2 Step vs 2 ID check.....how does TOTP help in either case

three-cushion
Community Member

I am confused. As a 20 year veteran user of Macs I have always been reluctant to jump on new releases.

My understanding of 2-Step REQUIRES a separate Apple (or other vendor) approved device such as an iPhone so that the 2nd step of verification can be "texted" back to clear the 2nd step?..Right?

Not all sites require this...in fact none of my Banking, Wall Street, Healthcare or other mission-critical sites require 2Step. Please give me an example of a site that absolutely requires 2step verify. I have not found one.

However many sites require what I call 2ID Check. After you log in you are required to answer pre-determined info such as "What was your first job?". Or, "what is your Father's middle name"...that is NOT 2step verify. And no other Apple known (or any other vendor known) device is required to get access.

So, for me, where does TOTP fit in? How does it help with 2ID Check?

I am the Sole user of both my iPad (ver 7.1.2) & my iMac (ver 10.8.5)........
So why should I get all excited about a hurry-up move to iOS 8 OR Yosemite? I skipped Mavericks b/c of little perceived value...imagine iBook on a Mac? Why?

I waited on iOS8 b/c of bad Apple releases....
I definitely will wait till Yosemite stops messing with WiFi dropouts. I have spent a 45 year career in computer science being stung over & over when moving to the latest releases of ANY software upgrade!

BUT, I really like 1PW! I can't believe how I ever got along without it! But I don't need any fancy new Login display...the one I have is just great!

So, I'm not all excited about this new stuff. I DO plan to bite the bullet on iOS 8 very soon. If I do that, what added value will I get with the upgraded 1PW that matches iOS 8?

I really need some help here..and your recommendations. Will staying with OS 10.8.5 on iMac and updating iOS 8 give me added value? If so, how?

Regards, Jim B

Comments

  • three-cushion
    Community Member

    Actually, 2ID is better known as Login Verify? I don't recall it having a name. Jim B

  • three-cushion
    Community Member

    I guess "second level of verification" is a better definition of what I call 2ID verify? Jim B

  • Hi @three-cushion,

    Two step authentication is an extra level of protection. Let's say, for example, you were sitting in a coffee shop with your laptop, and someone saw you enter your username and password. Or there was keylogger malware on your computer. Then they could log into your account.

    With TOTP, there is a second "password" you enter that can only be used once. So if you log in with your username, password, and the TOTP, and someone sees you doing it, they can't log in because you already used it. And it also changes every 30 seconds, so if someone saw it displayed on your phone, they couldn't write it down and use it later. The password is generated from a code you scan into your iPhone or iPad when you set up two step authentication with the service (e.g. Dropbox). That code is stored securely in 1Password and is never displayed unless you edit the login item that contains it. Only the TOTP generated from it is displayed.

    I hope that explains it. Feel free to reply if you have further questions.
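
The mechanism described in the reply above, as an added example that is not part of the original thread and is not 1Password's code: a code derived from the scanned secret and the current 30-second window, plus a service-side check that refuses a code it has already accepted. The `Verifier` class, the one-step drift allowance and the sample secret (the RFC 6238 test key) are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # seconds each code stays current
DIGITS = 6     # length of the displayed code

# Constructed sample secret (the RFC 6238 test key, base32-encoded the way
# a setup QR code carries it). Not a real account secret.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """Return the code for the time step containing unix_time (HMAC-SHA1)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Hypothetical service-side check: accepts the current step plus a small
    clock-drift allowance, and refuses any step at or before the last one used."""

    def __init__(self, secret_b32, drift_steps=1):
        self.secret_b32 = secret_b32
        self.drift_steps = drift_steps
        self.last_used_step = -1

    def verify(self, code, unix_time):
        now_step = int(unix_time) // STEP
        for step in range(now_step - self.drift_steps,
                          now_step + self.drift_steps + 1):
            if step <= self.last_used_step:
                continue                            # already spent: replay
            expected = totp(self.secret_b32, step * STEP)
            if hmac.compare_digest(expected, code):
                self.last_used_step = step
                return True
        return False
```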

  • three-cushion
    Community Member

    But...Dropbox does NOT require 2 Step verify!! And, of all the apps, it is one of the most secure. Also, when I am in the coffee shop I can't see when I would use/access Dropbox? Maybe, but not in mundane communications though.
    Have any of you used PayPal? Well it offers a little key-like gadget for $5 that generates 6 digit random numbers. When you login, it offers this as an 'option' & NOT as a requirement. You press the key...add in the number and they simply add it to your initial Password. The # is good for 30 sec. So, an intruder might get the PW. But it will fail on a second try.
    Is this an example of what TOTP is attempting to offer? Yet, again, it is ONLY useful if the Target site utilizes it.....Very Few sites offer this, Right? So, other than a very few instances...what does it give me...a user with ONE device (iPad) and no other device? OK....go get an iPhone.......I get it....
    Jim B
    And thanks very much for the example!

  • three-cushion
    Community Member

    BTW.... I never run my iPad over any Wifi, including my home, without using a VPN!! Now that is a required mode that more users should adopt...IMHO, of course...Jim B

  • three-cushion
    Community Member

    Final note & accolade to 1PW. Several sites I use require the "Second level authentication" for the initial Login.... EG..what town is your mother's birthplace. And many sites ask you to sign up to multiple questions only you know the answer. Well...I use Secure Notes for all my answers... Saves me a lot of hassle remembering them.
    So, thanks for that feature... I've some minor difficulty in editing the notes.. But I'm OK with it.
    Jim B

  • Megan
    1Password Alumni

    Hi Jim ( @three_cushion ),

    Thanks for sharing your thoughts here!

    Well...I use Secure Notes for all my answers... Saves me a lot of hassle remembering them.

    I think I might have an even simpler solution for you. I've been storing these Security Questions inside custom fields. It means that those answers can be concealed behind a 'password' type, and easily copied when necessary. Here's what that looks like in a demo Login:

    Let me know what you think of this suggestion. :)

  • three-cushion
    Community Member

    Great idea....I'll use it

  • danco
    Volunteer Moderator

    And, of course, there is no need to enter correct, or even pronounceable, answers.

    The name of my first pet (it was actually an Altairian spider-dragon) was xQ2+3rv!

  • littlebobbytables
    1Password Alumni

    Looks like you've had a few good answers here @three-cushion. Most sites that are TOTP aware currently make them optional and something you need to turn on e.g. Dropbox. The use of a software based TOTP is one way, the other is like how Apple implemented two factor authentication where you designate trusted devices to send the code to.

    The one small difference to Megan's suggestion in my own setup is I set the field's title to the question rather than using Q & A, although you may find her approach easier for viewing.

This discussion has been closed.