
Are Internet Passwords About to Become Passé?

I see this on their page:

Auto Logins to Accounts: RoboForm password manager automatically saves and fills online account login forms and clicks Submit button for you.

No special irritation for me to do that myself.

Fills Checkout Forms for you: RoboForm form filler fills long checkout and personal profile forms from Identity that you setup only once.

Bingo! I actually get that now that I think about it. :) Some of those checkout forms are seriously irritating. It's bad enough always having to convince the form that I know where I live. Its rude suggestion to send the goods to some script-mangled address that it thinks would be fun to try instead of mine is already consuming too much of my time.

The site also lists a d/l for Linux.

I'm not going back to Linux. It's getting less UNIX like, and more MS-Windows like (actually worse) by the minute. :) [ Last time I tried to set up Linux networking by hand I discovered I didn't know how to do that any more because it was all changed now. No thanks to that kindastuff. ] That said, I could probably run RoboForm in Linux emulation which generally works quite well on FreeBSD.
 
This is off-topic for this thread, but what service are you paying for from Google where you can't get support?

GoDaddy is charging money for a service. That's a much different model.

To get this thread back on topic, PM me with your story - I'm curious.

Google AdSense is a form of profit-sharing. Users don't pay them directly, but Google takes their cut of your earnings to run the service. And now that YouTube is giving out Partnerships and AdSense accounts like candy, with no requirements to have a minimum number of subscribers and video views, there are thousands of YouTube users who have Partnerships and AdSense accounts, but have no access to e-mail support because they don't meet the strict "15,000 hours of watch time over the past 90 days" requirement.

That is unfair. Either they shouldn't give out Partnerships and AdSense accounts to people who don't meet that minimum requirement for e-mail support, or they should open up e-mail support to all YouTube Partners, regardless of how many views their videos are getting.
 
From the AdSense page:

"Google AdSense provides a free, flexible way to earn money from your websites, mobile sites, and site search results with relevant and engaging ads."

So if you are a publisher (a content provider) Google pays you for space on your site. And if you are an advertiser, Google finds the space to run your ads.

This thread is about a security technique that defends against malicious hacking and identity theft. Let's not hijack it anymore.
 
Maybe Google doesn't want to hire a few hundred people to read emails from users who are not making them money. Google is giving out accounts like candy to see who is up for the task of making them money; dead weight will get filtered out over time.
 
I don't really want to join the Google discussion here. Not because I don't have a lot to say about that, but because it is not that relevant to the thread. I had mentioned my suspicions earlier, but see now that the featured article reads:

This is more than just a deal between Google and Yubico to provide more secure access to your Gmail account, though. Last February, Google joined the FIDO (Fast IDentity Online) Alliance, an industry standards group committed to effective, easy-to-use, open source solutions to Internet security. And when it joined the FIDO Alliance, Google published its U2F specification as an open standard, available to all interested parties. The Alliance, while still growing, includes heavyweights like PayPal, MasterCard, Lenovo and LG Electronics, along with security specialists like NXP Semiconductor and Yubico.

Following a few links, I find the FIDO Alliance Mission Statement:

The Mission of the FIDO Alliance is to change the nature of online authentication by:

› Developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users.
› Operating industry programs to help ensure successful worldwide adoption of the Specifications.
› Submitting mature technical Specification(s) to recognized standards development organization(s) for formal standardization.

I'm all for better security, especially for banking and things vulnerable to potential harm in case of a security breach. However, more relevant to this board is how this can potentially affect those of us who like or prefer to use older or "alternative" hardware and operating systems. Does anybody have any ideas about that?
 
It'll potentially affect us just like all Modern Solutions Which We All Must Adapt Because Otherwise We Are Horrible Terrible No-Good Recidivist Luddites affect us, by progressively locking us out of everything until we either throw up our hands and give in or get really stubborn and forgo the use of everything thusly restricted.
 
I think you are way too negative about it. Nobody says you have to buy a new Macbook Air to access your stuff. ;-0

Two factor authentication would work on a DOS machine if you were using that. This particular solution (the Yubikey) requires USB, but the general idea of "something you know" and "something you have" works no matter what the hardware. The existing hardware tokens that generate one time codes are an example of this.
 
I think you are way too negative about it. Nobody says you have to buy a new Macbook Air to access your stuff. ;-0
I have yet to see a new standard in computing that came about for any other reason than somebody wanting to sell something.
Two factor authentication would work on a DOS machine if you were using that. This particular solution (the Yubikey) requires USB, but the general idea of "something you know" and "something you have" works no matter what the hardware. The existing hardware tokens that generate one time codes are an example of this.
But these people are pushing for the adoption of this specific standard which does require USB. Your argument here is like saying I'm not going to be locked out of the house because lots of places sell keys and locks. There's still a specific key in question that's going to be an issue.
 
Maybe Google doesn't want to hire a few hundred people to read emails from users who are not making them money. Google is giving out accounts like candy to see who is up for the task of making them money; dead weight will get filtered out over time.

Google AdSense doesn't pay you unless you earn at least $100 from them. "Filtering out the dead weight" would take a trivial amount of code to verify that you have been paid at least once by them before they give you access to e-mail support. After all, you getting paid $100 means that Google has already pocketed $47 from your work (the user gets 68% of AdSense income and Google keeps the rest).

Anyway, as for two-step verification... whatever happened to using your fingerprint? After all, fingerprint readers have only been on laptops for the past 15 years or so... you'd think they'd find a way to mass-market it by now.
 
But these people are pushing for the adoption of this specific standard which does require USB.

No they're not. Here is what they do say:

This ignites a thriving ecosystem of client authentication methods such as biometrics, PINs and second–factors that can be used with a variety of online services in an interoperable manner.

As you can see, the standard is not tied to any specific technology in regards to "something you have".

---

vwestlife said:
Anyway, as for two-step verification... whatever happened to using your fingerprint?

Nothing happened. Not only is it mentioned, there's a picture right on the standards page. :)


In the context of a two factor authentication, fingerprints are great. As generally used for locks on doors and laptops with single factor, it is only a convenience in a situation where "that'll do". It doesn't actually offer a high level of security - partly because we all tend to leave our fingerprints all over the place every day. In the topic context, we're much less likely to be sprinkling USB dongles everywhere we go between the bathroom and the office. Although that makes an interesting image. :p
 
Two-factor authentication is better than one-factor authentication, but the tokens and hardware keys are a pain in the neck. I've had a bunch of them from the bank over the years, and there are two main problems: 1: They fail. Like last year when I went to Japan and the key didn't work anymore (but fortunately there was another option - more below). 2: They are a HUGE HASSLE to bring when travelling, or even just between home and work.

Fortunately my bank now offers a much better alternative: Two-factor authentication through my mobile phone. Phones are better than tokens. They don't accidentally get activated as easily as these tokens, the battery can be recharged (unlike the tokens), and I've actually never had a mobile phone fail on me, since the first GSM phone I bought in 1997. And lastly, I always bring the phone - they are easier to carry than a token. They are actually built to be handled and messed with and stuffed into pockets (tokens have buttons that can easily be accidentally activated in a pocket). I don't have to remember where on earth I put it, and so on.

The phone two-factor authentication is not via SMS by the way - I had to get a newer SIM card which supports some other kind of transmission channel, but it works great. It's the _only_ hardware-based, 2nd-channel authentication I can accept.

-Tor
 
Interesting observations Tor.

It seems to me that if we were to rely on this kind of system, then there needs to be more than one choice though. I don't have a cell phone, and am not in the habit of carrying any of my other current radio transmission options (vhf/uhf, citizens band, microwave oven) around with me. I don't feel comfortable with biometrics like eyeparts and faceparts. And it seems to me that fingerprints are only a part-way-there kind of solution, so not ideal. For me it would have to be a pocketable dongle of some kind. I'm not prone to losing little things that I keep in my pocket or elsewhere so that would probably be perfect for me. I imagine that a lot of different options could be made like that. USB doesn't need a battery and I don't see why a little solid thing like this Yubikey would be particularly delicate.

I'm thinking though, that regardless of how it may be a good idea to find easier and/or better solutions for high levels of security, a big part of this is about protecting people who are either incapable, or unwilling, to look after themselves in this regard. And that, as a concept, does not bode well. (If we had a philosophy section, I'd expand on that. :) )
 
Passwords will remain for the next decade at least I believe. Implementing two-factor authentication is too complex / costly.
 
I find it interesting that there's a push for authentication USB dongles. It seems like there's a huge push for dongles today --> I have to use an iLok dongle for my audio software licenses.

In terms of security, I think the [most effective] solution will always be security through obscurity. Using a system no one else does.

Two things I like about dongles that automatically save credentials and spit them out:
A) you don't have to constantly type them in, especially if they are long and complex (which is the case for all of my passwords)
B) when dealing with clients who are completely OBLIVIOUS of the passwords they have set (such as for POP3 or office365), having a dongle to save them all would make supporting such things easier*

*Sometimes clients try to convince me that there is no password for such things when I ask for it. No, you just lack the majority of your hippocampus and didn't remember that you set anything!
 
Passwords will remain for the next decade at least I believe. Implementing two-factor authentication is too complex / costly.

I agree that passwords will likely remain with us for a while, but what's so expensive about two factor authentication? The password is cheap, as we all know. But, does the other factor have to cost money?

Fingerprint readers do add a cost. Retina readers probably only cost in software development. Voice, the same. Those are some of the factors commonly used as a second one. I don't think the complexity is overly significant in the greater scheme of modern operating systems.
 