
ubuntu-phone team mailing list archive

Re: Ubuntu One SSO Password and App purchases

 

On Mon, 2014-09-01 at 15:39 -0300, Martin Albisetti wrote:
> Leaving aside 2FA as the answer, as it's clearly not widely adopted
> (for its complexity?), what can we do to make this a bit better in our
> platform?
> Can we confirm purchases and other tasks that are frequently used
> somehow differently than with the account password, and encourage
> (and/or force) better passwords for the general account?
> 
> To try and reduce the scope of the discussion, I'm mostly looking for
> proposals that would be implementable in the short or mid term, rather
> than changes that would require 6 or more months to implement across
> the platform (which we may need to, but I wouldn't want to start off
> that discussion here and now).
> 
> 
> Any other ideas?

Unfortunately, I'm having trouble thinking of anything that wouldn't
require significant work on the client side, and that doesn't involve
just sending users through a complex process of going to the web site.
Requiring a 2FA code (without logging in, but just using the one-time
passcode as a PIN), or a PIN, will require the user to actually
configure that after registering or logging in, making the process a bit
more complex.



