Note that this is not a new service, but the discount percentage has been increased:
“Previously, we gave a 2% discount, which was probably only significant for high volume senders. 10% makes it significant for everybody.”
However, I'm still not doing it – too much hassle. Instead, I just have 1Password create unique passwords for each service I use and change the passwords once in a while.
That said: I'm a satisfied MailChimp customer and I really appreciate that they continue to improve their service.
The cyclical password change for my dozens of accounts would be a constant pain. Some of these accounts also need to be used on mobile devices where 1Password doesn't auto-fill (i.e., iPad). Add to that sharing certain of these accounts with spouse/family and you have serious friction to constant credential updates.
LastPass for iOS will do autofill if you browse through their app. It's not the best UX, but it's nice for when you just need to check something and aren't doing a lot of heavy browsing.
My company uses LastPass to share passwords. Any password that is saved to the 'shared accounts' folder is automatically shared with everyone on the team.
MailChimp founder here. Here's a little back story to Alter Ego, since it does tend to confuse people. There was a time, not long ago, when email providers were under attack and suffering from some major breaches (http://www.cauce.org/2011/04/epsilon-interactive-breach-the-...). It's hard to describe the feeling of helplessness when you watch industry peers get systematically attacked like that. We wanted to do whatever we could to prevent that by providing 2FA protection to our customers. We researched RSA and other solutions. It seemed way too costly to ship key fobs to millions of users (our larger users could afford it, but not our vast majority of small business users, who are the ones who need the most help w/security). Still, we ordered the RSA hardware and fobs to try it out. While the equipment was all en route, RSA was breached (http://blogs.rsa.com/anatomy-of-an-attack/). To be safe, they told us we had to wait for new hardware to be re-issued. There's that feeling of helplessness again. We decided not to wait, and to just roll our own 2F app because we could make it free and easier than most (2 critical requirements for our SMB user base).
It's important to note that Google Authenticator wasn't yet open for integration (trust me--we badly wished for it). There were only rumors that they might open it up, and frankly, we couldn't wait for them to decide. Now we all know that it's been opened up, which is nice. And fwiw, in the next couple days we'll be announcing support in Alter Ego for Google Authenticator and Yubi Key pass-through.
Someone mentioned Duo. That's an impressive app. We didn't know it existed until after we launched AlterEgo (their CEO introduced himself in the comments when we launched AlterEgo). I was blown away by what a thorough app it was. Still, it wasn't "free enough" for our users (Gasp! How dare they charge money?!?). Remember, we wanted maximum usage, so it was important to make a free app. We could theoretically and happily do a pass-through integration for Duo users too.
Someone mentioned the uncertainty of relying on a Google service, considering Google's recent "spring cleaning" of Google Reader. Roughly around the time we launched AlterEgo, I don't remember all that much spring cleaning going on at Google, so I can't say we had concerns they'd kill their 2FA service. I vaguely recall them deprecating the Google Translate API (which we heavily relied on) and I vividly remember them sending us a ginormous bill for using their Maps API. Larry Page hadn't yet made his "more wood behind fewer arrows" statement, but the writing was on the wall that we can't all just feast off of Google's generosity and altruism forever. So at that time, I think we were more concerned about Google eventually charging us for the service (God forbid, right?). If we had even tens of thousands of users activating, that would be a bit expensive.
I was a lead engineer at one of the larger email service providers when that attack started. I wasn't at Epsilon, but I did have all my projects put on the backburner and replaced by two-factor auth, fraud detection etc. That incident helped shape my career (even if it has thrown it totally off track). It is awful to immediately face the full brunt of spear phishing attacks on your business. It suddenly makes you value those security and IT practices that are easy to set aside in the name of moving forward with the product. I didn't have nearly your level of commitment to the company, but I cared about it and didn't want to see the reputation we had worked so hard to gain disappear in a public incident.
Happy to hear MailChimp is investing in data protection. You can bet I'll be enabling it. Keep up the great work.
For the record, Google Authenticator has always been open source and is based on open HOTP and TOTP standards. You could always add arbitrary accounts to the mobile app using the key URI format:
https://code.google.com/p/google-authenticator/wiki/KeyUriFo...
> Someone mentioned the uncertainty of relying on a Google service, considering Google's recent "spring cleaning" of Google Reader.
Google Authenticator is not a service that Google can even shut down. It's an open-source implementation of open standard protocols.
You install a library + few tens lines of code on your server, and users install the app on their phone. After this, no Google server or service is ever touched in the authentication process.
Even if Google decides to pull the app from the store, it's open source: you can build it from source and put a copy up yourself.
Lead engineer at MailChimp here. Funny you should mention it, but tomorrow we're going to be launching Google Authenticator and YubiKey integrations with AlterEgo so you can use those as you like. We're also working on a Duo integration, but no ETA there.
There's a page[1] describing why they created AlterEgo.
They basically claim everything else was too difficult for people to use - which is funny considering the other companies[2] using Google Authenticator. They also call it "1.5-factor authentication", which is kind of unsettling.
AlterEgo is a closed-source online-only service provided by MailChimp, while Google Authenticator is an offline, open-source, standards-based, two-factor security solution that anyone can implement on a wide range of platforms. You'd have to want less compatibility, less reliability and less security to use AlterEgo.
It's funny they say that, because Google Authenticator's git repo has commits going back to 2010, and AlterEgo was launched in 2011. Could be a coincidence though.
Edit: Nope. Just confirmed Google Authenticator was released in February 2011 [1], and AlterEgo was released May 2011 [2].
GA is just the better known implementation of OATH/TOTP. There are independent third-party implementations; I use a J2ME one, which works fine even with Google's own webapps.
If you follow that rationale you're going to enter a spiral of reinventing wheels ad infinitum.
Just make sure that whatever you rely on can be substituted for another system and you're good to go. You depend on that service but on the off chance that it's discontinued your business is not at risk.
The idea of rewarding customers who behave in a responsible way is very interesting. I'm tempted to see if we can offer discounts to users who use a password with high entropy. Do any other SaaS or ecommerce sites do anything like this? I recall one site adding an "IE tax" (rather than offering a Firefox / Chrome discount). Trying to think if there's any other metrics that could be used to apply discounts.
How important is a high entropy password for web services that properly encode passwords and limit brute force attempts? It's my understanding that the biggest issue is stolen passwords or captured login cookies that cause the most problems.
Not that common for me. I know several users who have 1 simple & 1 complicated password that's used depending on the site's requirements. Those two passwords are used repeatedly.