Documenting the latest changes to dotAccount
dotAccount now supports signing in through the use of authentication codes sent by email. This is especially useful for users who usually have their inboxes open and would rather not have to memorize yet another password - the access to the email address associated with the account is used as the authentication factor.
When faced with the sign in page, users can simply enter their username or email address then press the "email me a code to sign in" link below the password field. An email with a code is sent to their inbox, and users should enter it in the page that comes next.
If the Google Authenticator two-factor auth method is enabled for the account, the user will be prompted for it. If no second authentication method is enabled for the account, or if that method is E-mail (redundant, since the user already proved it has access to its inbox), users are signed in straight away.
This new sign in method does not weaken the account security: if an attacker had access to the user's inbox in the first place, then it could already issue and complete an account recovery request - as is the case with most website accounts.
The password-less sign in simply makes things easier for users who tend to forget their passwords, and who would be going through account recoveries frequently in order to sign in to their accounts. In fact, users can now set a stronger password without fear of not remembering it - as long as they can access their email, they can sign in.
Starting today, all the websites of the TNY network which allow user authentication use dotAccount. If you haven't already, please migrate your tny. account.
Even though dotAccount is not yet supported by all the websites of the TNY network, the tool for migrating tny. accounts to dotAccounts is now available.
By migrating your account, you'll be able to keep using the tny. accounts service until it is shut down, and simultaneously sign in to new services which only support dotAccount, such as Clouttery.
To migrate an account, you only need to enter its credentials. The new dotAccount will be activated automatically.
tny. accounts was our previous single sign on system. It was becoming a bit dated, in terms of looks and security practices.
For a start, the new dotAccount system introduces much awaited improvements like two-factor authentication support and a responsive design.
The previous system had users input their credentials on the websites they were signing in to, and this had some disadvantages:
On the technical side, passwords were hashed using SHA-1 and a salt. This method, while not blatantly insecure, has been demonstrated vulnerable to attack. There are better alternatives available, and the new system makes use of the superior bcrypt algorithm. This ensures that in the event of a database leak, passwords are safe.
In terms of communication between servers, the current system is vastly superior, relying not only on communication encryption but also on single-use and time-limited tokens. Also, less information about users is shared between services in the first place (for example, it is now impossible for a service to know the users' passwords, even if hacked).