Hacker News new | ask | show | jobs
by encyclic 2955 days ago
Can you indicate more than only yes/no for a measure of how secure the 2FA can be?

The choice of some site's 2FA implementations are known to be problematic, such as SMS only (easily hijacked), or supporting TOTP and/or HOTP, but also requiring you to allow SMS or "security questions", reducing the degree of security.
1 comments
conorgil145 2955 days ago
That is a great idea! I am 100% in favor of helping the users understand the security tradeoffs between the 2FA methods.

We definitely have it on the roadmap to update 2FA Notifier to include more educational content. Thanks for the feedback!

I am currently writing a series on 2FA on my site All Things Auth [1] that gets into the details explaining how each method works and exploring the security and usability tradeoffs of each. I want to put together a summary and/or infographic highlighting the main takeaways and hopefully like to something like that from 2FA Notifier.

Currently, we use the data from twofactorauth.org [2] as our main data feed. I definitely encourage you to check out their community on GitHub and propose your idea there too!

[1] https://www.allthingsauth.com/tag/2fa/

[2] https://github.com/2factorauth/twofactorauth

link
ecesena 2955 days ago
Great thing the blog posts. I wrote about security keys working on ios recently, feel free to grab material if you need.

http://medium.com/@0x0ece/googles-advanced-protection-progra...

link
conorgil145 2955 days ago
Thanks for the positive feedback! There are 2 main articles in the 2FA series left to write (Push 2FA and U2F/WebAuthN), but there are a ton of other posts I have bouncing around in my head. Join the email list if you're interested in getting updates!

I'll definitely give your post a read too!

Have you found it effective publishing on Medium vs your own blog? I've been considering cross posting my articles for additional exposure. Curious to hear your thoughts.

link
ecesena 2955 days ago
Medium infinitely, Linkedin is also gaining popularity if you want/need to boost your network.

Feel free to write me via email if you’d like to talk more, but between hn and hackernoon, with medium any of my posts gets at least a thousand reads. This one is currently at 4.6k views/1.9k reads. There’s no way I’d get this reach with my own blog.

link
designedbinary 2955 days ago
+1 on the great idea!

(I'm the other half of this team. I tackle the UX/UI parts)

@encyclic, i'm curious about how you typically approach enabling 2FA. - How do you typically choose which services to enable 2FA for? - What do you do now if a service doesn't have 2FA OR doesn't have the type of 2FA appropriate for your situation?

As Conorgil145 mentioned, we have this on our roadmap and have some ideas about how to approach this. But understanding how you approach things now will definitely help us to craft a more effective solution.

link