by seanponeil 4929 days ago
Most people who care about two factor already have Google Authenticator installed on their phone. Having the user install another app is tedious and a lot of users won't enable two factor because of it.

I think most people who care about it would either (a) already have Authy installed, or (b) care enough that downloading another app isn't going to prevent them.

When it's opt-in you're really not going to get a lot of people saying "Okay, I guess I'll do it if you make it really easy for me." It's either important or it's not. Most folks on HN would probably say it is and enable it as a matter of course, especially for a service with as much business value as Stripe.

> I think most people who care about it would either (a) already have Authy installed, or (b) care enough that downloading another app isn't going to prevent them.

I care, and I have Google Authenticator installed but not Authy.

In fact, it's because I care that I don't have Authy installed - from their comments on HackerNews yesterday, I didn't get much confidence that the Authy folks understand security enough for me to trust them with something this important.

Guy who brought up several of the concerns in yesterday's thread here - and I'm in the same situation.

Actually, I went so far as to download the app just to see if I could crack the backups I was criticizing (i.e., are they actually using a key strengthening algorithm or was the founder just straight-up lying after all of the concern was made public), but when I couldn't get past an SMS-based login-wall to test, most of my initial fears were confirmed.

My concerns and irritations about Google Authenticator also still stand; they half-implemented the spec[1] and have potentially limited everyone's security as a result. However, they didn't misimplement it, so they just limited the gains rather than actually made things worse. I think the QRCode to import the key is, uh, less safe than it could be, but assuming someone hasn't gone and posted screenshots of it to the internet or scanned it with multiple devices, it's not too bad.

I started building a replacement a couple weekends ago to address some of these issues (though primarily because it hasn't been updated to support retina displays, never mind iPhone5), so Authy's timing is rather unfortunate as I've been in the thick of the spec and care deeply about security (I work for WePay; yes, we also have a public rollout of 2FA in the works, it's in internal beta right now). My plan is to give it away for free, if not open-source it completely.

[1] the flexible options for the number of digits, time window, and hashing algorithm are all hardcoded in GA, despite their TOTP implementation actually supporting the full spec. The UI simply ignores all fields beside the label and secret, presumably because they decided to make a screen-wide counter rather than entry-wide. Why it's still forced to SHA1 and 6 digits is beyond me.
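The footnote above says GA hardcodes SHA1 and 6 digits even though the spec allows the digit count, time step and hash to vary. As an added example, not code from this thread or from any of the apps it discusses, here is RFC 4226/6238 TOTP in Python that honours all three parameters from an otpauth URI, plus a server-side check with a drift window; the `verify` helper and the sample URI are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Hash functions RFC 6238 allows; the comment above notes GA only ever uses SHA1.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, timestamp: int, digits: int = 6, period: int = 30,
         algorithm: str = "SHA1") -> str:
    """RFC 6238: HOTP with the counter derived from Unix time and the step size."""
    return hotp(secret, timestamp // period, digits, algorithm)

def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/ URI, honouring digits, period and algorithm rather
    than ignoring every field except label and secret (the behaviour criticised above)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp URIs are handled here")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = q["secret"].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)          # re-add the padding many issuers strip
    algorithm = q.get("algorithm", "SHA1").upper()
    digits = int(q.get("digits", "6"))
    period = int(q.get("period", "30"))
    if algorithm not in ALGORITHMS or digits not in (6, 7, 8) or period <= 0:
        raise ValueError("otpauth parameters outside what RFC 6238 permits")
    return {"label": unquote(u.path.lstrip("/")), "secret": base64.b32decode(b32),
            "digits": digits, "period": period, "algorithm": algorithm}

def verify(code: str, params: dict, timestamp: int, window: int = 1) -> bool:
    """Server-side check (constructed helper): accept the current step plus `window`
    steps either side for clock drift, comparing in constant time."""
    base = timestamp // params["period"]
    for counter in range(base - window, base + window + 1):
        if counter < 0:                   # the counter is unsigned; skip pre-epoch steps
            continue
        expected = hotp(params["secret"], counter, params["digits"], params["algorithm"])
        if hmac.compare_digest(expected, code):
            return True
    return False
```

A real server should also record each accepted counter so a code within the window cannot be replayed.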

> Authy's timing is rather unfortunate as I've been in the thick of the spec and care deeply about security (I work for WePay; yes, we also have a public rollout of 2FA in the works, it's in internal beta right now). My plan is to give it away for free, if not open-source it completely.

I'd be very interested in this, Authy's timing notwithstanding. I think my email is in my profile - please let me know if/when you have something available (whether in beta or general release).

I can't see your email (I think it has to be in about) but you can reach me at my username at gmail.

Authy now supports Google Authenticator based systems.