TradeKing definitely needs to be added to this list. They should be prominently featured at the top in a security hall of shame for their cartoonish security.
Edit, examples:
No 2 factor authentication
Displaying the answers to your security questions in multiple choice form (with a none of the above option, but usually including your answer).
Requiring your password to be entered with mouse clicks at an on-screen keyboard. Not kidding.
Yes. I am aware, thank you. I was planning to send a pull request to add tradeking if it isn't already there when I get home. I doubt they want a hall of shame pull request -- it seems to be a well structured list.
I worked on an open source CMS called Airship and we decided to include 2FA in our v1.0 release. After a bit of research (mostly to conclusively rule out SMS-based 2FA), I found that it was actually very easy to implement.
I started working on a vendor-agnostic 2FA implementation for PHP projects.
I would argue that Namecheap shouldn't be on that list. They send out a 6 digit code and then immediately tell you what number it begins with, reducing the code to effectively 5 digits. Their continued refusal to support RFC 6238 shows they don't take this seriously in my opinion.
Does it matter whether it's 6 digits or five? Surely any rate limiting is going to make either effectively impossible to brute force before the code expires and a new one is generated.
It's great that this exists. Many typical users are still befuddled by multifactor authentication, and the one thing that helps is practice. Unfortunately, by having all these islands of identity, the frequency of interaction for many of them ends up being low, resulting in users forgetting they enabled MFA and the associated recovery costs.
There have been technologies to try to bridge the identity islands -- social login (which previously created trust issues through OAuth abuse - many resolved, but trust is hard to win back), Mozilla persona and others. But, at the end, the hostility of end user identity is still a problem that needs to be solved in such a way that end users have good authentication choices (no more bad security questions, for example) with good security attributes (low replay, discoverability and guessability, for example) with good usability. Ideally, an end user should be able to choose an identity provider, trust them, and then use that identity provider across multiple services. I know that some companies are working on this, but it still tends to be in islands, rather than an industry group, for example, dedicated to making it work. At this point, a de facto standard may be the best thing.
I've been in meetings with IAM architects at large banks who scoff at social login because they don't want to trust social login security, yet their own end user security is marginal. Some honest conversations need to happen in this space to help move things forward.
Better identity infrastructure for end users will help service providers.
Great points. I love TFA (e.g. Google Authenticator) but I recognize that ~95% of Internet users will never care as long as it is as hard to use as it currently is.
OT: Just in case the web devs read this: you might want to mark up clickable things as clickable (<a>). If you need a datapoint: I'm using Vimium for Chrome.
Also, I think there should be an option to show all of the websites. I don't want to keep clicking to see which websites I use, I just want to browse by scrolling.
Hmmm, what are you seeing that's not clickable? I don't use vimium and I can click on the site name, docs links, and tell-them-to-two-factor-via-twitter.
Whoop. Looks like the tiling system is relying on JavaScript instead of <a> tags for links:
I wish there was a service like this for IPv6. And I mean proper IPv6, and not the bullshit that for example Digital Ocean is peddling: 16 addresses per server my foot.
Also, proper HTTPS and HTTPS-only support. There are still way too many sites that offer HTTP as a valid option.
Why do you want the place that keeps all your money to support an unencrypted, unauthenticated, over-the-air token delivered by an insecure provider over an insecure protocol?
Banks have rules and regulations to adhere to. You'll notice almost all banks have universally the same additional types of security (like the security image/security phrase) and such, because those fit within the industry standards.
Usually they have an Identity & Access Management solution in place to authenticate users. It does more than just the security image & secret phrase. It also uses hundreds of unique identifiers about your browser & OS to rank if you are the same user that usually logs in. If it's too low they can take additional actions like ask you additional challenge questions, flag your account for review, or lock your account.
I see that Charles Schwab is listed as having 2-factor authentication via hardware token, and Citibank is listed as not having it. Both of these are only partially correct. For example, Charles Schwab allows it on their brokerage accounts, but if your company sets up your 401k with them, then it's not supported.
Citibank does support it, but only on their "Gold" accounts.
I wonder about those banking sites... my bank only lists a hardware token. However, that internet bank is 2FA by default, because I need a password and a code card which I possess and which they give out to every user. Not only for login do I need some code from that card, but also for each payment via the internet bank.
If I'm understanding you correctly you're confused why only the hardware column is checked--is that right? That's, unfortunately, a common complaint. The columns _should_ correspond to only the second factor, with an assumption that username/password (a "knowledge" factor) is likely the first factor.
Some backstory on that decision: the site originally had columns for each 2fa company/product you could use; e.g., Google Authenticator, Authy, etc. Listing all the options was not scalable as the number of options grew, so twofactorauth.org went with a more abstract classification based on the second factor interaction. A few examples where that matters:
* If you refuse to use an easily misplaced fob then you might avoid sites that only offer hardware 2fa.
* Not everyone can receive SMS, but maybe they can download an app (software) or reuse their hardware token.
* Some people prefer a voice call, so they might choose a bank that allows for 2fa-over-voice.
Thanks for the reference. For end-users, they claim that their app will work on multiple devices whereas Google Authenticator only works on one. That would be a big advantage - I'm worried about losing my phone even with backup codes in my wallet. Worst case situation is that I'm robbed and have to hand over phone and wallet!
Also, I'm not aware of Google Authenticator being updated. Which makes me concerned that it's not a priority for Google and might be end-of-lifed.
TOTP as an open spec is implemented in Google Authenticator's open source version on GitHub. (It's old, but works great.) I recommend not using proprietary apps or services for security purposes.
Things with backup or sync are risky, they add additional ways your authenticator can be compromised. There's an alternative that's similarly useful, but far more secure. When you add a 2FA code, print the QR code presented by the website and store it somewhere very secure in real world space. You can later scan it with any TOTP app, and it'll add the identical authenticator to another device.
I replaced Google Authenticator with Authy precisely because Google Authenticator doesn't back up correctly. I've found Authy an excellent replacement, and definitely worth the purchase price. Hope that helps.
Google Authenticator is a TOTP client. TOTP is an open spec.
If you use a different client, you can probably find one that will let you back up codes (I'm sure Authy supports TOTP). Also note that all you need for that backup is a "seed", which is a hash. IIRC Google Authenticator uses SQLite to store its data, I bet it's not hard to get the seeds out and back them up manually.
> The TOTP stuff will never be widely used. It's just a total pain to work with.
I'm not sure I agree with that.
Generating a code:
<?php
use ParagonIE\MultiFactor\Vendor\GoogleAuth;
use ParagonIE\MultiFactor\OTP\TOTP;

$seed = random_bytes(20);
/** Then persist $seed into the database for a user **/
$gauth = new GoogleAuth($seed, new TOTP());
header("Content-Type: image/png");
$gauth->makeQRCode();
Validating a code:
<?php
use ParagonIE\MultiFactor\Vendor\GoogleAuth;
use ParagonIE\MultiFactor\OTP\TOTP;

if (\password_verify($_POST['password'], $storedHash)) {
    $seed = $storedSeed; /** Get seed from database for this user **/
    $gauth = new GoogleAuth($seed, new TOTP());
    if ($gauth->validateCode($_POST['2facode'])) {
        // Login successful
    }
}
Then you can just use the 2FA app of your choice (Authy, Google Authenticator, etc.), scan the QR code, and you're good to go.
I have implemented this before. I have it in production right now.
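The comments above make two points worth seeing in code: TOTP is an open spec (RFC 6238 on top of RFC 4226 HOTP), so any client that has the seed produces the same codes, and the only secret worth backing up is that seed, which is exactly what the QR code (an otpauth:// URI) carries. The following is an added example, written in plain Python rather than the PHP library used in the comment above, and is not code from the thread or from Paragon Initiative. It implements HOTP/TOTP from the standard library, checks itself against the RFC 6238 test vector secret ("12345678901234567890", constructed from the RFC, not a real seed), builds and parses the otpauth URI, and verifies codes with a small clock-skew window, a constant-time comparison, and a last-used counter so a code cannot be replayed. The issuer/account names are made up.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, quote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1):
    """Verify a submitted code against the current step and +/- `window` steps.

    Returns the matched counter (the caller must persist it as the new
    last_counter, which makes every code single-use) or None on failure.
    Comparison is constant-time; the rate limiting mentioned elsewhere in the
    thread still belongs in front of this function.
    """
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:      # already consumed, or older than it: reject replays
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def otpauth_uri(issuer: str, account: str, secret: bytes,
                digits: int = 6, step: int = 30) -> str:
    """The text a provisioning QR code encodes; nothing but the base32 seed is secret."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


def secret_from_otpauth_uri(uri: str) -> bytes:
    """Recover the seed from a printed/scanned URI; any TOTP app does the same thing."""
    params = parse_qs(urlparse(uri).query)
    b32 = params["secret"][0]
    padded = b32 + "=" * (-len(b32) % 8)   # apps usually strip base32 padding
    return base64.b32decode(padded, casefold=True)


if __name__ == "__main__":
    # Constructed from the RFC 4226 / RFC 6238 test vectors, not a real seed.
    seed = b"12345678901234567890"
    print(hotp(seed, 0))                     # 755224 (RFC 4226 vector)
    print(totp(seed, 59, digits=8))          # 94287082 (RFC 6238 vector, T=59)
    uri = otpauth_uri("ExampleBank", "alice@example.com", seed)
    print(uri)
    print(secret_from_otpauth_uri(uri) == seed)
    print(verify_totp(seed, "94287082", 59, digits=8))                   # 1
    print(verify_totp(seed, "94287082", 59, last_counter=1, digits=8))   # None (replay)
```

Because the seed round-trips through the URI unchanged, an enrollment QR code printed and stored offline, as a comment above suggests, reproduces the identical authenticator on any RFC 6238 client later. The last_counter check is the part most hand-rolled implementations forget: without it a phished or shoulder-surfed code stays valid for the whole window.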
The fact is people hate typing stuff from their phone into their computer, especially if your phone is not always within reaching distance. If you have to do it with tons of different logins you will be annoyed. As long as you have 1-2 accounts it's fine, but if we really want to roll it out everywhere, we need something better.
People can get used to it. In China, it's very common to require either (i) entry of a 6-digit code sent by SMS or (ii) using a mobile app to scan a QR code, to complete a web site login.
It turns out that (outside of FB employees), Instagram 2FA is only enabled for users with more than 1,000 followers. So, if you don't have more than 1,000 followers, they don't care if your account is hacked.
Are you sure it's rolled out for everyone? I have been trying to find it (web & mobile app) for weeks and can't find it... I know there was a bunch of press about it in February 2016, but I don't see it in the UI.
Those ridiculous "anti-phishing" pics.
TradeKing is the definition of security theatre.
Do not use TradeKing.