Forgot authenticator?
Post by
Exfactor4
You can only have one authenticator per account. I have the keychain version and when I got my droid phone I downloaded the app but sadly am not able to attach both.
Post by
thelaks
You can only have one authenticator per account. I have the keychain version and when I got my droid phone I downloaded the app but sadly am not able to attach both.
Right, you have to remove one to add the other. Or use the new "call me if I do something suspicious" version.
The codes generated are different on the physical device than the phone versions (even different number of digits 6 vs. 8), so there is no way to have a backup version of the physical keychain device. For good reason.
However, there is an open-source desktop version around that implements the Android BMA algorithm. That could be used as a backup.
Post by
292411
This post was from a user who has deleted their account.
Post by
frostely
...making the authentication process completely pointless.
I think you are missing the point of the desktop authenticator. It can be an optional main, alternate or backup for those who decide to use an unlocked device.
The secret key component is encrypted on the desktop or mobile device, making it much more difficult to compromise.
An authenticator is just another layer of security. Whilst the keychain physical device is no doubt the most secure choice, having an iPhone, Android, J2ME or desktop version can all be acceptable security measures.
Post by
292411
This post was from a user who has deleted their account.
Post by
frostely
Thanks for responding. An alternate or backup authenticator is not for everyone, clearly. I think it's worthwhile to discuss potential issues but also clear up some points.
Let me ask you this way then, if I was sitting in front of your computer I would be able to start the desktop authenticator and generate a valid key for your wow account, right? Let's also say that I saw you type your email and wow password earlier, so now I have no problem logging onto your wow account, correct?
My keychain device sits in front of my computer too and you just have to press a button. As you are in my house, you can take it and have complete control of my account. However, you don't know my password to my Windows login, nor my WoW account nor that of my desktop authenticator application.
A hacker doesn't need to sit in front of your computer. Once his/her malware has made its way onto your computer, he/she can watch you type your email and password and he/she can also browse the programs on your computer, start the desktop authenticator you foolishly installed for backup reasons and copy the number it generates.
All tokens are subject to MITM attacks. This applies to everything. However the authenticator's key is encrypted, so having access to files or applications on my machine doesn't help. The number is not copyable, so it is no different than typing a number from a keychain device.
...he/she still doesn't have a way to generate a valid authentication code. If you add a desktop authenticator the hacker can just start that program remotely and get the needed key.
No one can generate codes on a desktop authenticator without decrypting my keyfile by manually entering a password. No one can generate codes from an iPhone Authenticator, because they need to decrypt the built-in Apple keychain. No one can generate codes from a keychain device, because it is stored internally.
It is ultimately true that nothing is as secure as a physically separated device and these are recommended. However, you are trying to say that given access to my machine either physically or remotely that is all you need to be able to compromise my account, and that is simply not true.
Post by
292411
This post was from a user who has deleted their account.