We all know that 2FA SMS is bad, because a phone number isn’t really a second factor.
Mobile phone 2FA apps are pretty good. Google Authenticator is okay, Authy is way more convenient (if you trust them - if you don’t, then you probably can’t use any 2FA app, but what’s your threat model anyway? Nation states?).
YubiKeys are most excellent, and well worth the money.
Google (think Gmail), Facebook (think OAuth), and Github (obvious) all have great 2FA support because they’re so critical to business. But some other websites are terrible! I do think 2FA support can tell you how professional/enterprise-y an organisation is, and I would think twice about using some of these:
- Namecheap: Namecheap pretends to have 2FA app support, but instead of supporting standard apps, I have to download your shitty app? And you don’t support hardware keys? No thanks!
- GitLab: To register a new mobile app, I had to disable and then re-enable 2FA, which also wiped out all my hardware keys. Way to make it difficult, guys. It’s a known issue.
- Kickstarter: I had to disable and then re-enable 2FA, although they don’t support hardware keys. Also, they wanted me to verify my email address, which I did not have to do last time.
- Patreon: By far the worst. They used to support 2FA apps, but have now reverted to 2FA SMS only. What a step backwards! If you depend on Patreon for your livelihood, beware.