Sony Finally Enables Two Factor Authentication

HardOCP News

It's about damn time Sony enabled two factor authentication for the PlayStation Network. I would say "better late than never" but damn man, how many years did this take?

Years after a catastrophic data breach brought Sony's PlayStation Network to its knees, the company has finally implemented two-factor authentication to limit the risk of such a disaster happening again. PlayStation and PSP owners who have signed up to the network can now enable two-factor authentication on their accounts.
 
So this two-factor security scheme, I assume the first factor is a password, what is the second authentication factor they have implemented?
 
Two-factor authentication is not a magic bullet. This is nice, but it shouldn't be the end.
 
So this two-factor security scheme, I assume the first factor is a password, what is the second authentication factor they have implemented?

They've added an SMS check, along with a unique password that's only used when you use a new Sony device with your PSN account for the first time. I think that's a pretty cool idea. Once it's been used once, you can log in with your usual PSN password.
 
None of these are actually a different authentication factor, they are essentially all versions of the "Something you know" type. I suppose it's better than a single password alone, but it isn't nearly as strong as certificate authentication, biometrics, and security tokens via smart card. Like I say, it is an improvement.
 
I just had my account compromised Tuesday. Perfect timing......
 
I hate password + SMS 2FA due to not always having my cell phone on me at all hours of the day. It's really nice when a service or site utilizes apps like Authy & Google Authenticator. I won't be using this option due to crappy implementation thanks to Sony's ineptitude.
 
I hate password + SMS 2FA due to not always having my cell phone on me at all hours of the day. It's really nice when a service or site utilizes apps like Authy & Google Authenticator. I won't be using this option due to crappy implementation thanks to Sony's ineptitude.

You can stay logged into your own devices, so no need to always have your cell phone with you.
 
None of these are actually a different authentication factor, they are essentially all versions of the "Something you know" type. I suppose it's better than a single password alone, but it isn't nearly as strong as certificate authentication, biometrics, and security tokens via smart card. Like I say, it is an improvement.

That's what I thought at first. But they do consider 'Something you have' to include a device that returns a code when issued a command by a server. Something the PSN server does when it sends the SMS message to the specified cell phone. But that is considered a less optimal 'something you have' solution compared to a dedicated smart key that generates its own key code without a server prompt. Especially in light of the recent reports on how easy it is becoming to hack into the SMS network.

I don't have a PSN account but do they require email address as account ID like so many sites do? If so, that is a violation of basic security 101. Account IDs are supposed to be as secret as passwords.
 
Now some Sony exec will suggest laying off all their IT staff now that "things are secure." He'll get a huge bonus. Then PSN will go down for another three months.
 