IB Secure Device

Discussion in 'Interactive Brokers' started by IB Salvatore, Mar 29, 2007.

  1. Perhaps for the API users. If you choose to opt out, you are forced to provide an IP range which IB only allows you to connect on. I've been hoping for this feature since I only trade from a single IP address.
     
    #41     Mar 29, 2007
  2. Walter,

    Good point... there are PLENTY of ways to provide a second form of identification. This should not be the only route IB uses. This is going to really complicate things for API users.
     
    #42     Mar 29, 2007
  3. From the sounds of it they are offering a few different devices, up to $150 deposit? Perhaps they are going to offer a hardware dongle or something along those lines.
     
    #43     Mar 29, 2007
  4. This decision is absolutely brilliant.

    While IB could have done something to allow for automated logins (generate a public/private key, have an x509 cert signed, etc), the complexity for the average customer would have been phenomenal.

    Forget about your firewall, anti-virus software, etc. There are hundreds of new vulnerabilities discovered every day. (Security Focus for just one list--look how many new were discovered just today)

    Just last week, a new trojan was discovered that had been in the wild for 6 months. No antivirus software at all caught it. It captured every username, password, account number and shipped it off to a server in Russia to be sold to the highest bidder.

    Security is no longer a dalliance that you can "do without". When seatbelts were first mandated, people argued they "cramped their style". Arguing against strong security is equivalent to arguing against seatbelts.
     
    #44     Mar 29, 2007
  5. I have used the current secure keyfob since they've been offered. They are annoying (tiny buttons!!), and sometimes the places on the website that require their use don't work after you enter the generated password (the website responds with a blank page and nothing else).

    The thing I'm very concerned about is losing the keyfob (or if the house burns down and the keyfob goes with it). IB should offer additional, identical keyfobs as an option. I would keep them in separate locations like I do with car keys.
     
    #45     Mar 29, 2007
  6. I am making NO argument against strong security. Working for a network security company I know all too well the attacks that are out there. I am only making an argument about the way they are implementing it. There are ways to do this without causing problems for API users. Especially for API users who will always be logging in from the same box and same IP address. As far as my manual trading goes, I think this is a great idea and I have no complaints to requiring this to login... My complaint is strictly as it relates to auto trading with the API.
     
    #46     Mar 29, 2007
  7. lxor

    Recording and transmitting screenshots could present another level of difficulty for the hacker, but assuming they can do it, then yes.

    This is why a device/method of password or key distribution/generation totally external to the computer system is the best solution.
     
    #47     Mar 29, 2007
  8. frostengine,

    There is a unique dilemma for API customers. I will see if we can allow the IP restriction in place of the device.
     
    #48     Mar 29, 2007
  9. Since the new secure token will be a requirement, I hope IB takes the opportunity to fix a major annoyance with the current system. Right now, if you use a part of the website that requires the token challenge, you need to enter it. If, in the same session, you go to another area in the website that requires a token challenge, you have to do this again! Very annoying! You should only need to do it once per login.
     
    #49     Mar 29, 2007