On 6/10/2014 9:26 AM, Jerry B. Altzman wrote:
> The notion of "I don't have FB, therefore nobody should force FB auth" is
> equivalent to saying "we must absolutely positively backwards support IE6".
> This is 2014, sorry, if you don't want any social media accounts, that's your
> prerogative, but the vast majority of everyone else does.

Likewise I could claim that it is incorrect to conclude that just because you have an FB account everyone else has or should have one, too. Some sites insist on using only FB accounts or publish info only on their FB page that requires an FB account to view. Yes, that is their prerogative, but a pretty dumb move if the point is to get people to use your services. And given the security track record of FB I am not so sure if I'd call that securing anything.


> And offer more options for the second factor. For example, I do not have a
> smartphone (yes, saves a lot of money every month). So unless you can figure
> out how to send an SMS to my landline forget it. In 2014 it should be
> possible to dial my phone and use voice recognition to confirm a pass phrase.
> In fact, Sprint will do text-to-voice if it detects a voiceline (or at least
> it used to). But once again, we shouldn't aim towards supporting IE6 forever.

Landlines and dialup are still the only means of connectivity for many, especially in rural areas. Of course, if that is not part of the target audience then feel free to ignore it...and load up the pages with images and video.
The numbers only slowly go down in favor of satellite or cell service.

> We're also not optimizing the user experience for those using lynx...
> Remember that you are not the world.

Neither are you...my point is that by picking very specific 3rd party services to be used you exclude a good number of folks. Whether that matters is a case-by-case decision.



>> accounts most likely only need complex passwords [based on potential damage
>> of a compromised account...if a site manager can give out refunds and
>> credits for an e-commerce site, obviously you want to add extra security!]
> Yes, for these things, you almost certainly want a second layer of
> authentication atop the ones above. For these, little crypto keyfobs are
> great. If the potential financial loss is large, the client should not balk at
> the relatively small cost.

>> I agree, but in best US fashion the industry miserably fails at agreeing on
>> a standard here. Then again, with any of these fobs you are authenticating
>> the fob, not the person holding the fob. For that you'd need biometrics
>> which is yet another can of worms.
> Indeed: you are assuming that the user has both something-you-know and
> something-you-have. Biometrics isn't foolproof either, vis
> http://bbc.in/1oQshE4 (link is SFW).

Agreed, the gummi bear trick showed that nicely. Which brings me back to the point that if something is so hot that it needs the utmost security, then the public web might not be the place through which it should be accessible.

--David
_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

http://www.nyphp.org/show-participation
