Hacker News new | ask | show | jobs
by bpatrianakos 4673 days ago
These are exactly the issues I'm dealing with in re-implementing two-factor auth in my own app. On the one hand you can easily roll your own SMS based TFA with the option to use Google Authenticator with a negligible amount of work. Google's app is pretty reliable and most people trust Google (rightly or wrongly is beside the point here).

But then what if Google pulls the rug out from under apps that rely on it and what if knowledgeable users like you don't like the idea of a third party having access to their second factor?

I'm starting to think that unless you're willing to build your own authenticator apps for multiple mobile OSes SMS-only is the best way to go.
2 comments
SEMW 4673 days ago
> But then what if Google pulls the rug out from under apps that rely on it

As has been pointed out, it's open source (specifically, Apache 2.0)[1]. So, fork the code[2], if necessary find&replace any google trademarks, and republish as a dedicated authenticator for your own app. Or use one of the existing apps which have forked off gauthenticator, e.g. https://github.com/kaie/otp-authenticator-android .

[1] Except for some bits specific to gmail's 2-factor workflow added after v2.21

[2] git clone https://code.google.com/p/google-authenticator/

link
bri3d 4673 days ago
Why not just support both? As a savvy user I can choose SMS-only without ever letting Google anywhere near my shared secret.

Or I can implement or build from source a TFA app I trust and use that.

I really hate sites that support TFA and don't support authentication apps as I have very poor phone service at both my home and place of work and hence SMS is a frustrating experience for me.

link
IgorPartola 4673 days ago
SMS is not a secure channel. For example transmitting patient info over SMS violates HIPPA.
link
bri3d 4662 days ago
Wait - I was disagreeing with the GP's assertion that SMS-only was a good idea, so I think we very much agree. Maybe you meant to respond to my parent post?

IMO a shared-secret OTP app is certainly not unbreakable but is more secure than SMS.

SMS is known to be easily subpoenaed and universally stored while believing in a widespread OTP app trojan-horse requires some form of tinfoil-hattery. Both are still orders of magnitude more secure than single-factor authentication anyway and hence I believe both should be included in a reasonable 2-factor authentication solution.

Personally I can't adopt an SMS-only 2-factor solution due to service issues anyway.

link