Two Factor Auth List of Websites (twofactorauth.org)
109 points by Flimm on July 12, 2016 | hide | past | favorite | 64 comments



TradeKing definitely needs to be added to this list. They should be prominently featured at the top in a security hall of shame for their cartoonish security.

Edit, examples:

No 2 factor authentication

Displaying the answers to your security questions in multiple choice form (with a none of the above option, but usually including your answer).

Requiring your password to be entered with mouse clicks at an on-screen keyboard. Not kidding.

Those ridiculous "anti-phishing" pics.

TradeKing is the definition of security theatre.

Do not use TradeKing.


> Displaying the answers to your security questions in multiple choice form (with a none of the above option, but usually including your answer).

Kill it before it lays eggs.

> Requiring your password to be entered with mouse clicks at an on-screen keyboard. Not kidding.

  [x] Bad security
  [x] Bad usability
  (Edit: apparently unicode checkmarks are filtered out on input now)
This is like the personification of a lose-lose interpretation of AviD's rule of usable security.


Please consider sending them a pull request: https://github.com/2factorauth/twofactorauth/pulls


Yes. I am aware, thank you. I was planning to send a pull request to add TradeKing if it isn't already there when I get home. I doubt they want a hall of shame pull request -- it seems to be a well structured list.


I worked on an open source CMS called Airship and we decided to include 2FA in our v1.0 release. After a bit of research (mostly to conclusively rule out SMS-based 2FA), I found that it was actually very easy to implement.

I started working on a vendor-agnostic 2FA implementation for PHP projects.

https://github.com/paragonie/multi_factor

It's far from complete, but hopefully it makes it easier for others to add 2FA to their projects.

If anyone's interested in the open source CMS I mentioned: https://github.com/paragonie/airship



Thanks! I'm not sure why I didn't copy/paste. :)


I would argue that Namecheap shouldn't be on that list. They send out a 6-digit code and then immediately tell you what number it begins with, reducing the code to effectively 5 digits. Their continued refusal to support RFC 6238 shows they don't take this seriously in my opinion.


Does it matter whether it's 6 digits or five? Surely any rate limiting is going to make either effectively impossible to brute force before the code expires and a new one is generated.


Please consider sending them a pull request: https://github.com/2factorauth/twofactorauth/pulls


It's great that this exists. Many typical users are still befuddled by multifactor authentication, and the one thing that helps is practice. Unfortunately, by having all these islands of identity, the frequency of interaction for many of them ends up being low, resulting in users forgetting they enabled MFA and the associated recovery costs.

There have been technologies to try to bridge the identity islands -- social login (which previously created trust issues through OAuth abuse - many resolved, but trust is hard to win back), Mozilla Persona and others. But, at the end, the hostility of end user identity is still a problem that needs to be solved in such a way that end users have good authentication choices (no more bad security questions, for example) with good security attributes (low replay, discoverability and guessability, for example) with good usability. Ideally, an end user should be able to choose an identity provider, trust them, and then use that identity provider across multiple services. I know that some companies are working on this, but it still tends to be in islands, rather than an industry group, for example, dedicated to making it work. At this point, a de facto standard may be the best thing.

I've been in meetings with IAM architects at large banks who scoff at social login because they don't want to trust social login security, yet their own end user security is marginal. Some honest conversations need to happen in this space to help move things forward.

Better identity infrastructure for end users will help service providers.


Great points. I love TFA (e.g. Google Authenticator) but I recognize that ~95% of Internet users will never care as long as it is as hard to use as it currently is.


OT: Just in case webdevs read this: you might want to mark up clickable things as clickable (<a>). If you need a datapoint: I'm using Vimium for Chrome.


I agree with your sentiment, but a minor nitpick: [Stop using anchors as buttons!][1]

An anchor would be good here if clicking the icons also triggered a URL change, but as it stands a button would be semantically most appropriate.

[1]: http://blogs.ancestry.com/techroots/buttons-vs-anchors/


Also, I think there should be an option to show all of the websites. I don't want to keep clicking to see which websites I use, I just want to browse by scrolling.


Does something like https://twofactorauth.org/data.json satisfy? It's not the most usable interface, but it should have all the data.


Hmmm, what are you seeing that's not clickable? I don't use vimium and I can click on the site name, docs links, and tell-them-to-two-factor-via-twitter.

Whoop. Looks like the tiling system is relying on JavaScript instead of <a> tags for links:

```
<div id="communication" class="category column" style="display: block;">
  <h5 class="ui icon header">
    <i class="circular chat icon"></i>
    <small>Communication</small>
  </h5>
</div>
```

The contributors are pretty responsive, so I'd recommend noting the issue: https://github.com/2factorauth/twofactorauth/issues


There's a similar list for U2F (the USB / NFC dongles) support at http://www.dongleauth.info/ - I'm not entirely sure how up to date it is


I wish there was a service like this for IPv6. And I mean proper IPv6, and not the bullshit that for example Digital Ocean is peddling: 16 addresses per server my foot.

Also, proper HTTPS and HTTPS-only support. There are still way too many sites that offer HTTP as a valid option.


I've always wondered why my bank can't offer me 2FA with an SMS code, but Steam or GitHub can?


Why do you want the place that keeps all your money to support an unencrypted, unauthenticated, over-the-air token delivered by an insecure provider over an insecure protocol?


Because it is still better than login + password?


Banks have rules and regulations to adhere to. You'll notice almost all banks have universally the same additional types of security (like the security image/security phrase) and such. Because those fit within the industry standards.


Usually they have an Identity & Access Management solution in place to authenticate users. It does more than just the security image & secret phrase. It also uses hundreds of unique identifiers about your browser & OS to rank if you are the same user that usually logs in. If it's too low they can take additional actions like ask you additional challenge questions, flag your account for review, or lock your account.


I see that Charles Schwab is listed as having 2-factor authentication via hardware token, and Citibank is listed as not having it. Both of these are only partially correct. For example, Charles Schwab allows it on their brokerage accounts, but if your company sets up your 401k with them, then it's not supported.

Citibank does support it, but only on their "Gold" accounts.


I wonder about those banking sites... my bank only lists hardware token. However, that internet bank is by default 2FA, because I need a password and a code card which I possess and which they give out to every user. Not only for login do I need some code from that card, but also for each payment via the internet bank.


If I'm understanding you correctly you're confused why only the hardware column is checked--is that right? That's, unfortunately, a common complaint. The columns _should_ correspond to only the second factor, with an assumption that username/password (a "knowledge" factor) is likely the first factor.

Some backstory on that decision: the site originally had columns for each 2fa company/product you could use; e.g., Google Authenticator, Authy, etc. Listing all the options was not scalable as the number of options grew, so twofactorauth.org went with a more abstract classification based on the second factor interaction. A few examples where that matters:

* If you refuse to use an easily misplaced fob then you might avoid sites that only offer hardware 2fa.
* Not everyone can receive SMS, but maybe they can download an app (software) or reuse their hardware token.
* Some people prefer a voice call, so they might choose a bank that allows for 2fa-over-voice.

Hope this helps.


If you use Rails and want to integrate two factor auth into Devise, we built a gem / devise strategy for that: https://github.com/tinfoil/devise-two-factor


2FA is trivial to add.

https://www.authy.com/

Just do it.


Thanks for the reference. For end-users, they claim that their app will work on multiple devices whereas Google Authenticator only works on one. That would be a big advantage - I'm worried about losing my phone even with backup codes in my wallet. Worst case situation is that I'm robbed and have to hand over phone and wallet!

Also, I'm not aware of Google Authenticator being updated. Which makes me concerned that it's not a priority for Google and might be end-of-lifed.


TOTP as an open spec is implemented in Google Authenticator's open source version on GitHub. (It's old, but works great.) I recommend not using proprietary apps or services for security purposes.

Things with backup or sync are risky, they add additional ways your authenticator can be compromised. There's an alternative that's similarly useful, but far more secure. When you add a 2FA code, print the QR code presented by the website and store it somewhere very secure in real world space. You can later scan it with any TOTP app, and it'll add the identical authenticator to another device.


I replaced Google Authenticator with Authy precisely because Google Authenticator doesn't back up correctly. I've found Authy an excellent replacement, and definitely worth the purchase price. Hope that helps.


Google Authenticator is a TOTP client. TOTP is an open spec.

If you use a different client, you can probably find one that will let you back up codes (I'm sure Authy supports TOTP). Also note that all you need for that backup is a "seed", which is a hash. IIRC Google Authenticator uses SQLite to store its data, I bet it's not hard to get the seeds out and back them up manually.


I wrote a program to extract the seeds out of the SQLite database and back into QR codes for easy transfer. You are right, it wasn't that hard: https://github.com/solarkennedy/tfa_auth_dump


Do you need to root your phone in order to extract the SQLite database?


Neat!


Shameless plug: I've been running a 2FA service since 2011 now called GAuthify (https://www.gauthify.com/) that makes it pretty trivial as well!


Sticky table headers would be useful.


Some interesting things:

1. Banks and finance sites do not implement 2FA enough.

2. All crypto sites have 2FA.

3. No airline website has 2FA.


The TOTP stuff will never be widely used. It's just a total pain to work with. SMS is also very suboptimal.

I have more hope for U2F as second factors go. That is at least easy to work with once you have bought the token. I find it a joy to use.


> The TOTP stuff will never be widely used. It's just a total pain to work with.

I'm not sure I agree with that.

Generating a code:

  <?php
  use ParagonIE\MultiFactor\Vendor\GoogleAuth;
  use ParagonIE\MultiFactor\OTP\TOTP;
  
  // 160-bit random seed; persist it for this user before showing the QR code
  $seed = random_bytes(20);
  
  $gauth = new GoogleAuth($seed, new TOTP());
  header("Content-Type: image/png");
  $gauth->makeQRCode();

Validating a code:

  <?php
  use ParagonIE\MultiFactor\Vendor\GoogleAuth;
  use ParagonIE\MultiFactor\OTP\TOTP;
  
  if (\password_verify($_POST['password'], $storedHash)) {
      // Placeholder helper: load the seed persisted for this user at enrollment
      $seed = loadSeedForUser($userId);
      $gauth = new GoogleAuth($seed, new TOTP());
      if ($gauth->validateCode($_POST['2facode'])) {
          // Login successful
      }
  }

Then you can just use the 2FA app of your choice (Authy, Google Authenticator, etc.), scan the QR code, and you're good to go.


I have implemented this before. I have it in production right now.

The fact is people hate typing stuff from their phone into their computer. Especially if your phone is not always within reaching distance. If you have to do it with tons of different logins you will be annoyed. As long as you have 1-2 accounts it's fine, but if we really want to roll it out everywhere, we need something better.


People can get used to it. In China, it's very common to require either (i) entry of a 6-digit code sent by SMS or (ii) using a mobile app to scan a QR code, to complete a web site login.

Neither of these things is a barrier.


What are your thoughts about SQRL?


I don't know enough about it. I have stumbled on it before, but I need to get into it.


I think this really should also list which sites will let you download a series of tokens to use in case of mobile phone loss.

I recently forgot my phone at university and realized that I was potentially locked out of many websites.


Still waiting on Amazon UK to enable two-factor authentication.


Log in on amazon.com and enable 2FA there. Now 2FA is also active on Amazon UK, and the option also appears in the settings.

stupid but works


Ah. I didn't know that. I just got it setup. Thanks.


Stupid indeed but certainly works as described. Thanks for the tip!


Thanks for posting this. Apparently some time in the last couple months (since the last time I checked) my bank added 2FA. Just went and activated it.


Instagram does have 2FA...


Please inform the team via GitHub issue: https://github.com/2factorauth/twofactorauth/issues


It turns out that (outside of FB employees), Instagram 2FA is only enabled for users with more than 1,000 followers. So, if you don't have more than 1,000 followers, they don't care if your account is hacked.


Are you sure it's rolled out for everyone? I have been trying to find it (web & mobile app) for weeks and can't find it... I know there was a bunch of press about it in February 2016, but I don't see it in the UI.


I do have it since the beginning of 2016... I have 16k followers so it might explain the 1k+. It's in the options, right under "Posts You've Liked".


Soon it will be scraped/exported to a Google Doc, I hope.



JS required? For a list? Seems rather excessive.


Honestly! The nerve of that webmaster!


The raw data is available without a JS requirement, if you're into that sort of thing: https://twofactorauth.org/data.json


It ain't no website today, until there are a bunch of JS frameworks involved.


Your site works with neither Vimium, NoScript or adblockers, so I can't use it.


  s/can't/won't
Not saying you don't have a valid complaint, but let's not forget what can't means.



