
Show HN: Authentimate – Two-Factor Authentication API - KevinMcGovern
https://www.authentimate.com
======
KevinMcGovern
Hey HN!

We’re building Authentimate, a simple two-factor authentication API. We were
frustrated with other 2FA solutions that couldn’t give us clear, consistent
pricing, and tended to overcomplicate what should be a very simple feature.

We started off with SMS-based two-factor auth because it is the most widely
available and easily understood by users, which makes them more likely to
enable it.

In the very near future we will be rolling out more secure TOTP-based
authentication so that users can use something like Google Authenticator to
handle their second factor.

We would love to get some early feedback and thoughts on what you think is
missing from current third-party auth solutions.

Thanks!

~~~
stephenr
I think you need to re-visit your SMS support decision. SMS for 2FA is not
secure, at all.

~~~
KevinMcGovern
We are working on other authentication methods and we'll be releasing OTP auth
within the next few weeks; however, the decision to start with SMS was based
primarily on accessibility. Adoption of other authentication methods has been
slow (despite warnings from agencies like NIST), and I don't believe the
solution to that is to force it and drop SMS immediately and entirely. It's
going to require education over time to convince both users and developers
that other methods of authentication need to be adopted. In the meantime, I
think we need to meet them where they're currently looking, get them to start
using _some_ form of 2FA, and convince them of the benefits of moving to more
secure methods from there.

As we've been working on this we've been brainstorming different approaches we
could take to help facilitate that adoption. It could be in the form of more
favourable pricing, or even just a content strategy that encourages more
secure methods, but I'd love to hear your thoughts on the subject.

~~~
stephenr
Given that SMS is already considered insecure, my thoughts are that it's too
late to be starting a _new_ service offering it, saying "we need to educate
users first".

