RFC 6238, "TOTP: Time-Based One-Time Password Algorithm", describes how to implement your own Google Authenticator if you wish: http://tools.ietf.org/html/rfc6238
The one thing I'm missing from this thing is to be able to export the data. Migrating from one device to another is painful as it is.
Edit: I was annoyed so long by this missing feature and - never did something myself. My bad.
If you have the same problem (one device paired with a couple of services, you want to migrate the accounts):
'/data/data/com.google.android.apps.authenticator2/databases' contains the sqlite3 file 'databases', which contains a table 'accounts' with your keys (and counter values, if necessary).
A password as secure as my phone is not promising; T-Mobile was recently happy to reset my lost PIN by having me give the last four digits of any phone number I'd dialled in the last 23 hours. I don't really think it's as useful two-factor because the token is only as secure as another company's password system. (Aside from the problems that you have to have a Google Account and a smartphone.)
I looked into this recently when Dreamhost launched google-authenticator instead of two-factor auth. Disappointing.
Someone would need to not only have possession of your phone, but your password as well. So for a hacker to work this:
First, get your password. Second, find your location. Third, steal your phone, which, for most people, is almost always on their person. Finally, crack whatever security mechanism you have on your phone.
For someone to go through all that trouble ... you must be storing some very valuable info. If that's the case, may I suggest that Dropbox is probably not the right platform? In fact, any internet connected platform is probably not the right answer.
No. First, get password. Second, get phone number. Third, pretext to gain control of the account and forward/copy texts, view them via web interface, or replace the phone.
The point isn't the security mechanism, but for consumer products the point is physical location. Without two-factor authentication, a sweat shop in China could hack you (and a thousand others) easily. With two-factor authentication they would need physical proximity to you, so they won't even try.
http://code.google.com/p/google-authenticator/
Their "Such as" example makes it seem they only decided to use 2-factor but haven't chosen an implementation yet.