One time password Authenticator - Mobile App?

[Impulse]

The phone that is able to download an app is by definition online and therefore can be hacked/compromised/etc. Your keychain can't.

Never underestimate the security of an air gap.

And your keys can be just as easily lost/stolen with your token attached to it. The app itself doesn't connect to the network (unless performing a restore/reset) and even if your phone were to be hacked, who would be doing that for the sole purpose of entering your XIV/XI account, or even bothering to figure out the account tied to the authenticator?

[Lollerblades]

The phone that is able to download an app is by definition online and therefore can be hacked/compromised/etc. Your keychain can't.

Never underestimate the security of an air gap.

I can see where you're coming from - But to hack into your phone in general would take alot i'm sure...

[Impulse]

The problem i have with this idea is that when your phone needs to be restored or that somehow you lose your app, you have to go through hell in order to get access to your account again. Happened to me twice in WOW and i never used this app again, i rather be hacked. Unless they make it so that this won't happen in XIV, make it that you can use your e-mail account to reset that app or something, i don't want it.

The B.NET authenticator gives you the serial and a reset/restore code (and tells you to copy it down) as soon as you install and attach the app. If you lock yourself out of your account due to a phone reformat/app deletion, that's more your fault than theirs.

[Jinko]

The problem i have with this idea is that when your phone needs to be restored or that somehow you lose your app, you have to go through hell in order to get access to your account again. Happened to me twice in WOW and i never used this app again, i rather be hacked. Unless they make it so that this won't happen in XIV, make it that you can use your e-mail account to reset that app or something, i don't want it.

If you have it resettable by email it kind of defeats the purpose, if your SE account happens to be hacked the chances are the person will also have other details such as your email log in and password aswell.

+1 for the mobile app, I currently use the token though so have no need for the mobile app until the battery dies.

[Ziyyigo-Tipyigo]

I can see where you're coming from - But to hack into your phone in general would take alot i'm sure...

Just like any other web-enabled device, all it takes is you visiting the wrong web page, which is how people picked up keyloggers and ended up needing these one-time passwords to begin with.

The only real difference between your smart phone and your PC is that your PC has anti-malware software and a fighting chance.

[Arcell]

I'm all for an idea for this. Hell they could even charge me for the app if they're concerned with losing out on the fee for the physical authenticator. There are quite a few reasons why this is a great idea:

* Don't have to keep track of the physical authenticator. It's kind of small and one could easily lose it, plus it's just one more thing on my keychain.

* Don't have to worry about battery life. The physical authenticator will, albeit a long ways away, eventually run out of power. When this happens, you're kind of SOL if you want to play the game until you get it cleared up with customer service.

* It's on a mobile device that many people carry around with them all the time. It's one less thing people have to keep track of.

However there are some cons:

* It's on a mobile device, so if for whatever reason that device is rendered unusable (broken, out of power, stolen, etc...) you have to go through the same hassle as if you lost your physical authenticator or if it ran out of power. At the mercy of customer service until you can get it straightened out.

* It takes up space on your mobile device, I guess lol.

[Ziyyigo-Tipyigo]

And your keys can be just as easily lost/stolen with your token attached to it.

Yes, but for that you actually have to actually get a plane ticket from China and do it one at a time.

1.) Publish a Super Happy Awesome Funtime XIV app that XIV players would be likely to download. Say it's shows a /panic dancing Lalafell every hour, on the hour.

2.) While you're d'awwww-ing over said Lalafell, said Super Happy Awesome Funtime XIV app copies the keys from your onetime password app and sends them to the mothership in China.

3.) OK, they'd also need other login information. Conveniently enough, Super Happy Awesome Funtime XIV app will prompt you for some information about your account and character, to "personalize" your dancing Lalafell experience; this too will be sent back to the Chinese mothership.

Multiply this by however many users would fall for this. Lather, rinse, repeat, profit.

Meanwhile, your keychain device has only one input interface (the button) and one output (the screen).

[Delsus]

Hello

This is just a general idea i've picked up from the Battle.net mobile authenticator app
(Haters gonna hate WoW so sod off and troll somewhere else you're input is neither needed nor appreciated)

I think something like this would be rather nifty for our Square-Enix accounts i'm not to sure about the rest of you but i lost mine once and it was a serious pain in the arse to cancel it via the phone - And there is always the possiblity of the fob running out of battery power, i think a mobile phone Authenticator app would be a good move for SE as 99.99% of us always have our phone on / near our persons.

Sorry if a thread like this already exsits... SE are always banging on about extra protection for our FFXI / FFXIV accounts and i just thought that maybe this could be doable

Post up what you guys think, Good idea, Bad idea ?

Thanks

This is what the iPhone / Android version of the Battle.net authentication app looks like

As much as I hate WoW and it pains me to say but this is a brilliant idea, although with the announcement that we would have a mobile app to interface with the game (manage retainer, inv etc) it has been asked for as a part of the official FFXIV app we are gonna get after 2.0.

But a seperate one for now will suffice.

[Delsus]

The problem i have with this idea is that when your phone needs to be restored or that somehow you lose your app, you have to go through hell in order to get access to your account again. Happened to me twice in WOW and i never used this app again, i rather be hacked. Unless they make it so that this won't happen in XIV, make it that you can use your e-mail account to reset that app or something, i don't want it.

Sorry for the double post, this is not an issue, if you can get locked out of WoW because of a factory reset/reflash it made wrong.

Every phone has a unique identifier called and IMEI, this is unique to each phone, app devs can access this IMEI number and for an authenticator app it can be used in the algorithm to work out the OTP.

This will protect users against accout lockouts because of a factory reset or reflash, the only problem will be when you get a new phone, which needs a workaround, its not a problem you will see every day, seeing as (atleast in UK) people are on 2yr contracts so they have to keep their phone for at least 2 years.


The work around could be using a code based on your phone's IMEI, which you can copy over to a new one if needed and it overwrites the default IMEI based algorithm.

[Niko_Kishiko]

Fantastic idea. I would definitely use it.