by 3np 1568 days ago
> Are you looking for something like Authy or Google Authenticator here?

Precisely! Both are implementations of TOTP[0] - it's a simple protocol which doesn't rely on any particular implementation.

The other common one with that same characteristic would be Fido U2F[1] (for hardware keys such as Yubikey and Google Titan). If/when you do implement it, make sure to support adding more than one token to facilitate users sorting out their own backups.

Both are open standards that are well-supported with both proprietary and open implementations across platforms.

If you have to initially only pick one of the two I'd go with TOTP.

[0]: https://en.wikipedia.org/wiki/Time-based_one-time_password

[1]: https://en.wikipedia.org/wiki/Universal_2nd_Factor

1 comments

Cool, we should be able to do this. Thank you for your feedback.
In addition, for regular users, consider providing free or subsidised hardware keys (yubikey, Google titan).

While many will raise concern with the UX of having to carry around hardware, in the fintech world I think it's a good tradeoff and raises the bar for the industry (I always shudder when I see "we use industry-standard protection"). :)