense. I have never had a keylogger on my laptop, or any virus in fact, although I use, let's say, high-risk software (not FFXIV related), because I have common sense about where I download from.



Well, I have had one steal both my FFXI account and WoW account, although it was several years ago now; it's more for peace of mind.
I can't believe you are actually arguing against security, lol, well, each to his own.
And anti-malware and virus scanners don't always pick them up; I had to reformat my PC when my WoW account was stolen because I couldn't get the damn thing off.


That's nice. You still won't get far with one single-use pass without the serial number and the algorithm used to generate the code. Chances are if you get such a virus, you've been doing something wrong.
Read the rest of the thread and you'll see that he's talking about the guy who claims that mobile authenticators are useless because the phone is connected to a network near full-time.
Actually, here you go.
Last edited by Impulse; 04-19-2012 at 05:18 AM.
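As an added illustration (not written by any poster in this thread) of the two points made above, that codes expire after a short time whether used or not and that one single-use code is worthless without the seed behind the serial number, here is a minimal RFC 4226/6238 one-time-password generator and a server-side verifier in Python. The seed is a constructed demo value; the skew and replay handling are assumptions about a typical server, not Square Enix's implementation.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: stands in for the secret a server keeps alongside
# a token's serial number. Real seeds are random and never leave the server/token.
DEMO_SECRET = b"constructed-demo-seed-not-a-real-key"
STEP = 30      # seconds per code (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the Unix epoch."""
    return hotp(secret, at // step)


class OtpVerifier:
    """Server-side check (assumed policy): accept a code only within +/- `skew`
    time steps of the server clock, and never accept the same step twice."""

    def __init__(self, secret: bytes, skew: int = 1):
        self.secret = secret
        self.skew = skew
        self.last_counter = -1  # highest time-step counter already consumed

    def verify(self, code: str, now: int) -> bool:
        counter_now = now // STEP
        for c in range(counter_now - self.skew, counter_now + self.skew + 1):
            if c <= self.last_counter:
                continue  # already used (or older than a used code): replay
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c  # burn this step so the code is single-use
                return True
        return False  # wrong seed, expired window, or replay
```

A captured code only ever buys an attacker the current window; without the seed, the next window's code cannot be derived from it.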