The Glade 4.0

"Turn the lights down, the party just got wilder."

All times are UTC - 6 hours [ DST ]




 Post subject:
PostPosted: Mon Aug 09, 2010 10:17 am 
Offline
Near Ground
User avatar

Joined: Wed Sep 02, 2009 10:38 pm
Posts: 6782
Location: Chattanooga, TN
I paid the six bucks and got one. It just hangs around on my keychain. No big.


 Post subject:
PostPosted: Mon Aug 09, 2010 11:13 am 
Offline
Commence Primary Ignition
User avatar

Joined: Thu Sep 03, 2009 9:59 am
Posts: 15740
Location: Combat Information Center
Yeah that'd go great. "Honey, what's that on your keychain?"

_________________
"Hysterical children shrieking about right-wing anything need to go sit in the corner and be quiet while the adults are talking."


 Post subject: Re:
PostPosted: Mon Aug 09, 2010 2:47 pm 
Offline
User avatar

Joined: Sat Sep 05, 2009 2:40 am
Posts: 3188
Uinan wrote:
Stealing Blizzard accounts is sadly a multi million dollar industry.

Snagging an Authenticator seems to be worth it. I recently got one for my Itouch.



Seriously. It's an extremely high reward for practically no risk.

And while it may seem silly to do all of this over a video game, it is essentially data that represents several years' worth of investment for most people.

_________________
Les Zombis et les Loups-Garous!


PostPosted: Mon Aug 09, 2010 7:09 pm 
Offline
User avatar

Joined: Wed Sep 02, 2009 7:59 pm
Posts: 9412
Diamondeye wrote:
Couldn't they add some other method of authentication, like having you put in answers to 20 questions, and then having you answer a random one when you log in?

Redundant. Basic security: something you know, something you have, something you are.
You've already got a password, that's your Something You Know. A secret question or whatever would only be an additional Something You Know, and would be vulnerable to the same vectors of attack that your password is. Keylogger catches both, for instance, and is a common means of stealing Blizzard account information.

_________________
"Aaaah! Emotions are weird!" - Amdee
"... Mirrorshades prevent the forces of normalcy from realizing that one is crazed and possibly dangerous. They are the symbol of the sun-staring visionary, the biker, the rocker, the policeman, and similar outlaws." - Bruce Sterling, preface to Mirrorshades


PostPosted: Mon Aug 09, 2010 9:47 pm 
Offline
Commence Primary Ignition
User avatar

Joined: Thu Sep 03, 2009 9:59 am
Posts: 15740
Location: Combat Information Center
Kaffis Mark V wrote:
Diamondeye wrote:
Couldn't they add some other method of authentication, like having you put in answers to 20 questions, and then having you answer a random one when you log in?

Redundant. Basic security: something you know, something you have, something you are.
You've already got a password, that's your Something You Know. A secret question or whatever would only be an additional Something You Know, and would be vulnerable to the same vectors of attack that your password is. Keylogger catches both, for instance, and is a common means of stealing Blizzard account information.


I'm not all that concerned; I have an exceedingly strong password. Keyloggers are a worry though, but you beat those by putting the choices on a pulldown menu; your right answer and 4 or 5 random answers that pertain to the question.

_________________
"Hysterical children shrieking about right-wing anything need to go sit in the corner and be quiet while the adults are talking."


PostPosted: Mon Aug 09, 2010 9:57 pm 
Offline
God of the IRC
User avatar

Joined: Wed Sep 02, 2009 7:35 pm
Posts: 3041
Location: The United States of DESU
You can defeat pulldown menus by taking screenshots when the choice is selected. You can also defeat a virtual keyboard this way. The advantage of an RSA token is that without the token's seed, having one sequence of numbers does not allow you to guess the next set of numbers. Also, each token is only accepted once. Once the server validates a token, it is no longer valid, even if the window has not yet expired for that token.

RSA tokens aren't perfect, though. It's still possible to defeat them if your system is compromised. But it would require working within the 30-45 second window where any particular token is valid.

_________________
Image


PostPosted: Mon Aug 09, 2010 10:16 pm 
Offline
Commence Primary Ignition
User avatar

Joined: Thu Sep 03, 2009 9:59 am
Posts: 15740
Location: Combat Information Center
Mookhow wrote:
You can defeat pulldown menus by taking screenshots when the choice is selected. You can also defeat a virtual keyboard this way. The advantage of an RSA token is that without the token's seed, having one sequence of numbers does not allow you to guess the next set of numbers. Also, each token is only accepted once. Once the server validates a token, it is no longer valid, even if the window has not yet expired for that token.

RSA tokens aren't perfect, though. It's still possible to defeat them if your system is compromised. But it would require working within the 30-45 second window where any particular token is valid.


What if you randomized the locations of the keys on the virtual keyboard at each use?

_________________
"Hysterical children shrieking about right-wing anything need to go sit in the corner and be quiet while the adults are talking."


PostPosted: Mon Aug 09, 2010 10:43 pm 
Offline
God of the IRC
User avatar

Joined: Wed Sep 02, 2009 7:35 pm
Posts: 3041
Location: The United States of DESU
If you can see the keys on the virtual keyboard, then the keylogger can capture that visual data. The keylogger can capture everything on the screen including your cursor position. Not to mention that even if you randomize the onscreen keyboard, eventually you have to enter your password, which can be sniffed from memory as you're typing it in.

edit: http://en.wikipedia.org/wiki/Keystroke_logging, http://en.wikipedia.org/wiki/SecurID#Th ... rabilities

_________________
Image


 Post subject:
PostPosted: Mon Aug 09, 2010 10:57 pm 
Offline
User avatar

Joined: Wed Sep 02, 2009 7:59 pm
Posts: 9412
Not to mention, randomizing key locations on a virtual keyboard is getting into "**** annoying" territory from a usability standpoint, so it seems like you're working backwards there, DE, since your initial objection to a dongle was convenience.

_________________
"Aaaah! Emotions are weird!" - Amdee
"... Mirrorshades prevent the forces of normalcy from realizing that one is crazed and possibly dangerous. They are the symbol of the sun-staring visionary, the biker, the rocker, the policeman, and similar outlaws." - Bruce Sterling, preface to Mirrorshades


 Post subject: Re:
PostPosted: Tue Aug 10, 2010 8:02 am 
Offline
Commence Primary Ignition
User avatar

Joined: Thu Sep 03, 2009 9:59 am
Posts: 15740
Location: Combat Information Center
Kaffis Mark V wrote:
Not to mention, randomizing key locations on a virtual keyboard is getting into "**** annoying" territory from a usability standpoint, so it seems like you're working backwards there, DE, since your initial objection to a dongle was convenience.


I don't think virtual keyboards with random key locations would be annoying. I'm also a little unclear on how a keylogger capturing cursor location would matter if you randomized what was at that location, but I guess it doesn't matter if it can pull the keystrokes from memory.

I think the little dongle thing, or needing to have some fancy phone application, is more annoying, since the dongle can get lost or damaged, and the phone... well, means you have to have the phone, but then again, I have objections to BlackBerrys, iPhones, DROIDs, and all that jazz that really don't pertain to most people.

_________________
"Hysterical children shrieking about right-wing anything need to go sit in the corner and be quiet while the adults are talking."


 Post subject:
PostPosted: Tue Aug 10, 2010 11:30 am 
Offline
Web Ninja
User avatar

Joined: Wed Sep 02, 2009 8:32 pm
Posts: 8248
Location: The Tunt Mansion
Guess at the end of the day, it's just not for you, DE. For the rest of us, it's an easy, nearly unbreakable way to secure our accounts.


 Post subject: Re:
PostPosted: Tue Aug 10, 2010 11:41 am 
Offline
Commence Primary Ignition
User avatar

Joined: Thu Sep 03, 2009 9:59 am
Posts: 15740
Location: Combat Information Center
Lenas wrote:
Guess at the end of the day, it's just not for you, DE. For the rest of us, it's an easy, nearly unbreakable way to secure our accounts.


If it works for you guys, that's awesome. I'd just like to see another method that doesn't cost extra and isn't easily lost.

I might be more inclined to it if fancy phones weren't such a problem. One of the main reasons my wife and I share a phone is that it has no camera. Do you know how hard it is to get a phone with no camera?

_________________
"Hysterical children shrieking about right-wing anything need to go sit in the corner and be quiet while the adults are talking."


 Post subject: Re: Re:
PostPosted: Tue Aug 10, 2010 11:48 am 
Offline
I got nothin.
User avatar

Joined: Thu Sep 03, 2009 7:15 pm
Posts: 11160
Location: Arafys, AKA El Müso Guapo!
Diamondeye wrote:
Lenas wrote:
Guess at the end of the day, it's just not for you, DE. For the rest of us, it's an easy, nearly unbreakable way to secure our accounts.


If it works for you guys, that's awesome. I'd just like to see another method that doesn't cost extra and isn't easily lost.


The token's not easily lost. I have it attached to my keys, and I always know where they are :)

_________________
Image
Holy shitsnacks!


 Post subject: Re: Re:
PostPosted: Tue Aug 10, 2010 4:36 pm 
Offline
Commence Primary Ignition
User avatar

Joined: Thu Sep 03, 2009 9:59 am
Posts: 15740
Location: Combat Information Center
Müs wrote:
Diamondeye wrote:
Lenas wrote:
Guess at the end of the day, it's just not for you, DE. For the rest of us, it's an easy, nearly unbreakable way to secure our accounts.


If it works for you guys, that's awesome. I'd just like to see another method that doesn't cost extra and isn't easily lost.


The token's not easily lost. I have it attached to my keys, and I always know where they are :)


You're not married.

_________________
"Hysterical children shrieking about right-wing anything need to go sit in the corner and be quiet while the adults are talking."


 Post subject:
PostPosted: Tue Aug 10, 2010 5:27 pm 
Offline
I got nothin.
User avatar

Joined: Thu Sep 03, 2009 7:15 pm
Posts: 11160
Location: Arafys, AKA El Müso Guapo!
What does being married have to do with knowing where my keys are?

_________________
Image
Holy shitsnacks!


 Post subject: Re:
PostPosted: Tue Aug 10, 2010 5:29 pm 
Offline
User avatar

Joined: Fri Feb 05, 2010 11:59 am
Posts: 3879
Location: 63368
Müs wrote:
What does being married have to do with knowing where my keys are?

You don't have kids living with you.

_________________
In time, this too shall pass.


 Post subject: Re: Re:
PostPosted: Tue Aug 10, 2010 9:22 pm 
Offline
Commence Primary Ignition
User avatar

Joined: Thu Sep 03, 2009 9:59 am
Posts: 15740
Location: Combat Information Center
Taskiss wrote:
Müs wrote:
What does being married have to do with knowing where my keys are?

You don't have kids living with you.


That and he doesn't have a wife asking what that little new gadget on the keychain does, and then asking why you spent ten dollars on it.

_________________
"Hysterical children shrieking about right-wing anything need to go sit in the corner and be quiet while the adults are talking."


 Post subject: Re: Re:
PostPosted: Tue Aug 10, 2010 9:57 pm 
Offline
I got nothin.
User avatar

Joined: Thu Sep 03, 2009 7:15 pm
Posts: 11160
Location: Arafys, AKA El Müso Guapo!
Diamondeye wrote:
Taskiss wrote:
Müs wrote:
What does being married have to do with knowing where my keys are?

You don't have kids living with you.


That and he doesn't have a wife asking what that little new gadget on the keychain does, and then asking why you spent ten dollars on it.


0.o

Ouch.

_________________
Image
Holy shitsnacks!


PostPosted: Tue Aug 10, 2010 10:00 pm 
Offline
Commence Primary Ignition
User avatar

Joined: Thu Sep 03, 2009 9:59 am
Posts: 15740
Location: Combat Information Center
Oh yeah, almost forgot. My kid has an account too, and that damn authenticator would be lost in under a week. She can't even keep track of a housekey.

_________________
"Hysterical children shrieking about right-wing anything need to go sit in the corner and be quiet while the adults are talking."


PostPosted: Wed Aug 11, 2010 12:21 am 
Offline
Grrr... Eat your oatmeal!!
User avatar

Joined: Wed Sep 02, 2009 11:07 pm
Posts: 5073
Diamondeye wrote:
Oh yeah, almost forgot. My kid has an account too, and that damn authenticator would be lost in under a week. She can't even keep track of a housekey.


My daughter loses housekeys like they grew on a tree. But she has not once lost her authenticator.

_________________
Darksiege
Traveller, Calé, Whisperer
Lead me not into temptation; for I know a shortcut


 Post subject:
PostPosted: Wed Aug 11, 2010 12:52 pm 
Offline
Lean, Mean, Googling Machine
User avatar

Joined: Thu Sep 03, 2009 9:35 am
Posts: 2903
Location: Maze of twisty little passages, all alike
Diamondeye:

Two factor authentication.

In brief, there are 3 basic categories of authentication:

  • Something you know (passwords, "secret" questions, etc.)
  • Something you have (ex. RSA authenticator frob or a smart card)
  • Something you are (i.e. biometrics - fingerprints, retinal scans, etc.)

In a nutshell, two-factor authentication uses two of these areas instead of just one. In principle, this is vastly more secure than almost any single-factor system. Three-factor authentication would be even more secure, but this is rarely done outside of very high security applications. One reason for this is that, practically speaking, the only reasonably affordable biometric authentication available to consumers is fingerprint scanners. Unfortunately, fingerprint scanners are relatively easy to fool. But beyond that, a lot of people just don't like biometrics from a security point of view. If compromised, it's easy enough to change your password or have your authenticator/keycard replaced. Replacing your fingerprints or your retinas, on the other hand...

_________________
Sail forth! steer for the deep waters only!
Reckless, O soul, exploring, I with thee, and thou with me;
For we are bound where mariner has not yet dared to go,
And we will risk the ship, ourselves and all.


 Post subject:
PostPosted: Wed Aug 11, 2010 3:37 pm 
Offline
User avatar

Joined: Thu Sep 03, 2009 3:08 am
Posts: 6465
Location: The Lab
Hmm... Scary stuff here...
http://www.dailymail.co.uk/sciencetech/ ... ounts.html

Thinking about this, I give Blizzard a lot of credit for putting 2 factor auth in as an option.

Makes me wonder why banks don't do this?

I think I'll be sending them an email today...


 Post subject: Re:
PostPosted: Wed Aug 11, 2010 3:44 pm 
Offline
Commence Primary Ignition
User avatar

Joined: Thu Sep 03, 2009 9:59 am
Posts: 15740
Location: Combat Information Center
Stathol wrote:
Diamondeye:

Two factor authentication.

In brief, there are 3 basic categories of authentication:

  • Something you know (passwords, "secret" questions, etc.)
  • Something you have (ex. RSA authenticator frob or a smart card)
  • Something you are (i.e. biometrics - fingerprints, retinal scans, etc.)

In a nutshell, two-factor authentication uses two of these areas instead of just one. In principle, this is vastly more secure than almost any single-factor system. Three-factor authentication would be even more secure, but this is rarely done outside of very high security applications. One reason for this is that, practically speaking, the only reasonably affordable biometric authentication available to consumers is fingerprint scanners. Unfortunately, fingerprint scanners are relatively easy to fool. But beyond that, a lot of people just don't like biometrics from a security point of view. If compromised, it's easy enough to change your password or have your authenticator/keycard replaced. Replacing your fingerprints or your retinas, on the other hand...


Yeah I understand all that. However, doing any one of those factors more than once in a different way is still more secure than one factor one time. That's all I was pointing out.

_________________
"Hysterical children shrieking about right-wing anything need to go sit in the corner and be quiet while the adults are talking."


 Post subject:
PostPosted: Wed Aug 11, 2010 4:00 pm 
Offline
User avatar

Joined: Wed Sep 02, 2009 7:59 pm
Posts: 9412
Not reliably so. If one password is compromised, any other "known" factor should be assumed to be compromised, or compromisable, too. How does a "known" security measure get compromised? Coercion, interception, or social engineering. I've forced, spied, or tricked you into revealing your password to me. And you think I didn't get the second password/secret question/whatever out of you, too?

_________________
"Aaaah! Emotions are weird!" - Amdee
"... Mirrorshades prevent the forces of normalcy from realizing that one is crazed and possibly dangerous. They are the symbol of the sun-staring visionary, the biker, the rocker, the policeman, and similar outlaws." - Bruce Sterling, preface to Mirrorshades


 Post subject:
PostPosted: Wed Aug 11, 2010 4:25 pm 
Offline
I got nothin.
User avatar

Joined: Thu Sep 03, 2009 7:15 pm
Posts: 11160
Location: Arafys, AKA El Müso Guapo!
I secure my wow account with a one-time pad cipher.

_________________
Image
Holy shitsnacks!

