My suggestion for Passpack is ...

Two factor authentication with Google Authenticator.

A lot of security-conscious users already use Google Authenticator with their Google accounts. It seems like a no-brainer to include in the two-factor authentication options (or at least to use as a backup).

192 votes
Vote
Sign in
Check!
(thinking…)
Reset
or sign in with
  • facebook
  • google
    Password icon
    I agree to the terms of service
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    Dan LoewenherzDan Loewenherz shared this idea  ·   ·  Admin →

    13 comments

    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      I agree to the terms of service
      Signed in as (Sign out)
      Submitting...
      • ChrisChris commented  · 

        The YubiKey is great, but has limited site support and costs money. I would never be able to convince my parents to get one and set it up with passpack for example. Google Auth would be a great compromise. It surely has to be better than the email based 2nd factor, even if it is not as strong as YubiKey. Better to have as many people as possible on MultiFactor. For my Google Auth app I use Authy, which requires a passcode to open the app.

      • storeboystoreboy commented  · 

        I also would like to see Google Authenticator as an option for two-factor authentication.

      • Chuck AtkinsChuck Atkins commented  · 

        It seems I am the lone dissenting opinion here. Using Google Aauthenticator as the 2fa option for Paspack is quite dangerous. Since Google Authenticator is a software based solution, the 2FA process is quite suceptable to mobile malware. If a phone is hacked and it's screen captured (or think more coordinated with a 3rd person involved) and a malicious 3rd party can see your auth code, they can enter it and lock the account out forever, unrecoverably.

        The technological advantge of the YubiKey is that it's impossible for an attacker to know the secret code before it's entered. Even the user doesn't know it; It's automatically generated in hardware, never seen by the user. The only time it can be captured is the split second between the code being generated and the code being sent, which would be present in any 2fa system. All of the "generate a code that I manually type in" methods have a much larger window of oportunity for attack.

      • ChuckChuck commented  · 

        Adding my upvote for this feature. Many exchanges use Google Authenticator already.

        If there is a security reason not to use it, please let us know!

      • VimalVimal commented  · 

        Even Microsoft now allows Google based authenticator and they have an app in Microsoft app store as well. Please allow 2FA using Google based authenticator

      • Ralph FinchRalph Finch commented  · 

        I'd like this. Yubikey won't work with iOS devices.

      • dasheddotdasheddot commented  · 

        Using Google Authenticator with dropbox already. Would be great to allow 2-factor authentication with Google Authenticator as an alternative to yubi key.

      • DulaniDulani commented  · 

        Any one of the following: Google Authenticator, Symantec's VIP Access (second factor generated on a mobile phone app) or SMS verification would all be a big improvement as the second factor! I like that Passpack offers the Yubikey, but I don't want more hardware to manage.

      • BINITBINIT commented  · 

        It is better to replace the packing key with SMS verification. Less things to remember for the user.

      • Anonymous commented  · 

        It would be great to have Google Authenticator App for 2-factor-authentication of passpack. Google Authenticator App works e.g. with Dropbox or Synology DSM logins. It would help to replace yubikey and having only one tool :-)

      • VimalVimal commented  · 

        Suggesting to use google authenticator as a cheap replacement for yubikey.

      • RafaelRafael commented  · 

        In my eyes this is already possible. If you only use your Google-Account with two factor authentication to login using unsafe computers. This way a key/screen-logger could not aquire all necessary information to login at your passpack-account.
        Or do you suggest to add the possiblity to use the google Authenticator App as a cheap replacement for a yubikey?

      Feedback and Knowledge Base