
2FA Notifier – Know when a site supports 2FA - dceddia
https://2fanotifier.org/
======
stephenr
The problem here is that it uses twofactorauth.org

I submitted two PRs for sites that have 2FA that they didn’t have.

For one, they argued about whether it’s a big enough site to include (a
commercial vps/server hosting company across ~5 countries) and never approved
it; for the other, they complained that the site doesn’t document it well
enough so it must not exist (despite me using it).

I gave up when they then got a bad reply from the company in question (saying
they only support sms) and _changed_ my PR despite me telling them it’s wrong
(because customer service reps never get anything wrong?)

~~~
carterehsmith
"they argued about whether it’s a big enough site to include"

Wow. That sounds ridiculous. But if you try and track that site ...

From [https://twofactorauth.org/](https://twofactorauth.org/) "Made with tea
by Josh Davis..." Then you follow this "Josh Davis" link to
[https://joshldavis.com/](https://joshldavis.com/)

... and you find this:

" Splootysplotty: Open Source Alternative to Lewis Carroll’s Jabberwocky"

" 'Twas haplex and kuffle problem. Projects Dalo and Jotts voluck. It's not
folazy as Lablem, But merely fosts toontruck. "

...interesting.

~~~
stephenr
> Wow. That sounds ridiculous.

Tell me about it. They literally just had to click "Merge PR", but instead
chose to go looking at the site's rank on Alexa.

When I suggested that they should codify their "only top 200K on Alexa"
guideline, I got zero response, predictably.

------
lalos
We need some guidelines for proper 2FA implementation. The Instagram 2FA has a
quirk where they don't prompt the user to write the phone number registered on
the account before sending the SMS. This means I get like 20 password resets
on my phone daily. In an ideal world I would use a token 2FA instead of SMS,
but that is not supported either. If anybody from Facebook/Instagram can pass
this feedback along, it will be appreciated.

~~~
conorgil145
> We need some guidelines for proper 2FA implementation.

I could not agree more. I write a lot about 2FA on my site, All Things Auth
[1], and do teardowns of 2FA implementations for sites.

In March, we featured Zapier [2] in a screencast episode and a 5 post series
digging deep into their 2FA implementation and related topics. I highlighted
some things they are doing well and also made suggestions on how they could
improve.

I plan to continue doing teardowns for 2FA implementations from many different
types of sites. I plan to create a definitive guide to aggregate 2FA
implementation best practices.

[1]
[https://www.allthingsauth.com/tag/2fa/](https://www.allthingsauth.com/tag/2fa/)

[2]
[https://www.allthingsauth.com/zapier](https://www.allthingsauth.com/zapier)

------
conorgil145
Hey everyone! I created 2FA Notifier with my friend, Ray.

We noticed that many people enable 2FA after they realize the services they
already use support it! So, we made 2FA Notifier [1], an open source web
extension that notifies you when sites you visit support 2FA. Anytime you
visit a site that supports 2FA, you'll get a notification. Click it to go
straight to the docs that explain how to enable 2FA!

Let me know if you take it for a spin! Any and all feedback is helpful to
improve the functionality and UX.

Shout with questions and I'll do my best to answer!

[1] [https://2fanotifier.org](https://2fanotifier.org)

~~~
kiwijamo
Nice idea! Will you add support for Firefox?

~~~
conorgil145
I am in the process of getting into the FF store as we speak! Stay tuned!

~~~
conorgil145
The extension is now accessible in the Firefox store [1]!

Please shout if there are any weird bugs in FF. I do test it in Firefox before
publishing, but Chrome is my main browser so I catch things there more
quickly.

[1] [https://addons.mozilla.org/en-US/firefox/addon/2fa-notifier/](https://addons.mozilla.org/en-US/firefox/addon/2fa-notifier/)

------
ithkuil
A few examples of sites that do have 2FA but the extensions cannot tell for
"silly" reasons:

mycompany.slack.com: "No 2FA here :("

inbox.google.com: "No 2FA here :("

docs.google.com: "No 2FA here :("

~~~
conorgil145
Thanks for the feedback!

Clean data is definitely going to be a challenge for this project moving
forward. I've discussed several ideas in other comments in this thread, so
check those out if you are interested.

It does look like inbox.google.com is missing from our data set. We have an
open issue to make sure that all of the Google products are added [1].

The messaging that is currently shown there is definitely wrong too because
inbox.google.com does support 2FA. We have another issue for handling the
"unknown" state when the domain simply is not in our data set [2].

What type of messaging and UI do you expect to see when the extension is
unsure whether a given site supports 2FA or not?

Feedback from the community will really help improve the extension! Thanks for
sharing your thoughts!

[1] [https://github.com/conorgil/2fa-notifier/issues/61](https://github.com/conorgil/2fa-notifier/issues/61)

[2] [https://github.com/conorgil/2fa-notifier/issues/39](https://github.com/conorgil/2fa-notifier/issues/39)
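The "unknown" state discussed above, as an added example that is not 2FA Notifier's own dataService.ts: a lookup that walks from the full host (inbox.google.com, mycompany.slack.com) up to its parent entry, reports an unlisted domain as "unknown" rather than "No 2FA here", and ranks the listed methods so the UI can say more than yes/no (the point raised later in the thread about SMS-only implementations). The data set, the alias table for regional Amazon sites and the method strengths are constructed for illustration.

```typescript
// Added example, not the extension's real data feed or code.
// DATASET and ALIASES are constructed for illustration only.
type Entry = { tfa: boolean; methods?: string[] };
const DATASET: Record<string, Entry> = {
  "google.com": { tfa: true, methods: ["sms", "totp", "u2f"] },
  "slack.com": { tfa: true, methods: ["sms", "totp"] },
  "amazon.com": { tfa: true, methods: ["sms", "totp"] },
  "nosecondfactor.test": { tfa: false },
};
// Hypothetical alias table for sites whose 2FA is enabled through another site.
const ALIASES: Record<string, string> = {
  "amazon.co.uk": "amazon.com", "amazon.de": "amazon.com",
};

type State = "supported" | "unsupported" | "unknown";
interface Verdict { state: State; matched?: string; methods?: string[] }

function lookup(hostname: string): Verdict {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  const labels = host.split(".");
  // Walk from the full host down to its two-label parent, so inbox.google.com,
  // www.google.com and mycompany.slack.com all resolve to their parent entry.
  for (let i = 0; i <= labels.length - 2; i++) {
    const candidate = labels.slice(i).join(".");
    const key = ALIASES[candidate] ?? candidate;
    const entry = DATASET[key];
    if (entry === undefined) continue;
    return entry.tfa
      ? { state: "supported", matched: key, methods: entry.methods }
      : { state: "unsupported", matched: key };
  }
  return { state: "unknown" }; // no data is not the same as "no 2FA"
}

// Rank listed methods so the UI can flag SMS-only as the weakest option.
const STRENGTH: Record<string, number> = { sms: 1, totp: 2, u2f: 3 };
function strongestMethod(methods: string[] = []): string | undefined {
  return methods.slice().sort((a, b) => (STRENGTH[b] ?? 0) - (STRENGTH[a] ?? 0))[0];
}

function message(hostname: string): string {
  const v = lookup(hostname);
  switch (v.state) {
    case "supported": return `${v.matched} supports 2FA (strongest listed: ${strongestMethod(v.methods)})`;
    case "unsupported": return `No 2FA listed for ${v.matched}`;
    default: return `No data for ${hostname} yet; consider contributing an entry`;
  }
}
```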

------
encyclic
Can you indicate more than only yes/no for a measure of how secure the 2FA can
be?

Some sites' 2FA implementation choices are known to be problematic, such as
SMS only (easily hijacked), or supporting TOTP and/or HOTP but also requiring
you to allow SMS or "security questions", reducing the degree of security.

~~~
conorgil145
That is a great idea! I am 100% in favor of helping the users understand the
security tradeoffs between the 2FA methods.

We definitely have it on the roadmap to update 2FA Notifier to include more
educational content. Thanks for the feedback!

I am currently writing a series on 2FA on my site All Things Auth [1] that
gets into the details explaining how each method works and exploring the
security and usability tradeoffs of each. I want to put together a summary
and/or infographic highlighting the main takeaways and hopefully link to
something like that from 2FA Notifier.

Currently, we use the data from twofactorauth.org [2] as our main data feed. I
definitely encourage you to check out their community on GitHub and propose
your idea there too!

[1]
[https://www.allthingsauth.com/tag/2fa/](https://www.allthingsauth.com/tag/2fa/)

[2]
[https://github.com/2factorauth/twofactorauth](https://github.com/2factorauth/twofactorauth)

~~~
ecesena
Great thing, the blog posts. I wrote about security keys working on iOS
recently, feel free to grab material if you need.

[http://medium.com/@0x0ece/googles-advanced-protection-progra...](http://medium.com/@0x0ece/googles-advanced-protection-program-with-iphone-and-ipad-5f30802885e7)

~~~
conorgil145
Thanks for the positive feedback! There are 2 main articles in the 2FA series
left to write (Push 2FA and U2F/WebAuthN), but there are a ton of other posts
I have bouncing around in my head. Join the email list if you're interested in
getting updates!

I'll definitely give your post a read too!

Have you found it effective publishing on Medium vs your own blog? I've been
considering cross posting my articles for additional exposure. Curious to hear
your thoughts.

~~~
ecesena
Medium, infinitely. LinkedIn is also gaining popularity if you want/need to
boost your network.

Feel free to write me via email if you’d like to talk more, but between HN and
Hacker Noon, with Medium any of my posts gets at least a thousand reads. This
one is currently at 4.6k views/1.9k reads. There’s no way I’d get this reach
with my own blog.

------
arthurfm
Great idea for an extension.

One thing I noticed straight away that I thought was worth mentioning is that
a notification doesn't popup when visiting the regional Amazon websites like
Amazon.co.uk/.de/.es/.it, despite it being possible to enable 2FA for these
sites through Amazon.com.

Screenshot: [https://vgy.me/UaHJm1.png](https://vgy.me/UaHJm1.png)

This is also mentioned on twofactorauth.org...

 _Enabling on Amazon.com activates 2FA on other regional Amazon sites, such as
UK and DE._

~~~
conorgil145
Thanks for the feedback! We use the data from twofactorauth.org as our main
data feed, so that is where we pick up the domains.

I am definitely open to augmenting those entries, but trying to think about
ways to either automate (ideal) or crowdsource contributions on the data side.

Any thoughts? Would you be interested in contributing data updates like this?

~~~
arthurfm
Do you think twofactorauth.org would be willing to list the regional Amazon
websites separately so that your extension can pick them up automatically?

~~~
conorgil145
I am not a core committer for twofactorauth.org (yet! I hope to become one!),
so I cannot say whether they will accept a PR like that. However, there is an
open issue discussing this topic that is worth reading over [1].

2FA Notifier has a bit of an easier job since we don't have to render anything
or make it searchable (as of today). I would happily review any PRs along
these lines! The data is currently hard coded in a TypeScript file, which
makes it really easy to update [2].

I plan to document criteria for contributing data to 2FA Notifier like this,
but just haven't had the time. One entry per PR would be ideal if you are
motivated to contribute!

[1]
[https://github.com/2factorauth/twofactorauth/issues/1025](https://github.com/2factorauth/twofactorauth/issues/1025)

[2] [https://github.com/conorgil/2fa-notifier/blob/master/src/typ...](https://github.com/conorgil/2fa-notifier/blob/master/src/typescript/utils/dataService.ts)

------
coastal-fiesta
I like this idea, it's definitely missing a few major sites though.
google.com, facebook.com for example.

~~~
conorgil145
Thanks for the feedback! I just released an update that correctly supports
www.google.com and www.facebook.com.

------
ovao
Nitpick: “2FA Notifier let’s you know”

That should be “lets”.

~~~
conorgil145
Whoops! Good catch. Fixed.

~~~
designedbinary
I also fixed it on the chrome store description as well. :) Thx for catching
that!

------
tlund
This addon is useless:

"No 2FA here :( But you can better protect your inbox.google.com account if
you follow these steps:

Create a unique password

Use a password manager"

~~~
conorgil145
It does look like inbox.google.com is missing from our data set. We have an
open issue to make sure that all of the Google products are added [1].

The messaging that is currently shown there is definitely wrong too because
inbox.google.com does support 2FA. We have another issue for handling the
"unknown" state when the domain simply is not in our data set [2].

What type of messaging and UI do you expect to see when the extension is
unsure whether a given site supports 2FA or not?

Also, have you had the chance to see the UX for a site that does support 2FA?
We currently have over 1,000 domains in our data set, so there is bound to be
a service that you use. Feedback from the community will really help improve
the extension! Thanks for sharing your thoughts.

[1] [https://github.com/conorgil/2fa-notifier/issues/61](https://github.com/conorgil/2fa-notifier/issues/61)

[2] [https://github.com/conorgil/2fa-notifier/issues/39](https://github.com/conorgil/2fa-notifier/issues/39)

------
yawgmoth
LastPass + Duo = MFA Everywhere :-)

