

How to keep your users safe - landakram
http://blog.clef.io/post/40530686153/how-to-keep-your-users-safe

======
sehrope
"Two-factor ... These devices can be expensive ... "

This is not true at all (the expensive part). The hardware component for
setting up two-factor auth for users is effectively free if your users have
smart phones (i.e. Google Authenticator and equivalents). Honestly, users that
don't have smart phones probably aren't going to use two-factor auth
anyway.

Similarly, the server software side isn't that complicated to implement either.
In my experience with implementing it, most of the complexity is in handling
emergency codes for resets, as implementing the TOTP/HOTP parts is pretty
straightforward.

I remember hearing that single-purpose two-factor hardware tokens (i.e.
something like those RSA SecurID keychains) are on the order of $5-10 per user
(was a couple years ago, price is probably lower now). If you're dealing with
less sophisticated users but the cost of compromising a user's account is high
(ex: you're a financial institution) then I think that price is well worth it.

~~~
brennenHN
Many companies still charge $50/user/year for two-factor authentication (Wells
Fargo wanted to charge me $180/year for it) and even programs that use
smartphones can be expensive. What you're suggesting is that companies do it
in-house, which is possible with a sophisticated IT department, but still
takes significant time (cost) to implement and manage.

You're right that this technology is getting much better, but cost is still a
barrier to entry for this space.

~~~
gregdodd111
I'm a programmer and it took me about an hour to implement and test a basic
two-factor authentication algorithm using Google Authenticator. That includes
creating the QR code, creating the secret string and calculating the current
one-time password. If you have a decent programmer for your web application then
the one-time cost involved is very minimal for the benefit that it provides.
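
The server-side pieces the comments above mention (secret string, QR payload, current one-time password), as an added example that is not code from the thread or from any commenter. It follows RFC 4226/6238 with HMAC-SHA1; the account and issuer values and the `last_used` replay check are assumptions of this sketch, and rendering the URI as a QR image is left out.

```python
import base64, hashlib, hmac, secrets, struct, time
from urllib.parse import quote, urlencode

def new_secret(nbytes=20):
    """Random shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")

def provisioning_uri(secret_b32, account, issuer):
    """otpauth:// URI that gets encoded into the enrollment QR code."""
    label = quote(f"{issuer}:{account}")
    params = urlencode({"secret": secret_b32, "issuer": issuer})
    return f"otpauth://totp/{label}?{params}"

def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key, now=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    now = time.time() if now is None else now
    return hotp(key, int(now // step), digits)

def verify(key, submitted, last_used, now=None, step=30, window=1):
    """Return the matched time-step counter, or None.

    Accepts +/- `window` steps of clock drift and rejects any counter
    <= last_used, so a code seen once cannot be replayed. The caller
    stores the returned counter as the user's new last_used value.
    """
    now = time.time() if now is None else now
    current = int(now // step)
    matched = None
    for counter in range(current - window, current + window + 1):
        expected = hotp(key, counter).encode()
        # Constant-time comparison; no early exit on a match.
        if hmac.compare_digest(expected, submitted.encode()) and counter > last_used:
            matched = counter
    return matched

if __name__ == "__main__":
    secret = new_secret()  # constructed sample enrollment
    print(provisioning_uri(secret, "alice@example.com", "ExampleApp"))
    print(totp(base64.b32decode(secret)))
```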

------
seangransee
Really looking forward to seeing Clef on more sites

