
> Yes. Google and Facebook aren't the only ones.

> You don't need a valid phone number to implement 2 factor authentication. There are implementations that require it, sure. But it's not the only way.

Are you referring to AWS Multi-Factor Authentication (MFA)? It's indeed a good implementation, but its usage is very limited and most people are not referring to this when they are talking about 2FA.




It could be a myriad of things.

- A physical device that you need to plug in

- A physical device that generates a token

- It could also be a token that gets sent to your phone or email and you input (like Facebook, Google, banks)

- An action you need to perform on another device (another bank)

- Google Authenticator (and other authenticator apps)

- I have also seen a message encrypted with your GPG public key that you decrypt and submit.

I have seen all of the above in different circumstances. The only one I have never seen is biometrics, and it's usually because of the cost. Also, you can't chop your finger off, so it's harder to recall if there are issues, unlike the rest.

> most people are not referring to this when they are talking about 2FA.

I only know what I have seen and have worked with.

I use Authenticator for SSH'ing into servers. My banks send me a code or I need to launch their app (CapitalOne) on my phone. My business account had a physical device that generated a token that I had to input in order to log in. I have used software in the past that required a key. GPG I have seen in some questionable sites when crawling them.


> Are you referring to AWS Multi-Factor Authentication (MFA)? It's indeed a good implementation, but its usage is very limited and most people are not referring to this when they are talking about 2FA.

AWS is using TOTP (Time-based One-time Password) as specified by RFC 6238. Off the top of my head, the same protocol is supported by Google, LastPass, Dropbox, Fastmail, GitHub, WordPress, Evernote and Outlook.com. So it stands to argue that this is, in fact, one of the schemes most people are referring to when they are talking about 2FA.



