

Two Factor Auth List - davis
http://twofactorauth.org/

======
gergles
You should probably rename Google Auth to "TOTP" since that's what is actually
supported.

Neat idea for a site.

~~~
nacs
Agreed. I don't see why they list Google Auth and Authy separately when they
both support the same TOTP system.

~~~
richbradshaw
Authy also supports (it's own?) TFA system that is incompatible with the
google app.

~~~
bdcravens
Yes, but you include TOTP sites in the Authy app and have them all in one
place.

------
jug6ernaut
While this is all good(and it is, no sarcasm intended).

What I really want/care about is banking sites/companies. If this website
could also compile a list for these institutions that would be awesome. It
truly amazes me how most major banks lack 2fa.

~~~
alexchamberlain
I feel that I should point out that nearly every UK banking site uses 2fa for
transactions, and many as an option for login. This only comes with chip &
pin.

~~~
joe_inferno
I setup a bank account in Germany in 2007 that issued me a hardware token
generator (I forget the name of the bank). It was my first experience with 2
factor auth, and I'm a little surprised that I have yet to see it implemented
with banks in the US.

~~~
luchs
Today, these usually work by transmitting some code via a flickering field on
the website. You insert your bank card into the generator, hold it to your
screen and type the number it shows on the device.

The German Wikipedia has some pictures:
[http://de.wikipedia.org/wiki/Transaktionsnummer#chipTAN_comf...](http://de.wikipedia.org/wiki/Transaktionsnummer#chipTAN_comfort.2FSmartTAN_optic_.28Flickering.29)

------
martiuk
I would change custom to not show red if it doesn't exist.

It gives off an impression that it's bad that they don't have their own custom
solution to 2FA.

------
jonesetc
1\. I thought Google auth and Authy were interchangeable.

2\. [https://library.linode.com/linode-manager-
security](https://library.linode.com/linode-manager-security) for the dev
section.

~~~
sp332
Not sure of the details, but according to
[https://blog.cloudflare.com/choosing-a-two-factor-
authentica...](https://blog.cloudflare.com/choosing-a-two-factor-
authentication-system) they are not (always) interchangeable.

~~~
jonesetc
You are right, but the end of that article alluded to a bit of an
interchangeability.

> They're adding support in the next few weeks for Google Authenticator tokens
> to their system as well. That way you can use Authy's great UI to access
> your Google codes through one app.

So I got looking, and it looks like now you can always use Authy for google
authenticator tokens [1].

[http://blog.authy.com/authenticator](http://blog.authy.com/authenticator)

------
IgorPartola
Random: I really like how simple the Google Authenticator's TOTP algorithm is:
[https://github.com/tadeck/onetimepass/blob/master/onetimepas...](https://github.com/tadeck/onetimepass/blob/master/onetimepass/__init__.py)

It's only a few lines of code and other than having sync'ed clocks does not
require any other running services. At one point I implemented it as a second
factor for my most important servers that I ssh to so that my IP would be
unlocked for 45 minutes after the initial connection.

~~~
StavrosK
Nitpick: It's not Google's, it's an open standard (OATH):
[http://tools.ietf.org/html/rfc6238](http://tools.ietf.org/html/rfc6238)

There's also HOTP.

~~~
IgorPartola
You are right, I should have elaborated. Just like most people, I first
learned about it from using the Google Authenticator app.

~~~
StavrosK
Sure, I'm just clarifying that it's a standard (and thus awesome).

------
brady8
If it works with Google Auth, it also works with Authy - same algorithm.

~~~
hoov
That's exactly what I was going to say. I finally put 2FA on my Dropbox
account a while ago. Scanned the QR code in Authy, and everything worked just
ifne.

------
torbjorn
I use two factor authentication apps on my phone to generate my one time
passwords. This works great for me but I always wonder what I will do if I
lose my phone. I've backed up the authenticator apps. I am correct in assuming
I can restore the one time password generators from the back-ups? Is there
anything else I should do?

~~~
kramerc
I have used Titanium Backup to restore Google Authenticator and Battle.net
Mobile Authenticator onto a different device and both apps have retained my
accounts with no problem at all. So yes, you are correct in assuming that you
can restore OTP generators from backups.

~~~
da_n
I can also confirm this. AS well as local, I have set Titanium Backup to send
an additional (encrypted) backup to a cloud storage service as well (in my
case Google Drive). I have restored from Titanium Backup many times with
different ROMS and different phones.

------
mercnet
I tried to setup Facebook Two Factor Auth and it says: "Make sure you have the
latest version of the Facebook app on your device." According to your site,
Facebook supports Google Auth but I am clueless on how to set this up without
installing the FB android app.

~~~
sp332
Head to
[https://www.facebook.com/settings?tab=security&section=code_...](https://www.facebook.com/settings?tab=security&section=code_generator&view)
and click "Set up another way to get security codes."

------
dunham
Evernote's documentation says they "recommend" Google Authenticator, but I've
never managed to set it up because their setup process requires SMS. (Is the
TOTP support premium only?)

------
deanclatworthy
This is a great resource. However, the SMS column might require some expansion
as although some of the companies on this list support SMS two-factor auth,
they don't support it outside of the US. Paypal, for example, does not support
Finland (checked last week).

------
markhall
Great site. Is there a way (as a user) to mandate two-factor authentication on
sites that don't natively offer it? I recognize that the obvious answer is no,
but I'm curious to know if anyone has tried workarounds.

------
mindstab
[http://aws.amazon.com/iam/details/mfa/](http://aws.amazon.com/iam/details/mfa/)

amazon supports MFA, but the site seems to not know that...

~~~
nacs
Thats for AWS which is listed as supported further down the page as Amazon Web
Services under the "Developer" section.

The Amazon they list above it is for the consumer store which AFAIK doesn't
support MFA yet.

------
amalag
Sites didn't have a standard to follow and not everyone has the resources of
Google to roll their own. Now that the Fido Alliance has big names on it, I
hope to see companies use it.

------
caio1982
That's a great resource! The first step before increased security is to
increase awareness. Big service providers must be put on spot about two factor
authentication IMHO.

------
batman0219
or [http://evanhahn.com/2fa/](http://evanhahn.com/2fa/)

------
thrush
There are sites that allow you to add 2FA to practically any site. Okta for
example has this feature.

~~~
bradleybuda
Even non-SAML sites can get 2FA support via Google Auth -our company Meldium
([https://www.meldium.com/](https://www.meldium.com/)) now supports over 1,000
web apps, while there are only a few dozen major SaaS apps with SAML support.

------
malandrew
Is there a decent hacker-friendly domain name provider that supports 2FA?

~~~
footpath
There's Dynadot:
[http://www.dynadot.com/domain/security.html](http://www.dynadot.com/domain/security.html)

Also NearlyFreeSpeech, though the domain selection is very limited, as it's
primarily a hosting company:
[https://blog.nearlyfreespeech.net/2014/02/28/price-cuts-
more...](https://blog.nearlyfreespeech.net/2014/02/28/price-cuts-more-
security-and-recovery-options/)

------
DomBlack
This could do with a column for Yubikey support.

