ubuntu-phone team mailing list archive

Re: Ubuntu One SSO Password and App purchases

For people not using 2FA because it is too complex, would we be able to
confirm new sensitive tokens over email? e.g. "Type the code you've just
received over email on your phone"

Or could we avoid/strengthen tokens when we can confirm that you're indeed
on a phone that we know of? e.g. sending a text message to confirm that
it's a phone number you've added to your SSO account from the web (e.g. to
recover your lost password).

These are basically the strategies I've witnessed from Steam and from my
bank respectively.



On Mon, Sep 1, 2014 at 8:39 PM, Martin Albisetti <martin.albisetti@xxxxxxxxxxxxx> wrote:

> So, iCloud was hacked somehow. I haven't seen any details as to how,
> but reading about people panicked and confused on twitter led me to a
> tweet[1] that said:
>
> "Of course people pick terrible iCloud passwords. You can't enter a
> good password 50x per week on a mobile device. You'll go carpal."
>
> Which makes perfect sense. We have the same problem, we have a single
> sign on system, which is great for some things, but given the
> introduction of the phone with a touch-screen keyboard and mandatory
> password re-entry on app purchasing as well as new influx of users who
> create their account for the first time on the phone, people will tend
> to pick less secure passwords.
>
> Leaving aside 2FA as the answer, as it's clearly not widely adopted
> (for its complexity?), what can we do to make this a bit better in our
> platform?
> Can we confirm purchases and other tasks that are frequently used
> somehow differently than with the account password, and encourage
> (and/or force) better passwords for the general account?
>
> To try and reduce the scope of the discussion, I'm mostly looking for
> proposals that would be implementable in the short or mid term, rather
> than changes that would require 6 or more months to implement across
> the platform (which we may need to, but I wouldn't want to start off
> that discussion here and now).
>
>
> Any other ideas?
>
>
>
> thanks!
>
>
> [1] https://twitter.com/matthew_d_green/status/506427220546826240
> --
> Martin
>
> --
> Mailing list: https://launchpad.net/~ubuntu-phone
> Post to     : ubuntu-phone@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~ubuntu-phone
> More help   : https://help.launchpad.net/ListHelp
>

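The reply above proposes confirming sensitive actions with a code sent over email, or over SMS to a phone number the user previously added from the web. As an added illustration (not code from the thread, Ubuntu One or Canonical), the following sketch shows the server-side bookkeeping such a scheme needs so that the code is weaker than a password only in length, not in handling: the code is only ever delivered to an address verified out of band, it is stored salted and hashed rather than in the clear, it expires, it is single-use, and guessing is capped by an attempt counter with a constant-time comparison. The class name, policy constants and sample addresses are constructed for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed policy values for this illustration, not Ubuntu One SSO settings.
CODE_LENGTH = 6          # digits; short enough to type on a phone keyboard
CODE_TTL_SECONDS = 600   # code is worthless after ten minutes
MAX_ATTEMPTS = 5         # guessing budget per issued code


class ConfirmationCodeStore:
    """Issues and verifies single-use codes delivered out of band (email or SMS).

    Hypothetical helper for this example; the SSO service described in the
    thread is not this code.
    """

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested deterministically
        self._verified = {}      # account -> set of addresses the user confirmed via the web
        self._pending = {}       # request_id -> record of one outstanding code

    def add_verified_address(self, account, address):
        """Record an email address or phone number already confirmed from the web."""
        self._verified.setdefault(account, set()).add(address)

    @staticmethod
    def _digest(salt, code):
        # Salted hash: a leaked pending table does not reveal live codes.
        return hashlib.sha256(salt + code.encode("utf-8")).digest()

    def issue(self, request_id, account, address):
        """Create a code for one sensitive action (e.g. an app purchase).

        Returns the plaintext code so the caller can deliver it; the store
        keeps only the salted digest.
        """
        if address not in self._verified.get(account, set()):
            raise ValueError("address was never verified for this account")
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        salt = secrets.token_bytes(16)
        self._pending[request_id] = {
            "account": account,
            "salt": salt,
            "digest": self._digest(salt, code),
            "expires_at": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, request_id, account, submitted):
        """Return True once, for the right code within its lifetime and attempt budget."""
        record = self._pending.get(request_id)
        if record is None or record["account"] != account:
            return False
        if self._clock() > record["expires_at"]:
            del self._pending[request_id]          # expired: discard, force re-issue
            return False
        record["attempts"] += 1
        if record["attempts"] > MAX_ATTEMPTS:
            del self._pending[request_id]          # budget exhausted: discard
            return False
        expected = record["digest"]
        actual = self._digest(record["salt"], submitted)
        if not hmac.compare_digest(expected, actual):
            return False                            # wrong guess; attempt counted
        del self._pending[request_id]              # single-use: consume on success
        return True


if __name__ == "__main__":
    store = ConfirmationCodeStore()
    store.add_verified_address("alice", "alice@example.invalid")  # constructed address
    code = store.issue("purchase-42", "alice", "alice@example.invalid")
    print("deliver over email, never log:", code)
    print("verify:", store.verify("purchase-42", "alice", code))
    print("replay:", store.verify("purchase-42", "alice", code))
```

The store is keyed by the request rather than the account so that a code confirms exactly the action it was issued for; the delivery step (sending the email or SMS) is deliberately left outside the class, since the security property rests on the address having been verified through a stronger session earlier, which is the point the reply makes about phone numbers added from the web.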