While this is all good (and it is, no sarcasm intended), what I really want/care about is banking sites/companies. If this website could also compile a list for these institutions that would be awesome. It truly amazes me how most major banks lack 2fa.
A long while back, American Express through its Blue card line actually proposed the use of a card reader and physical token (the card for internet purchases). It never took off.
I feel that I should point out that nearly every UK banking site uses 2fa for transactions, and many as an option for login. This only comes with chip & pin.
I set up a bank account in Germany in 2007 that issued me a hardware token generator (I forget the name of the bank). It was my first experience with 2 factor auth, and I'm a little surprised that I have yet to see it implemented with banks in the US.
Today, these usually work by transmitting some code via a flickering field on the website. You insert your bank card into the generator, hold it to your screen and type the number it shows on the device.
You are right, but the end of that article alluded to a bit of an interchangeability.
> They're adding support in the next few weeks for Google Authenticator tokens to their system as well. That way you can use Authy's great UI to access your Google codes through one app.
So I got looking, and it looks like now you can always use Authy for Google Authenticator tokens [1].
It's only a few lines of code and other than having sync'ed clocks does not require any other running services. At one point I implemented it as a second factor for my most important servers that I ssh to so that my IP would be unlocked for 45 minutes after the initial connection.
That's exactly what I was going to say. I finally put 2FA on my Dropbox account a while ago. Scanned the QR code in Authy, and everything worked just fine.
I use two factor authentication apps on my phone to generate my one time passwords. This works great for me but I always wonder what I will do if I lose my phone.
I've backed up the authenticator apps. Am I correct in assuming I can restore the one time password generators from the back-ups? Is there anything else I should do?
If you have a phone and a tablet, install Google Authenticator and Authy on each, and scan the QR code with each app (a total of 4 times). As long as the clocks are in sync it will work fine, and protects access in case of:
- loss of 1 device, and
- one of the apps not being available (e.g. during a stuck iOS app update)
I have used Titanium Backup to restore Google Authenticator and Battle.net Mobile Authenticator onto a different device and both apps have retained my accounts with no problem at all. So yes, you are correct in assuming that you can restore OTP generators from backups.
I can also confirm this. As well as local, I have set Titanium Backup to send an additional (encrypted) backup to a cloud storage service as well (in my case Google Drive). I have restored from Titanium Backup many times with different ROMs and different phones.
I tried to set up Facebook Two Factor Auth and it says: "Make sure you have the latest version of the Facebook app on your device." According to your site, Facebook supports Google Auth but I am clueless on how to set this up without installing the FB Android app.
Evernote's documentation says they "recommend" Google Authenticator, but I've never managed to set it up because their setup process requires SMS. (Is the TOTP support premium only?)
This is a great resource. However, the SMS column might require some expansion as although some of the companies on this list support SMS two-factor auth, they don't support it outside of the US. PayPal, for example, does not support Finland (checked last week).
Great site. Is there a way (as a user) to mandate two-factor authentication on sites that don't natively offer it? I recognize that the obvious answer is no, but I'm curious to know if anyone has tried workarounds.
Sites didn't have a standard to follow and not everyone has the resources of Google to roll their own. Now that the FIDO Alliance has big names on it, I hope to see companies use it.
That's a great resource! The first step before increased security is to increase awareness. Big service providers must be put on the spot about two factor authentication IMHO.
Even non-SAML sites can get 2FA support via Google Auth - our company Meldium (https://www.meldium.com/) now supports over 1,000 web apps, while there are only a few dozen major SaaS apps with SAML support.
Neat idea for a site.