[with the current system] A scammer simply clicks the "I forgot my password" link on HA and changes your password. Access to dashboard granted!
You're right. The current system needs to be improved so there is some second point of confirmation -
Like if HomeAway were to send a text message with a code to the phone number in your profile and you had to type that code in to the password reset screen before it would send you a new password. Unless someone also steals your phone, they wouldn't be able to get or reset your HomeAway password to get in.
Hello! (as they say when the lights come on) - this is a likely way that scammers have taken over any hacked accounts by resetting owner passwords. I'm so surprised that HA didn't already have more verification steps in place in order to change a password.
As to your proposed solution, those who do not use text messages or who travel out of area/country and do not always have phone access, this verification step would not work for them. They could always ask the additional security questions (with answers not visible anywhere to scammers to find/change), mother's maiden name, best friend's name, etc.
You're right - an SMS / text message cannot be the only way to provide the second form of verification - whether for resetting a password or any sort of regular logon either.
Even for people in the US, it's unreasonable to expect people to always have their phone with them, that it always has a charge, or even that they have enough credits to receive a text message. Thankfully (I say sarcastically) all the cellular carriers are going to be pushing us to unified data plans that combine internet volume and text message volume into one bill.
Sending text messages to overseas carriers would cost HomeAway an arm and two legs, so I have to imagine that they have some other validation method in mind.
The overview of 2-factor / 2-step authentication on Wikipedia is pretty inclusive: http://en.wikipedia.org/wiki/Two-factor_authentication
One of the things it says is that challenge questions are typically not considered a strong enough way to confirm someone's identity. At the very least, they'd have to use questions more unique than just the old "mother's maiden name" question.
The Wikipedia article points out that using phones for authentication is relatively new. So, HomeAway could send homeowners traditional RSA SecurID tokens (similar to what swlinph described earlier). Or they could send out USB tokens. Either would work, but would entail a cost to purchase, send, and replace when lost.
My guess is that they will offer a soft token solution of some sort. Cheap to license, easy to distribute, can be quickly enabled or disabled, and generally easier for the end user to make use of. I'd be pushing for that if I were their accountant or support manager.
Anyone here work for a company that does two-factor authentication for remote access by VPN? Care to share how they validate that you are really you?
VPN connections, RSA SecurID tokens, softtokens, USB tokens, 2-factor/2-step authentication, text messages to a cellular? I think it's time to learn a new internet word... are you sure you guys aren't just trolling here?
These can't be serious suggestions. If so, then I think it's clear you're not listening to those of us who are serious about proposing a viable and realistic solution as well as aiming for simplification of the process.
No disrespect intended but I feel like someone has suggested that the Ambassadors propose outlandish solutions so that when HA rolls out their final solution we'll all sit back and say: "Phew, it could have been worse! I could have had to carry an RSA SecurID token with me wherever I went. Aren't we lucky we only have to log on to HA six times a day to reply to our inquiries."
Nope, not trolling - just trying to think through logical ways to cover the extremes. No one has even come close to suggesting that a physical token would be a requirement for everyone - but it might be a fall-back solution for the few that cannot make use of a simpler method of validation.
"....... Aren't we lucky we only have to log on to HA six times a day to reply to our inquiries."
I don't understand. Do you log in and out of your email 6 times a day, or do you just keep it open all day long? I keep mine open all day. I also keep my HomeAway open all day. As long as no-one can physically take over my physical PC, it's safe to leave open.
Is the issue that some people only have access at public / shared PCs? I'd say that they're a small minority these days, but wouldn't they have to log in and out of their email account to check and respond to inquiries just the same as if they did their communication through a dashboard application? Same number of log ins / log outs either way. Seems like a red herring to me, but maybe I'm missing something.
I never log out of email. Ever.
I always log out of any Web Site and clear cookies regularly (as should anyone who is concerned about phishing or theft of identity).
In the course of a day, I will use three different computers (home, work and portable), one tablet and one smart phone. All devices lock tight after several minutes of inactivity.
All devices are permanently logged into email but actual device access is controlled by strong passwords and aggressive timeouts. I am always on the go and continually swapping devices depending where I am or what I am doing. I work in high tech and security is paramount. I use RSA softtoken and VPN to log on and test the largest routers in the world using these same devices... I cannot stay logged in to HA.
My situation will not be unique. Most people these days have multiple devices with always-on email.
The proposed system will often mean an 8-hr delay until I get home after work before I can log on and reply to my inquiries (where now I simply hit reply and it's done within a few minutes). I am busy enough during the day that 5 minutes I can barely spare but 10 minutes is a no-go and I'll need to do it later.
For some of us, this proposal could kill our businesses.
@ Info -
Do you consider your email safe enough to not ever exit because it is a native app, not a browser based interface?
I won't question your logic of logging out of web sites even when you consider your device to be secure. Those are policies you've set for yourself, and in your security circles consider it a necessary step. There are those who differ with you, but it's a sideroad we don't need to travel in this conversation.
The one thing I noticed is that the smart phone is a constant throughout your day.
What if you were able to access your inquiries from a native iOS or Android app (not browser) without constant log in? Just like with your native email client, the device itself, and the security on the device, is all the authentication needed. So just like your email, it could remain open, albeit behind your device's security measures.
With constant, easy access from your secure smart phone, you would be able to see all the new guests' inquiry contact info and email it to yourself. You could then use your native email client, on whatever device met your fancy at the time, to communicate with the client. This of course assumes we can convince HomeAway to display the guest contact info from within their secure environment. Could this work for you?
I sincerely think your case is unique. And if HomeAway makes changes that require us to gather initial guest info through a special gateway, it may add additional steps for you. But, I believe the vast majority of homeowners access their guest communications from one or at best 2 different, yet secure locations through the day. And the promise of being able to do all their business via a smart phone app would be a new, easier option altogether for most. Although tempted, I won't repeat the old Spock quote....
No. Smartphone is unacceptable for running a business with often long emails. Yes, logging off is more secure despite device being physically secure (and is good security habit to get into for all logins). No, iOS and Android apps will not help (I don't have either one and I'm sure others also don't). There is no way my situation is unique. I REQUIRE consistency and efficiency in running my business. Period. Any extra steps imposed by HA will prompt me to seek another solution.
If I speak only for myself, then they can just ignore me. But I think HA ignores this feedback at their peril.
I've made my position clear and suggested alternatives. I think I'm done here.
Is this where we are headed?
NEW YORK (AP) — In yet another change that upset users, Facebook has replaced the email addresses users chose to display on their profile pages with (at)facebook.com addresses.
The changes raised users’ suspicions. By hiding other email addresses Facebook can keep its already-captive audience even more captive. Sending an email to a Facebook.com address will land the email in the messages section of a user’s Facebook profile. The more people use Facebook to communicate, the more the company can target ads based on the conversations they have on its platform – just as Google targets ads to Gmail users based on text in their emails.
"It's pretty emblematic of Facebook's mode of operation. Take action and apologize later," said Debra Aho Williamson, an analyst at research firm eMarketer. "They seem like they pulled the trigger without telling everybody. It's going back to the way they were operating a few years ago."
Not sure how you ended up in the mud! Not sure how this is "drama". Examples of what happens to others might help open the eyes of some. Who is to decide what is drama and what is not? Who is to decide what we should or shouldn't say at all?
To me it is another example of how companies make decisions that "they" think are the best for their customers. Sometimes they get away with it and sometimes not! Sometimes decisions are made that are best for the company but not always best for all the customers! It is a risk they take!
One more time. How about a simple statement of the business problem they (HA) perceive exists and a simple statement of their proposed solution. I still don't think it is clear what is the risk and what is our reward.
For me, don't make it take me any longer to respond to my guests and don't capture any private information that is exchanged between me and my guests.
I agree! My reviews (for 4 properties) have already become almost non-existent since guests are now required to set up a Travelers Account. For the guests that have responded to my query as to why they didn't provide a review...each and every one of them has stated that they do not want to sign-up!!!
I have notified HA of these replies numerous times. They just say that they are keeping track of how the requirement affects reviews.
They won't ever change it back! We can only hope that they will hold off implementing it on VRBO. I list on both so I send my HA guests to my VRBO listing to enter a review. It has helped some but still a lot of trouble for the guests.
We will probably get in trouble from one of the ambassadors for getting off topic! Put your hand out and get ready to be slapped! I don't think it is off topic to discuss the way HA does business. They decide what is best for them and implement it. What they think is best for them is to capture as much data from our guests and the owners as possible. They might lose a few owners but that is insignificant to them. Only time will tell how it works out for them.