Regarding Java….. About 99% of all PC’s and Mac’s have Java already installed. SoundPass only uses Java to generate an applet used to automatically create a virtual dynamic token credential, encrypt it, and automatically send it to the authentication server.

IT Examiners are already stating that SoundPass is stronger authentication security than anything else they have seen for online banking. If any attack is made against Java the software that resides only on the authentication server will not function as designed and will therefore not allow access to the online account. Therefore, your online bank account will remain secure along with your hard earned money.

You should review the entire SoundPass design before you conclude that Java is a problem because in this application it is not an issue. If C++ or any other program would have been stronger than Java, we would have used it. When we start to protect Mobile Banking, we will use something other than Java because Java is not used on most phones. Consumers should have the best possible protection available and for our SoundPass design Java was and still is the best.

Mike, doesn’t Soundpass rely on having Java installed on your system? Personally, I could not with a straight face recommend any security solution that depended on Java being installed.

So DropBox is NOT implementing 2-Factor Authentication! Passwords and PIN codes entered by the user are both something the user KNOWS and neither are someting the user HAS. A smartcard or a USB token that automatically send a dynamic encrypted code to the authentication server are something the user HAS. SoundPass software that also automatically sends an encrypted code to the authentication server is something the user HAS.

Therefore, instead of using 2 single factors of Username and Password you will now be using 3 single factors and paying for the phone call. Real-time Keyloggers used in todays malware don’t care how many passwords and codes the user enters as it will copy and steal them all.

Checked – but unfortunately, Google Voice is not available outside the US…

http://productforums.google.com/forum/#!topic/voice/rDKUvIq8Xf8

As for the rest of your reasoning behind not using a GV # as an authenticator…you forgot about the possibility of a herd of wild elephants charging through my office and trampling my computer and cell phone, then stealing my lunch money.

As for the ways losing one password can mean you’ve lost them all, one of the most common ways that passwords get into the wrong hands is via a malware infection. Keyloggers and disk scanners in malware payloads mean that any password typed in or stashed on the disk while infected will be lost. Even for users of smarter tools like encrypted keyrings for passwords are likely to loose the whole thing if infected because at some point while infected they will type in a master password to decrypt the keyring and the malware slurps up that password and the keyring. Password-saving tools on mobile devices are worse, with many of them not even bothering to encrypt their data so if you lose the device, all the passwords can be extracted. In the realm of things a user cannot control, we’ve seen the demonstration of many service providers losing whole poorly-protected databases to attackers, and while I suspect Google is hardened against such a loss better than others, they may not be and if they managed to leak the password to one of your accounts they would stand a strong chance of having leaked the password to all of your accounts with them. And of course there are those simple bits of stupid like using the same password everywhere or using a pattern that makes all passwords easily guessed once one is known.

It’s certainly possible to lose control of a password in a way that does not threaten others, but that is not the most common sorts of compromise these days. Since 2FA exists to protect against password compromise, it doesn’t make a lot of sense to weaken it against common modes of compromise.

The problem with this is that for one, the commenter I was replying to was looking for a way *other than* using a cell phone (his mom doesn’t have one); and two…Google restricts each cell phone to ONE account. While you may be lucky enough to have more than one cell phone, I don’t.

The backup codes sounds good in theory, but I’ve found Google/Gmail’s 2-step identification to be less than perfect. I have to reauthenticate my computers anywhere from every 2 days to every 2 weeks, rather than the “remember me for 30 days” as it’s supposed to work.

As for your comment “If the password to your 2FA-protected account is compromised, there’s a very good chance that ALL of your passwords will be compromised along with it, including the one to GV”, I can’t for the life of me see how one is related to another, unless someone had all the same passwords, stored passwords in the email, etc.

And I’m truly not being a smart ass…I don’t see the connection.

A safer backstop that Google offers for losing your second factor device is to print (NOT save to disk) a set of “backup codes” (http://support.google.com/accounts/bin/answer.py?hl=en&answer=1187538) that you can generate in batches of 10 and use one time each. You can keep the code card wherever you keep other cards you don’t want to lose, and as long as you resist the temptation to carry around a record of what account they are for and what the password to that is, it is harmless to lose them. When you generate a new batch the old ones are disabled.

These are the issues with any 2FA system: losing the ability to authenticate is easier, the whole process is less convenient, and the obvious tricks to mitigate those problems are likely to weaken the independence of the 2 factors.