Comments on: Double Thanks, with Two Factor Authentication http://blog.passpack.com/2009/11/double-thanks-with-two-factor-authentication/ Passpack keeps your logins safe, organized and available 24/7. You can share passwords with your team in 100% privacy. Fri, 10 May 2013 18:12:33 +0000 hourly 1 http://wordpress.org/?v=3.4 By: Neil http://blog.passpack.com/2009/11/double-thanks-with-two-factor-authentication/comment-page-1/#comment-2930 Neil Wed, 02 Dec 2009 07:58:10 +0000 http://blog.passpack.com/?p=3319#comment-2930 You likely don't need a separate SMS OTP/token implementation. Most telephone companies provide an email to SMS gateway, so the existing email support is sufficient to accomplish the same thing. http://en.wikipedia.org/wiki/List_of_carriers_providing_SMS_transit You likely don’t need a separate SMS OTP/token implementation. Most telephone companies provide an email to SMS gateway, so the existing email support is sufficient to accomplish the same thing.

http://en.wikipedia.org/wiki/List_of_carriers_providing_SMS_transit

]]> By: Dan http://blog.passpack.com/2009/11/double-thanks-with-two-factor-authentication/comment-page-1/#comment-2928 Dan Tue, 01 Dec 2009 19:27:10 +0000 http://blog.passpack.com/?p=3319#comment-2928 Have you looked at using the VeriSign cards that PayPal uses? If you were able to use the same VeriSign backend for free, your users could use the same cards as they use for PayPal and that you can purchase from PayPal for $5. Alternatively, is there a way to force the Third Party login to be the *only* valid login to PassPack? That way, you could leave the whole two-factor issue up to the Third Party, such as OpenID or Yubikey. Finally, you might want to offer two levels of two-factor authentication availability: a free one that doesn't cost you on the backend, and other options, such as PhoneFactor, that are only available to your paid subscribers. You could even offer such options as features on top of your paid subscription price. Thanks, Dan Have you looked at using the VeriSign cards that PayPal uses? If you were able to use the same VeriSign backend for free, your users could use the same cards as they use for PayPal and that you can purchase from PayPal for $5.

Alternatively, is there a way to force the Third Party login to be the *only* valid login to PassPack? That way, you could leave the whole two-factor issue up to the Third Party, such as OpenID or Yubikey.

Finally, you might want to offer two levels of two-factor authentication availability: a free one that doesn’t cost you on the backend, and other options, such as PhoneFactor, that are only available to your paid subscribers. You could even offer such options as features on top of your paid subscription price.

Thanks,

Dan

]]> By: Ryan http://blog.passpack.com/2009/11/double-thanks-with-two-factor-authentication/comment-page-1/#comment-2926 Ryan Tue, 01 Dec 2009 08:31:22 +0000 http://blog.passpack.com/?p=3319#comment-2926 I would be willing to pay for a keyfob token. I would also be willing to pay per-use for SMS tokens. I would be willing to pay for a keyfob token. I would also be willing to pay per-use for SMS tokens.

]]> By: Jordan http://blog.passpack.com/2009/11/double-thanks-with-two-factor-authentication/comment-page-1/#comment-2923 Jordan Mon, 30 Nov 2009 21:34:52 +0000 http://blog.passpack.com/?p=3319#comment-2923 I think a keyfob token, like RSA SecurID, that displays a one-time password you can type in would be useful. I think a keyfob token, like RSA SecurID, that displays a one-time password you can type in would be useful.

]]> By: Francesco http://blog.passpack.com/2009/11/double-thanks-with-two-factor-authentication/comment-page-1/#comment-2922 Francesco Mon, 30 Nov 2009 19:59:58 +0000 http://blog.passpack.com/?p=3319#comment-2922 Hi Dan, I tested PhoneFactor a year ago, and it worked perfectly. But it is free only for a limited number of users.We would have to introduce a prepaid credits plan in order to fully support it. The same is for SMS. So I preferred to <a href="http://blog.passpack.com/2009/11/yubikeytwo-factor-or-third-party/" rel="nofollow">start implementing Yubikey</a>. I know that a Yubikey is not free, but I if you have one, you're free to use it. Hi Dan,

I tested PhoneFactor a year ago, and it worked perfectly. But it is free only for a limited number of users.We would have to introduce a prepaid credits plan in order to fully support it. The same is for SMS.

So I preferred to start implementing Yubikey. I know that a Yubikey is not free, but I if you have one, you’re free to use it.

]]> By: Dan http://blog.passpack.com/2009/11/double-thanks-with-two-factor-authentication/comment-page-1/#comment-2921 Dan Mon, 30 Nov 2009 17:36:57 +0000 http://blog.passpack.com/?p=3319#comment-2921 Have a look at PhoneFactor.com. It looks promising and it's probably quite easy to implement. And I'm not affiliated with them in any way... Another simple alternative to the email OTP would be an SMS OTP. Have a look at PhoneFactor.com. It looks promising and it’s probably quite easy to implement. And I’m not affiliated with them in any way…

Another simple alternative to the email OTP would be an SMS OTP.

]]> By: Francesco http://blog.passpack.com/2009/11/double-thanks-with-two-factor-authentication/comment-page-1/#comment-2919 Francesco Mon, 30 Nov 2009 13:50:49 +0000 http://blog.passpack.com/?p=3319#comment-2919 Hello Mike, I agree with you. This is not a real second factor. But, first of all, I had to develope a way to intersect the sign in process with a further step. Now we are ready to add more factors. What's your suggestion for the next one? Hello Mike,

I agree with you. This is not a real second factor. But, first of all, I had to develope a way to intersect the sign in process with a further step. Now we are ready to add more factors. What’s your suggestion for the next one?

]]> By: Mike Christiansen http://blog.passpack.com/2009/11/double-thanks-with-two-factor-authentication/comment-page-1/#comment-2916 Mike Christiansen Mon, 30 Nov 2009 03:04:10 +0000 http://blog.passpack.com/?p=3319#comment-2916 That's awesome, but that's not really two factor authentication... 1. What you know (Password) 2. What you have (Security Token) 3. Who you are (Biometrics) A one time password to my e-mail is just another instance of factor 1... So, we have the following: 1. Username 2. Password 3. Packing Key 4. One Time Password We have 4x 1 Factor authentications and 0x 2 Factor authentications. That’s awesome, but that’s not really two factor authentication…

1. What you know (Password)
2. What you have (Security Token)
3. Who you are (Biometrics)

A one time password to my e-mail is just another instance of factor 1…

So, we have the following:
1. Username
2. Password
3. Packing Key
4. One Time Password

We have 4x 1 Factor authentications and 0x 2 Factor authentications.

]]>