
Imposed passwords aren't the only solution. Something like Google Authenticator is an alternative. Or key fobs. Or send a confirmation code to their phone. Or something like Barclays' PINsentry [1] for cards where you need the gadget, the card and the PIN. Or face recognition, which I recently saw demonstrated (it includes liveness checks like asking you to blink).

[1] http://www.barclays.co.uk/Helpsupport/UpgradetoPINsentry/P12...



Authenticator is great, but then you get the arsehole effect - every arsehole company decision maker wants you to only use their authenticator. So, I made an account on MS recently and can't use GA because "fuck you user, we won't stop until we own every facet of your digital existence" or something. That shows you where such companies rank security.

[FWIW I expect the reverse situation is probably the same, this is just my anecdotal experience].


Assuming MS means Microsoft then you are incorrect. You can use Google Authenticator just fine with Microsoft accounts (because I'm doing it.)


Then I apologise, it must be an information 'hiding' issue then because they clearly flagged installing their own Authenticator and I was completely ignorant of the use of GA; GA must be the most popular authenticator? Does this all mean I can use a third-party auth for both MS and Google sites or is it only MS that supports third-party authenticators?


You can use any authenticator. Authy is actually probably the best nowadays.


GA is just an implementation of an open protocol (TOTP). You can't be locked in to GA.



