|
MailChimp founder here. Here's a little back story to Alter Ego, since it does tend to confuse people.

There was a time, not long ago, when email providers were under attack and suffering from some major breaches (http://www.cauce.org/2011/04/epsilon-interactive-breach-the-...). It's hard to describe the feeling of helplessness when you watch industry peers get systematically attacked like that. We wanted to do whatever we could to prevent that by providing 2FA protection to our customers.

We researched RSA and other solutions. It seemed way too costly to ship key fobs to millions of users (our larger users could afford it, but not our vast majority of small business users, who are the ones who need the most help w/security). Still, we ordered the RSA hardware and fobs to try it out. While the equipment was all en route, RSA was breached (http://blogs.rsa.com/anatomy-of-an-attack/). To be safe, they told us we had to wait for new hardware to be re-issued. There's that feeling of helplessness again.

We decided not to wait, and to just roll our own 2F app because we could make it free and easier than most (2 critical requirements for our SMB user base). It's important to note that Google Authenticator wasn't yet open for integration (trust me--we badly wished for it). There were only rumors that they might open it up, and frankly, we couldn't wait for them to decide. Now we all know that it's been opened up, which is nice. And fwiw, in the next couple days we'll be announcing support in Alter Ego for Google Authenticator and YubiKey pass-through.

Someone mentioned Duo. That's an impressive app. We didn't know it existed until after we launched AlterEgo (their CEO introduced himself in the comments when we launched AlterEgo). I was blown away by what a thorough app it was. Still, it wasn't "free enough" for our users (Gasp! How dare they charge money?!?). Remember, we wanted maximum usage, so it was important to make a free app. We could theoretically and happily do a pass-through integration for Duo users too.

Someone mentioned the uncertainty of relying on a Google service, considering Google's recent "spring cleaning" of Google Reader. Roughly around the time we launched AlterEgo, I don't remember all that much spring cleaning going on at Google, so I can't say we had concerns they'd kill their 2FA service. I vaguely recall them deprecating the Google Translate API (which we heavily relied on) and I vividly remember them sending us a ginormous bill for using their Maps API. Larry Page hadn't yet made his "more wood behind fewer arrows" statement, but the writing was on the wall that we can't all just feast off of Google's generosity and altruism forever. So at that time, I think we were more concerned about Google eventually charging us for the service (God forbid, right?). If we had even tens of thousands of users activating, that would be a bit expensive.

Hope that explains things. |
Happy to hear MailChimp is investing in data protection. You can bet I'll be enabling it. Keep up the great work.