One time password Authenticator - Mobile App?

[Ryuko]

I am very much a fan of a mobile authenticator. I'm less likely to lose my phone than I am to lose this small keychain thing. Mobile authenticators seem to be pretty stable thus far, although you never know what the future brings.

[Impulse]

Hmm ?? You were talking about login and password nothing about authenticator (do I have to quote you or can you not remember what you typed?), its pretty obvious they can't steal an account if they don't have the one time password lol...

No, you simply took a small part of my post out of context. Read the whole damn thing and read the post I was responding to, you'll see that the other person was talking about a user putting in their one time use, time sensitive code along with the rest of their info, getting hacked in the process.

Yea and as I said show me a case of Blizzard running into issues because of this, the password only lasts for a matter of 10 second, so even if the one time password was transmitting over the internet the person on the other end would have to log in with 10-15 seconds making it almost impossible.

You do realize that neither Delsus or I have said anything about Blizz's app being insecure, right? Gogdamn you're dense.

[Jinko]

Ok lets go back a little bit to the first time Delsus quotes me and says

Thats what anti-malware is for, and a little bit of common sense, I have never had a keylogger on my laptop, or any virus infact although I use lets say high risk software (not FFXIV related) because I have common sense about where I download from.

Doesn't it look like you wer the first person to be aggressive for no apparent reason ?

Funnily it wasn't even a reply to something I said to you and then somehow you turned it around on me about what Ziyyigo-Tipyigo said about phone security.

Anyways seriously Whatever !!

Edit:- Ok I get it now, your on the same server, assuming the same LS and one of you is trying to defend the other hence why he replied to my post. (gottcha)

[Zumi]

I don't own a cell phone so this wouldn't really matter to me one way or the other.

[Delsus]

Ok lets go back a little bit to the first time Delsus quotes me and says



Doesn't it look like you were the first person to be aggressive for no apparent reason ?

Funnily it wasn't even a reply to something I said to you and then somehow you turned it around on me about what Ziyyigo-Tipyigo said about phone security.

Anyways seriously Whatever !!

Edit:- Ok I get it now, your on the same server, assuming the same LS and one if trying to defend the other hence why he replied to my post. (gottcha)

I was mearly saying that there are ways to protect against keyloggers, which is what you (admittedly rightly) said people can use to get your username and password, a valid comment, let me go back a bit:

Your reply to that was that I am against security, although I said anti-malware will protect against keyloggers.

How is using anti-malware being agains security, also you will have not used common sense when you downloaded that keylogger because you will have visited a suspicious website/downloaded an infected file/opened a dodgy email attatchment, to get it, they don't just appear from nowhere.

And with an authenticator (physical or on a smartphone) it would never have happened. Your fault I have no sympathy for you.

[Jinko]

Yea I get it now, I'm just guna leave it, somehow wires got crossed ... and everyone lived happily ever after.

[Delsus]

Yea I get it now, I'm just guna leave it, somehow wires got crossed ... and everyone lived happily ever after.

I'm happy to leave it if you now realise we are on the same side, lets just let this awesome idea get to the devs to make (we can have it as a stand alone app, looking at it, the 2.0 app will make it a security flaw because we will be signed in on it, so standalone app yes please, and appart from the work load on the devs, I don't see why they cant get it out before 2.0.

[Lollerblades]

Let's hope with enough general interest in the idea it might actually happen

[Antipika]

Before thinking about that, SE may want to fix the login process in XIV.

Currently auth is only done once, before starting the game client through a ****** web based interface that uses Internet Explorer (yeah for vulnerabilities \o/). As soon as the credentials are verified and the game client started, then you are free to log on/log off as will. Even worse, you can be connected on as many computers as you want, with different IPs address, provided that your character isn't online on XIV, you can remain on the main menu.

So technically, any "hacker" could "steal" your credentials (not hard if a victim's computer is infected), log on with them once without the victim being able to notice (the "hacker" would just need to make sure that he uses that OTP before the victim does, but since the auth is based on IE it's really not hard to mess up with your victim IE proxy settings to make sure that he cannot log on for a bit), wait for few hours or a even a day, use victim's account behind his back (impossible to notice unless you are on).

As for the OTP itself, it works for way longer than 10 or 30 seconds like some people are claiming. You will receive a new password every 10~30 seconds, but any password generated and unused is valid for a way longer time frame (can be as long as 15 minutes)

I just tried now, generated my OTP @ 0.04. Logged on with it @ 0.11. That is how people still manage to get "compromised" because of phishing website. The window given to the hacker is large enough to enable him to use information the victim entered. And since the OTP the victim entered didn't reach SE's server but the phishing site instead, the OTP remain valid for the hacker to use.

[VytasBismarck]

Great idea imho. Doesn't have to replace Security Token, but would be great option for those who prefer to use their phone instead, and don't want to wait for a shipment of Token cause they could just download the app instantly.