
ubuntu-phone team mailing list archive

Re: Ubuntu One SSO Password and App purchases


On Monday, 1 September 2014 at 19:20:01 ART, Natalia wrote:
On Mon, Sep 1, 2014 at 6:12 PM, Loïc Minier <loic.minier@xxxxxxxxxx> wrote:
Or could we avoid/strengthen tokens when we can confirm that you're indeed
on a phone that we know of? e.g. sending a text message to confirm that it's
a phone number you've added to your SSO account from the web (e.g. to
recover your lost password).

As far as I know, we're not planning on supporting SMS sending in any
way, though it could be useful to use some sort of phone-specific
piece of info to decide whether a token refresh via password is needed
or not. But of course this does not help at all with the case "my
child played with my phone and spent zillions of dollars" (see below).

Is this a problem that is limited to a phone/mobile? I'd say, don't lend your phone or leave it to the client side to be able to set safe mode. Not only my child can go crazy with accidental purchases. At most, I should be able to cancel these purchases, right?

On Mon, Sep 1, 2014 at 8:39 PM, Martin Albisetti
<martin.albisetti@xxxxxxxxxxxxx> wrote:
Leaving aside 2FA as the answer, as it's clearly not widely adopted
(for its complexity?), what can we do to make this a bit better in our
platform?
Can we confirm purchases and other tasks that are frequently used
somehow differently than with the account password, and encourage ...

A simple option (especially in terms of implementation effort) would be
to expose a setting in one of our services (pay for this concrete
feature) to let the user choose whether payments require confirmation
or not. When doing purchases on the phone that require re-entering
the password, the UI could display a message such as (marketing-like
input super needed):

"Want to enable automatic payments? Please choose so <here-link>"

and that would take the user to our web service in an embedded browser.

Can't you just make this a client problem? A lockdown mode perhaps? My make-believe child can also make calls to the entire world, and on unlimited plans that can be expensive; that's just one example. It might be easier to set barring client-side to provide a consistent expectation on expenses.