
encyclic | 7 years ago

Can you indicate more than only yes/no for a measure of how secure the 2FA can be?

Some sites' choice of 2FA implementation is known to be problematic, such as SMS only (easily hijacked), or supporting TOTP and/or HOTP but also requiring you to allow SMS or "security questions", reducing the degree of security.


conorgil145 | 7 years ago

That is a great idea! I am 100% in favor of helping the users understand the security tradeoffs between the 2FA methods.

We definitely have it on the roadmap to update 2FA Notifier to include more educational content. Thanks for the feedback!

I am currently writing a series on 2FA on my site All Things Auth [1] that gets into the details explaining how each method works and exploring the security and usability tradeoffs of each. I want to put together a summary and/or infographic highlighting the main takeaways and hopefully link to something like that from 2FA Notifier.

Currently, we use the data from twofactorauth.org [2] as our main data feed. I definitely encourage you to check out their community on GitHub and propose your idea there too!

[1] https://www.allthingsauth.com/tag/2fa/

[2] https://github.com/2factorauth/twofactorauth

designedbinary | 7 years ago

+1 on the great idea!

(I'm the other half of this team. I tackle the UX/UI parts)

@encyclic, I'm curious about how you typically approach enabling 2FA.

- How do you typically choose which services to enable 2FA for?
- What do you do now if a service doesn't have 2FA OR doesn't have the type of 2FA appropriate for your situation?

As Conorgil145 mentioned, we have this on our roadmap and have some ideas about how to approach this. But understanding how you approach things now will definitely help us to craft a more effective solution.