instead of making the user remember his password why don't websites just generate a password whenever requested and then send it to the user's phone so he can log in?
it seems like it would be more secure and it would keep people from having to keep track of a bunch of passwords
i guess if the phone was stolen you'd be guaranteed entry to the site but there's probably some workaround for that.
Jason Campbell
>i guess if the phone was stolen you'd be guaranteed entry to the site but there's probably some workaround for that.
Yeah, like maybe if you had a separate secret code phrase set aside, so not only would a thief have to Step 1: have your phone to receive the one-time password but ALSO Step 2: know the secret code. It would make logging in almost like a two-step process, sort of thing.
Jeremiah Nelson
And then I'm required to have a phone and install each website's very own bloated "secure" app so I can log into their website. No thank you.
Jack Bennett
>what are security dongles
Luis Peterson
why would you need an app? they could just text you. some sites already do that sort of thing. you have to do it to install windows now
Cooper Foster
that's what Yubikey does
Carson Allen
Because then they can get more money off of you. Sure they could text you but that doesn't mean they would. Instead you'd have to install their ad-ridden app to code your code to log in. Steam already does that, a lot of other sites as well.
Carson Bennett
Whoosh
Connor Davis
to get your code*
Carter Ward
the only site i know of that does this is my bank, and it's actually a nice app and only necessary if i'm accessing from my phone. in what way does steam do this?
Kevin Lopez
it's called MFA nigger
Leo Cooper
yeah but this is just one factor. it's still just a password but it's temporary, generated on the fly, and then shown to the user who enters it.
Michael Miller
whoosh
Blake White
>each website's
Literally every website with 2FA that I've ever used, with the sole exception of Steam, uses a very standardized TOTP algorithm, so one app is enough. Google Authenticator, for example, will handle all your one-time passwords just fine. Authy's another good example. You can also usually just receive one-time codes via SMS if you so choose.
Luis Watson
Annoying.
Luke Russell
Just do password recovery to your email account and set a random one you won't remember each time, ta-daaaa.
Dominic Martinez
If you're worried about security, just generate and save a pseudorandom integer, append it to your plaintext password, then run it through ECDSA encryption and then use that result as your password on the website
Isaac Martinez
What if we take OP's idea and combine it with fingerprint scanners most phones of today have?
No actual visible code at all, you just scan your finger when prompted and that grants you access.
Bentley Diaz
this is a better idea for sure. but i was under the impression those fingerprint scanners were shit.
Charles Parker
The mobile authenticator on Steam is more or less required if you want to trade in the market or sell all those useless trading cards. It's also required sometimes to log in.
Joseph Cruz
So exactly what OP's idea would be?
Cooper Mitchell
>send it to the user's phone
I do not want any website to have access to my fucking phone number.
Joshua Cruz
why? phone numbers are just IDs at this point. it's like giving them your name
Blake Martinez
>it's like giving them your name
That's what I don't want them to have.
Mason Cooper
This. Plus you can then be forced to give your password because they'll see your phone.
All the backdoors and exploits to get into phones. Stealing a phone suddenly becomes more enticing.
Alexander Cox
OP u retarded fuck. nothing is ever secure. no system is fool proof. cool gif tho.
Colton Long
OP you're fucking retarded. 1. Sending passwords using SMS is unsecure as fuck. No encryption. Would you want your bank login to be sent in cleartext in the air with some redhat sniffing for those messages? 2. It's way easier to not be a retard and just remember your passwords. I cycle through 4 that are alphanumeric, mixed case, special character. Except for 1 which is just alphanumeric. That way if 1 doesn't work, 1 of the other 4 will.
Josiah Hernandez
I honestly don't mind Steam's, but that's mainly because I have a gen 1 Pebble with a broken strap on my desk giving me easily visible phone updates so I can see the codes it sends me without having to pick up my phone and open some gay app.
Liam Murphy
I want to be that hula hoop.
Isaiah Jones
It shows in notifications for both Android and iOS so you don't have to open the app to see guard codes. You do need to open to confirm trades though.