Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Ok, but what is Google offering?

Unless I'm missing something, RFC 4226 sounds like the RSA SecurID system I've worked with before; which is essentially equivalent to Blizzard's system for World of Warcraft.

In which case, my criticism stands. It's trivially more difficult to phish a keycode and the limited window of opportunity is simply a non-issue.[1]

Unless Google is calculating a one-time pad based on the individual login attempt and sending it along a second channel to the registered user, there'll be almost no reduction in phishing.

[1] The tens of seconds a keycode is valid are more than enough to establish a connection.



Which means you phished it once. Which means you need to take drastic actions to exploit it, a slow buildup over time is not an option.

Which in turn means you're more likely to get detected. It's not full protection - you'd still need a second channel for that - but it's better than nothing.


It is certainly better than nothing. I just took issue with the article's repeated insistence that it'd make phishing harder/impossible.

It does many good things. That is not one of them.


For the systems I log in to, each SecurID code is only valid once. If you want to log in again, you need to wait until a new code is available and use it.


See: http://en.wikipedia.org/wiki/HOTP and http://en.wikipedia.org/wiki/Time-based_One-time_Password_Al...

You can download the Google Authenticator app.

These algorithms are known. You can implement it yourself if you wanted to.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: