2FA fails

30 Jul '17

We all know that 2FA SMS is bad, because a phone number isn’t really a second factor.

Mobile phone 2FA apps are pretty good. Google Authenticator is okay, Authy is way more convenient (if you trust them - if you don’t, then you probably can’t use any 2FA app, but what’s your threat model anyway? Nation states?).

YubiKeys are most excellent, and well worth the money.

Google (think Gmail), Facebook (think OAuth), and Github (obvious) all have great 2FA support because they’re so critical to business. But some other websites are terrible! I do think 2FA support can tell you how professional/enterprise-y an organisation is, and I would think twice about using some of these:

rant, infosec

Newer Older