Two factor authentication with Google Authenticator.
A lot of security-conscious users already use Google Authenticator with their Google accounts. It seems like a no-brainer to include in the two-factor authentication options (or at least to use as a backup).
Martin Bachmann commented
Actually, while Google Authenticator and OTP are really a needed feature here (it's a password manager, after all), we should also consider the emerging U2F unified 2 factor auth standard developed by the FIDO alliance. Seems there is finally a standard for 2FA which works great (e.g. with Yubikey and others). See https://www.yubico.com/applications/fido/
Google Authenticator would be a great alternative to the Yubi key. I think you should keep the Yubi key as an option for those that want the ultimate two-factor authentication solution. There is nothing wrong with Google authenticator as a second factor, it is more secure than e-mail as the second authentication.
I would like this so I can use Google Authenticator/Authy. Otherwise, if I plan to use something like one-time passwords via email, there's a possibility that my emails would be compromised, and I will never be able to get my passwords out of them.
Patrick Smalley commented
The YubiKey is great, but has limited site support and costs money. I would never be able to convince my parents to get one and set it up with passpack for example. Google Auth would be a great compromise. It surely has to be better than the email based 2nd factor, even if it is not as strong as YubiKey. Better to have as many people as possible on MultiFactor. For my Google Auth app I use Authy, which requires a passcode to open the app.
I also would like to see Google Authenticator as an option for two-factor authentication.
Chuck Atkins commented
It seems I am the lone dissenting opinion here. Using Google Aauthenticator as the 2fa option for Paspack is quite dangerous. Since Google Authenticator is a software based solution, the 2FA process is quite suceptable to mobile malware. If a phone is hacked and it's screen captured (or think more coordinated with a 3rd person involved) and a malicious 3rd party can see your auth code, they can enter it and lock the account out forever, unrecoverably.
The technological advantge of the YubiKey is that it's impossible for an attacker to know the secret code before it's entered. Even the user doesn't know it; It's automatically generated in hardware, never seen by the user. The only time it can be captured is the split second between the code being generated and the code being sent, which would be present in any 2fa system. All of the "generate a code that I manually type in" methods have a much larger window of oportunity for attack.
Adding my upvote for this feature. Many exchanges use Google Authenticator already.
If there is a security reason not to use it, please let us know!
Even Microsoft now allows Google based authenticator and they have an app in Microsoft app store as well. Please allow 2FA using Google based authenticator
Ralph Finch commented
I'd like this. Yubikey won't work with iOS devices.
Using Google Authenticator with dropbox already. Would be great to allow 2-factor authentication with Google Authenticator as an alternative to yubi key.
Any one of the following: Google Authenticator, Symantec's VIP Access (second factor generated on a mobile phone app) or SMS verification would all be a big improvement as the second factor! I like that Passpack offers the Yubikey, but I don't want more hardware to manage.
It is better to replace the packing key with SMS verification. Less things to remember for the user.
Spencer McIntyre commented
Seconded, this would be a fantastic feature.
It would be great to have Google Authenticator App for 2-factor-authentication of passpack. Google Authenticator App works e.g. with Dropbox or Synology DSM logins. It would help to replace yubikey and having only one tool :-)
Suggesting to use google authenticator as a cheap replacement for yubikey.
In my eyes this is already possible. If you only use your Google-Account with two factor authentication to login using unsafe computers. This way a key/screen-logger could not aquire all necessary information to login at your passpack-account.
Or do you suggest to add the possiblity to use the google Authenticator App as a cheap replacement for a yubikey?