
Two Factor Auth List - wglb
https://twofactorauth.org/
======
scrollaway
My Hearthstone account has better security than my Paypal account.

Here are some fun websites that do not support decent TOTP 2FA or U2F:

- Ebay
- Paypal
- Most banking websites apparently because regulations *shrugs*
- Twitter. The thing the POTUS uses to communicate.

And here is just some utter nonsense:

- Facebook supports TOTP 2fa... but you need a phone number linked to the
account

- Wikipedia has TOTP 2fa... but only for sysadmins

- Steam is one of the rare oddballs in the gaming space, with an idiotic
email-based 2fa system, which by the way constantly gets hit by massive
delays.

~~~
evgen
You only need a phone number linked to the FB account during setup. Once 2fa
is turned on you can unlink the phone number.

~~~
jlgaddis
A lot of sites are like this but they miss the point... which is that I don't
want to give them my mobile phone number in the first place.

I might, if I could reasonably trust that they really do delete it, but I
think experience shows that we can't completely trust most companies nowadays.

~~~
technofiend
Sign up with any voip provider and get an SMS-capable number for one month.
That's what I did for gandi.net.

------
e0m
I no longer tell many of my less tech-savvy to use 2FA for most sites. The
notable exception being their primary email and a few others. I instead push
them to use a system like 1Password that will let them generate unique strong
passwords.

For a huge majority of people, the odds of them losing, breaking, or wiping
their phones and misplacing or forgetting to save their backup codes is MUCH
higher than getting hacked while using a 1Password system.

~~~
stusmall
2FA and unique passwords aren't an either or thing. There is a lot of overlap
in what they protect against but it's not complete. Having a strong, unique
password won't help against being phished but 2FA can help mitigate the dangers
of password reuse.

I get that everyone's exposure to and acceptance of risk is different. I
understand that sometimes the best you can hope for out of a non-technical
friend is that they accept maybe one piece of advice at most, but I'd disagree
with the priority. 2FA is extremely powerful.

------
oxplot
I'm constantly disappointed by lack of support for U2F keys, especially by
domain name registrars (Gandi is the only one, but unfortunately they come
with their own questionable ToS). No matter how well protected your accounts
are, if you lose your domain, they're all toast.

~~~
oxplot
Replying to myself here. I've asked Namecheap to consider it (as I'm sure many
others have too) but received no ETA. I'd really like to stay with them but
lack of U2F is becoming a deal breaker for me, considering how prevalent phone
account hijacking has become recently.

------
krrrh
For years Deutsche Bank and other European banks have relied on TAN, which
typically is a printed sheet of 100 numbers that are required at random [1].
There are also various electronic TANs that have been introduced over the
years. The list doesn't seem to include paper tokens, which are a valid 2FA.

[1] See image here - [http://explipedia.de/online-banking-verfahren-erklaert/](http://explipedia.de/online-banking-verfahren-erklaert/)

Edit: Deutsche Bank isn't actually listed, changed comment to reflect that,
but left it up because a lot of people may find the paper TAN system
interesting.

~~~
frik
Unfortunately iTANs are no more.

iTAN is a solid, secure concept, if you take normal post service for granted,
handle the paper with care, and don't fall for "phishing attacks" where the
attacker tricks the user into logging into a forged copy of the bank's
website.

From a security point of view (imho, please correct me) iTAN is more secure
than SMS-token (mTAN), email-token and app-token. You simply cannot beat
analog offline security, as the iTAN-list exists only in two places on the
server and printed out on paper (user).

[https://en.wikipedia.org/wiki/Transaction_authentication_num...](https://en.wikipedia.org/wiki/Transaction_authentication_number#Indexed_TAN)

iTAN (Indexed_TAN) article:

_"Indexed TANs reduce the risk of phishing. To authorize a transaction, the
user is not asked to use an arbitrary TAN from the list but to enter a
specific TAN as identified by a sequence number (index). As the index is
randomly chosen by the bank, an arbitrary TAN acquired by an attacker is
usually worthless.

However, iTANs are still susceptible to man-in-the-middle attacks, including
phishing attacks where the attacker tricks the user into logging into a forged
copy of the bank's website and man-in-the-browser attacks which allow the
attacker to secretly swap the transaction details in the background of the PC
as well as to conceal the actual transactions carried out by the attacker in
the online account overview.

Therefore, in 2012 the European Union Agency for Network and Information
Security advised all banks to consider the PC systems of their users being
infected by malware by default and use security processes where the user can
cross-check the transaction data against manipulations like for example
(provided the security of the mobile phone holds up) mTAN or smartcard readers
with an own screen including the transaction data into the TAN generation
process while displaying it beforehand to the user (chipTAN)."_

~~~
blattimwind
iTAN has been replaced with ChipTAN which I personally find easier to handle
since I frequently misplaced my TAN lists :)

Plus the advantages that are already mentioned at the end of your quote - the
TAN generator shows the IBAN and the amount, essentially acting as a secure
display device for the transaction.
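
As an added illustration (not code from the thread or from any bank), a Python sketch of the two checks discussed above: frik's indexed TAN, where the bank picks the index so a TAN phished from elsewhere on the sheet is useless, and the chipTAN-style TAN blattimwind describes, bound to the IBAN and amount the generator displays. The TAN sheet, the key and the HMAC derivation are constructed stand-ins; real chipTAN computes the TAN inside the EMV card.

```python
import hashlib
import hmac
import secrets

# --- iTAN: the bank chooses which entry of the printed list the user must type ---

def make_tan_list(n=100):
    """Constructed stand-in for a printed iTAN sheet: index -> six-digit TAN."""
    return {i: f"{secrets.randbelow(10**6):06d}" for i in range(1, n + 1)}

def itan_challenge(tan_list, used):
    """Bank side: pick a random index that has not been consumed yet."""
    return secrets.choice([i for i in tan_list if i not in used])

def itan_verify(tan_list, used, index, entered):
    """Bank side: accept only the TAN at the challenged index, and only once.
    A TAN phished from some other index (or replayed) is rejected."""
    if index in used:
        return False
    if not hmac.compare_digest(tan_list[index], entered):
        return False
    used.add(index)
    return True

# --- chipTAN-style: the TAN is bound to the data the generator displays ---
# Constructed simplification: an HMAC over IBAN, amount and counter keeps the
# property that matters here, the TAN is only valid for exactly this transfer.

def chiptan_generate(secret, iban, amount_cents, counter):
    msg = f"{iban}|{amount_cents}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"

def chiptan_verify(secret, iban, amount_cents, counter, entered):
    """Bank side recomputes the TAN from the transaction it is about to execute;
    a man-in-the-browser that swapped the IBAN behind the user's back gets a mismatch."""
    expected = chiptan_generate(secret, iban, amount_cents, counter)
    return hmac.compare_digest(expected, entered)

if __name__ == "__main__":
    sheet, used = make_tan_list(), set()
    idx = itan_challenge(sheet, used)
    print("iTAN at challenged index accepted:", itan_verify(sheet, used, idx, sheet[idx]))
    print("same iTAN replayed accepted:", itan_verify(sheet, used, idx, sheet[idx]))
    key = b"constructed demo key"
    tan = chiptan_generate(key, "DE00000000000000000000", 12500, 1)
    print("chipTAN for displayed transfer:", chiptan_verify(key, "DE00000000000000000000", 12500, 1, tan))
    print("same TAN on swapped IBAN:", chiptan_verify(key, "DE99999999999999999999", 12500, 1, tan))
```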

------
cflewis
It would be rad if a Chrome extension was written that checked the website
against this list and notified you that 2FA was available for it.

GitHub is a good example of a web site that has 2FA, that you really want 2FA
on, and yet the 2FA setup is kinda buried.

------
exabrial
Off-topic: I recently bought a u2f token. It registers as a HID device. I
wanted to play around with using it for other purposes, but I can't find a usb
protocol specification anywhere. Anyone have a link?

------
BoppreH
I've been crusading against two factor auth for a while now, including being
against email as recovery/revocation fallback.

- SMS is insecure, both from a protocol and from a social engineering point
of view. Google Authenticator is better, but still has fatal flaws.

- We use email for casual communication _and_ security-sensitive account
changes. This is a disaster. What happens if Google bans your account by
mistake, or a thief steals your phone and decides to data-mine/destroy your
online life?

- I have yet to see a two factor auth protocol with decent recovery ("I lost
my phone") and revocation ("the thief used my phone to login and kick me
out"). The instructions are usually "make a new backup for every new account
if the site supports" and "tough luck", respectively.

Our online lives are more important than ever. Hearing "I'm sorry, you lost
every single online account you ever had" is going to become recurrent unless
we change our ways.

IMHO I think the best solution would look something like SQRL
([https://www.grc.com/sqrl/sqrl.htm](https://www.grc.com/sqrl/sqrl.htm)).

EDIT: I'm not against adding two-factor to a website that only has
username+password. I personally use two-factor everywhere I can. My point is
that this is not a good combo, from a security and usability point of view.
But still better than just passwords.

~~~
jlgaddis
Any time someone mentions Steve Gibson, the "Security Now" podcast, or any of
his "work" I feel obligated to point them to
[http://attrition.org/errata/charlatan/steve_gibson/](http://attrition.org/errata/charlatan/steve_gibson/)

~~~
BoppreH
The stuff on that page is old, and I don't find it all that damning. Gibson is
a character indeed, and I disagree with some of his stuff (e.g. writing
security code in assembly and posting screenshots online in lieu of open
source), but I wouldn't put scary quotes around the word "work" as you did.

And note I said "something _like_ SQRL".

~~~
jgowdy
But support for raw sockets is going to destroy the internet! Steve Gibson
warned us! Now it’s too late!

------
graystevens
Got a pull request in for our startup to say we do software 2fa. Will be
looking into supporting hardware 2fa too when we get the chance.

If you’ve got or know of a site using 2fa, definitely put in a pull request to
show your support.

------
captn3m0
Was just using it today to set up my YubiKey everywhere possible.

