Two factor authentication with Google Authenticator.
A lot of security-conscious users already use Google Authenticator with their Google accounts. It seems like a no-brainer to include in the two-factor authentication options (or at least to use as a backup).
David Johnson commented
This is an incredibly easy implementation and it is not planned or even under review. It is one of the top requested features without any feedback from passpack.
My guess is that passpack is getting kickbacks from YubiKey and has some kind of deal to exclusively use YubiKey.
For a security oriented company this is disgraceful.
I have a yubikey and I use it, but it is an unreasonable demand from passpack for a little extra profit. Easy two-factor is better than no two-factor.
I am considering alternative password managers because of the lack of alternate and easy to use 2FA. Everyone I know and everyone I recommended passpack to in the past will know exactly why I changed:
Passpack is a security company that seems to put profit ahead of security. Is the exclusive deal with yubikey really worth it?
Anton Derbenev commented
> Using Google Aauthenticator as the 2fa option for Paspack is quite dangerous.
you say it's more "dangerous" than email or no second factor at all?
Chiarng Lin commented
2FA beats having to remember a packing key that is only used on passpack, especially when my only option is to create a new account.
sammy singh commented
I am also looking for this same. DropBox is using google authenticator for their 2FA. passpack should do the same....
Nathan Pond commented
Yes, some additional options for mfa would be welcome, Google Authenticator, mobile app, etc.
Martin Bachmann commented
Actually, while Google Authenticator and OTP are really a needed feature here (it's a password manager, after all), we should also consider the emerging U2F unified 2 factor auth standard developed by the FIDO alliance. Seems there is finally a standard for 2FA which works great (e.g. with Yubikey and others). See https://www.yubico.com/applications/fido/
Google Authenticator would be a great alternative to the Yubi key. I think you should keep the Yubi key as an option for those that want the ultimate two-factor authentication solution. There is nothing wrong with Google authenticator as a second factor, it is more secure than e-mail as the second authentication.
I would like this so I can use Google Authenticator/Authy. Otherwise, if I plan to use something like one-time passwords via email, there's a possibility that my emails would be compromised, and I will never be able to get my passwords out of them.
Patrick Smalley commented
The YubiKey is great, but has limited site support and costs money. I would never be able to convince my parents to get one and set it up with passpack for example. Google Auth would be a great compromise. It surely has to be better than the email based 2nd factor, even if it is not as strong as YubiKey. Better to have as many people as possible on MultiFactor. For my Google Auth app I use Authy, which requires a passcode to open the app.
I also would like to see Google Authenticator as an option for two-factor authentication.
Chuck Atkins commented
It seems I am the lone dissenting opinion here. Using Google Aauthenticator as the 2fa option for Paspack is quite dangerous. Since Google Authenticator is a software based solution, the 2FA process is quite suceptable to mobile malware. If a phone is hacked and it's screen captured (or think more coordinated with a 3rd person involved) and a malicious 3rd party can see your auth code, they can enter it and lock the account out forever, unrecoverably.
The technological advantge of the YubiKey is that it's impossible for an attacker to know the secret code before it's entered. Even the user doesn't know it; It's automatically generated in hardware, never seen by the user. The only time it can be captured is the split second between the code being generated and the code being sent, which would be present in any 2fa system. All of the "generate a code that I manually type in" methods have a much larger window of oportunity for attack.
Adding my upvote for this feature. Many exchanges use Google Authenticator already.
If there is a security reason not to use it, please let us know!
Even Microsoft now allows Google based authenticator and they have an app in Microsoft app store as well. Please allow 2FA using Google based authenticator
Ralph Finch commented
I'd like this. Yubikey won't work with iOS devices.
Using Google Authenticator with dropbox already. Would be great to allow 2-factor authentication with Google Authenticator as an alternative to yubi key.
Any one of the following: Google Authenticator, Symantec's VIP Access (second factor generated on a mobile phone app) or SMS verification would all be a big improvement as the second factor! I like that Passpack offers the Yubikey, but I don't want more hardware to manage.
It is better to replace the packing key with SMS verification. Less things to remember for the user.
Spencer McIntyre commented
Seconded, this would be a fantastic feature.
It would be great to have Google Authenticator App for 2-factor-authentication of passpack. Google Authenticator App works e.g. with Dropbox or Synology DSM logins. It would help to replace yubikey and having only one tool :-)