instead of making the user remember his password why don't websites just generate a password whenever requested and then send it to the user's phone so he can log in?
it seems like it would be more secure and it would keep people from having to keep track of a bunch of passwords
i guess if the phone was stolen you'd be guaranteed entry to the the site but theres probably some workaround for that.
>>58583598
>i guess if the phone was stolen you'd be guaranteed entry to the the site but theres probably some workaround for that.
Yeah, like maybe if you had a separate secret code phrase set aside, so not only would a thief have to Step 1: have your phone to receive the one-time password but ALSO Step 2: know the secret code. It would make logging in almost like a two-step process, sort of thing.
>>58583598
And them I'm required to have a phone and install each website's very own bloated "secure" app so I can log into their website. No thank you.
>>58583663
>>58583598
>what are security dongles
>>58583673
why would you need an app? they could just text you some sites already do that sort of thing.you hve to do it to install windows now
>>58583598
thats what Yubikey does
>>58583707
Because then they can get more money off of you. Sure they could text you but that doesn't mean they would. Instead you'd have to install their ad-ridden app to code your code to log in. Steam already does that, a lot of other sites as well.
>>58583683
Whoosh
>>58583732
to get your code*
>>58583732
the only site i know of that does this is my bank, and its actually a nice app and only necessary if i'm accessing from my phone. in what way does steam do this?
>>58583598
it's called MFA nigger
>>58583754
yeah but this is just one factor. its still just a password but its temporary, generated on the fly, and then shown to the user who enters it.
>>58583663
whoosh
>>58583673
>each website's
Literally every website with 2FA that I've ever used, with the sole exception of Steam, uses a very standardized TOTP algorithm, so one app is enough. Google Authenticator, for example, will handle all your one-time passwords just fine. Authy's another good example. You can also usually just receive one-time codes via SMS if you so choose.
>>58583683
Annoying.
Just do password recovery to your email account and set a random one you won't remember each time, ta-daaaa.
If you're worried about security, just generate and save a pseudorandom integer, append it to your plaintext password, then run it through ECDSA encryption and then use that result as your password on the website
What if we take OP's idea and combine it with fingerprint scanners most phones of today have?
No actual visible code at all, you just scan your finger when prompted and that grants you access.
>>58583978
this is a better idea for sure. but i was under the impression those fingerprint scanners were shit.
>>58583745
The mobile authenticator on Steam is more or less required if you want to trade in the market or sell all those useless trading cards. It's also required sometimes to log in.
>>58583925
So exactly what OP's idea would be?
>send it to the user's phone
I do not want any website to have access to my fucking phone number.
>>58584016
why? phone numbers are just ID's at this point. its like giving them your name
>>58584033
>its like giving them your name
That's what I don't want them to have.
>>58584016
This. Plus you can then be forced to give your password because they'll see your phone.
All the backdoors end exploits to get into phones. Stealing a phone suddenly becomes more enticing.
>>58583598
OP u retarded fuck. nothing is ever secure. no system is fool proof.cool gif tho.
OP you're ucking retarded.
1. Sending passwords using SMS is unsecure as fuck. No encryption. Would you want your bank login to be sent in cleartext in the air with some redhat sniffing for those messages?
2. It's way easier to not be a retard and just remember your passwords. I cycle through 4 that are alphanumeric, mixed case, special character. Except for 1 which is just alpha numeric. That way if 1 doesnt work, 1 of the other 4 will.
>>58583732
I honestly don't mind Steam's, but that's mainly because I have a gen 1 Pebble with a broken strap on my desk giving my easily visible phone updates so I can see the codes it sends me without having to pick up my phone and open some gay app.
>>58583598
I want to be that hula hoop.
>>58584263
It shows in notifications for both Android and iOS so you don't have to open the app to see guard codes. You do need to open to confirm trades though.