
List of websites and whether or not they support 2FA - chatmasta
https://twofactorauth.org
======
modeless
This site should call out common 2FA implementation mistakes, like requiring a
special app or device instead of using standard TOTP, not providing revokable
printable recovery codes, not allowing SMS to be disabled when other 2FA
methods are added, or not supporting multiple hardware keys.

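The "standard TOTP" and "revokable printable recovery codes" points above, as an added example that is not part of the thread or of twofactorauth.org: an RFC 6238 TOTP verifier (HMAC-SHA1, 6 digits, 30-second step, the defaults authenticator apps expect) with replay protection, plus recovery codes that are stored hashed and can be revoked one at a time. The test-vector secret is the one from RFC 4226/6238; the recovery-code format (four groups of four base32 characters) is an assumption of this example.

```python
"""Added example (not from the thread or twofactorauth.org): a minimal RFC 6238
TOTP verifier with replay protection, plus single-use recovery codes that are
stored hashed and can be revoked individually."""
import base64
import hashlib
import hmac
import secrets
import struct
from typing import List, Optional, Tuple

DIGITS = 6   # code length most authenticator apps default to
STEP = 30    # seconds per time step


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP = HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, skew: int = 1,
                last_counter: int = -1) -> Tuple[bool, int]:
    """Accept a code for the current step or up to `skew` steps either side of
    it (clock drift), but never for a counter at or below the last one that
    succeeded, so a code intercepted in transit cannot be replayed within the
    window. Returns (ok, counter_to_persist)."""
    counter = at // STEP
    for c in range(counter - skew, counter + skew + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c), code):
            return True, c
    return False, last_counter


def generate_recovery_codes(n: int = 10) -> Tuple[List[str], List[Optional[str]]]:
    """Returns (codes to show or print exactly once, hashes to store). Each code
    is 80 random bits as 16 base32 characters, so the stored SHA-256 hashes are
    not brute-forceable if the database leaks. Format is this example's choice."""
    plain: List[str] = []
    stored: List[Optional[str]] = []
    for _ in range(n):
        raw = base64.b32encode(secrets.token_bytes(10)).decode().lower()  # 16 chars, no padding
        plain.append("-".join(raw[i:i + 4] for i in range(0, 16, 4)))
        stored.append(hashlib.sha256(raw.encode()).hexdigest())
    return plain, stored


def redeem_recovery_code(stored: List[Optional[str]], submitted: str) -> bool:
    """Compare the submitted code against every unused slot (constant-time per
    slot); on success the slot becomes None so the code cannot be used again.
    Setting a slot to None by hand is how a single code is revoked."""
    normalized = submitted.replace("-", "").replace(" ", "").strip().lower()
    digest = hashlib.sha256(normalized.encode()).hexdigest()
    match = None
    for i, h in enumerate(stored):
        if h is not None and hmac.compare_digest(h, digest):
            match = i
    if match is None:
        return False
    stored[match] = None
    return True


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test-vector secret
    print(totp(secret, 59))           # 287082
    codes, db = generate_recovery_codes(3)
    print(codes, redeem_recovery_code(db, codes[0]), redeem_recovery_code(db, codes[0]))
```

Because the algorithm is the published standard, any off-the-shelf authenticator app can enrol against `secret`; a vendor-specific app adds nothing here except lock-in. The `last_counter` bookkeeping is the part most home-grown implementations forget.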
~~~
woodruffw
Here's a decent list: https://blog.trailofbits.com/2019/06/20/getting-2fa-right-in-2019/

(FD: I wrote it)

------
avip
This is a great opportunity to bash Spotify, for their abuse of credentials is
abysmal. Not only is there no 2FA, but there's no email confirmation for
password reset.

Yes, I've said it: if you leave an open Spotify running somewhere, someone
can walk by and take over your account.

~~~
supernova87a
I experienced this in a different way! For some reason I had duplicate user
names or something tied to my old email address that I could no longer receive
emails at (or wasn't receiving, on requesting a reset link). I opened a chat
(I recall?) with the customer service, and after explaining, the person typed,
"ok I have reset your account email address to xyz@hotmail.com" (which I
provided).

What!? Without any verification or corroborating proof of me being the account
holder? This is really shady.

------
ctab
Good idea. Unfortunately any 2FA using a phone number (SMS or phone call) is
highly insecure -- see Jack Dorsey having his Twitter hijacked, or any number
of people having bitcoins stolen from Coinbase. That implementation should be
marked with a big red X, not a green checkmark.

~~~
progval
> see Jack Dorsey having his Twitter hijacked

His account was hijacked because his phone number was a single factor.

~~~
NotSammyHagar
I think a better description is: using your phone number for 2-factor auth and
for the account means that if you steal someone's phone number (via SIM hacking,
usually), then you can do anything, because you can reset the account through
the phone number and then set the password, and now you control 2 factors
(phone + password).

~~~
progval
That sounds like a bad way to implement 2FA, indeed.

------
kirab
This is a useful site for me. Though not (only) because of the intended usage,
but because of having a list of websites and services by topic curated by the
developer community (who else adds a website by pull request?)

~~~
stephenr
Their policy is to reject otherwise-fine PRs if the site in question is not in
the Alexa top 200K, so no, this is not a good resource for either the stated
purpose or for your stated purpose.

~~~
echelon
The Alexa top 200k seems like a good bar. Beyond that you're going to get a
lot of noise.

HN ranks pretty highly, and we're a "niche" community.

~~~
stephenr
I’m sorry but how is “site xyz supports 2FA” noise, given that you essentially
need to search, regardless of what site you want to check?

Are you saying only the top 200K sites are important enough to warrant 2FA at
all?

------
ken
I'd be more enthusiastic about this if it were about more than just 2FA.
That's not the end-all-be-all of website security, and there's sites here
which get the "green checkmark" of approval but I'm suspicious of for other
reasons. Security is complex, and I wouldn't want my website to be shamed for
not having someone's one pet feature. Especially if some other site got a
thumbs-up for a flawed implementation.

A site like this would be great if it included columns for other security
features so I can see whether they take security seriously overall.

------
psanford
Didn't this page used to say whether or not a site supported U2F specifically
or was that some other very similar looking page?

It's unfortunate that they don't have this information. I would switch services
to a site that specifically supports U2F/FIDO/FIDO2, but not to a site that
uses a random proprietary hardware token that is still vulnerable to phishing.

~~~
cmg
Wouldn't that fall under the "Hardware Token" column, or is that a different
technology?

~~~
psanford
I'm trying to say that not all hardware tokens are created equal. A hardware
RSA TOTP-esque fob offers no phishing protection, whereas a FIDO key does. It's
unfortunate this site doesn't distinguish between those two cases.

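The distinction in the comment above, as an added example that is not part of the thread: a toy model of why a FIDO/WebAuthn assertion survives a code-relaying phishing page while a TOTP fob's code does not. A TOTP code is just six digits, so whoever the user types it to can forward it. A FIDO authenticator only answers for the RP ID it registered with, and the signed data carries SHA-256(rpId) plus the origin the browser put into clientDataJSON, which the server checks. The hostnames `bank.example` and `bank-login.example` are hypothetical, and the signature is simulated with HMAC over a shared secret (real credentials use an asymmetric key pair); everything else is simplified from the WebAuthn flow.

```python
"""Added example (not from the thread): toy model of FIDO/WebAuthn origin
binding. HMAC stands in for the credential's asymmetric signature; the host
names are hypothetical."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set


class Authenticator:
    """One credential per RP ID; the stored secret stands in for the private key."""

    def __init__(self) -> None:
        self._creds: Dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._creds[rp_id] = key
        return key  # stands in for the public key handed to the RP

    def get_assertion(self, rp_id: str, client_data: str) -> Optional[dict]:
        key = self._creds.get(rp_id)
        if key is None:
            return None  # no credential scoped to this RP ID: look-alike domains get nothing
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # the rpIdHash field
        client_hash = hashlib.sha256(client_data.encode()).digest()
        sig = hmac.new(key, auth_data + client_hash, hashlib.sha256).digest()
        return {"auth_data": auth_data, "client_data": client_data, "sig": sig}


class RelyingParty:
    def __init__(self, rp_id: str) -> None:
        self.rp_id = rp_id
        self._pubkeys: Dict[str, bytes] = {}
        self._pending: Set[str] = set()

    def register(self, user: str, pubkey: bytes) -> None:
        self._pubkeys[user] = pubkey

    def new_challenge(self) -> str:
        c = secrets.token_hex(16)
        self._pending.add(c)
        return c

    def verify(self, user: str, assertion: Optional[dict]) -> bool:
        if assertion is None or user not in self._pubkeys:
            return False
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self._pending:
            return False  # unknown or already-consumed challenge (blocks replay)
        self._pending.discard(cd["challenge"])
        if cd.get("origin") != "https://" + self.rp_id:
            return False  # clientDataJSON origin must be ours
        if assertion["auth_data"] != hashlib.sha256(self.rp_id.encode()).digest():
            return False  # rpIdHash must be ours
        client_hash = hashlib.sha256(assertion["client_data"].encode()).digest()
        expected = hmac.new(self._pubkeys[user], assertion["auth_data"] + client_hash,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["sig"])


def browser_get(auth: Authenticator, page_host: str, challenge: str) -> Optional[dict]:
    """Models navigator.credentials.get(): the browser, not the page, writes the
    real origin into clientDataJSON and scopes the request to that host."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": "https://" + page_host})
    return auth.get_assertion(page_host, client_data)


def setup():
    auth, bank = Authenticator(), RelyingParty("bank.example")
    bank.register("alice", auth.register("bank.example"))
    return auth, bank


def legitimate_login() -> bool:
    auth, bank = setup()
    return bank.verify("alice", browser_get(auth, "bank.example", bank.new_challenge()))


def phishing_relay_attempt() -> bool:
    """Hypothetical phishing host bank-login.example relays the real bank's challenge,
    exactly the trick that works against a relayed TOTP code."""
    auth, bank = setup()
    challenge = bank.new_challenge()  # attacker fetched this from the real site
    return bank.verify("alice", browser_get(auth, "bank-login.example", challenge))


def replay_attempt() -> bool:
    """A captured genuine assertion is useless too: its challenge is consumed on first use."""
    auth, bank = setup()
    assertion = browser_get(auth, "bank.example", bank.new_challenge())
    first = bank.verify("alice", assertion)
    return first and bank.verify("alice", assertion)


if __name__ == "__main__":
    print(legitimate_login(), phishing_relay_attempt(), replay_attempt())  # True False False
```

The phishing attempt fails twice over: the authenticator has no credential for the look-alike host, and even a forged assertion would carry the wrong rpIdHash and origin. None of that exists for a fob that only displays digits.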
~~~
cmg
Ah, thanks for the clarification. I didn't read/parse your original comment
properly.

------
aasasd
Google is rumored to support TOTP, only I have to first provide my phone
number to find out. Which means their ‘2fa support’ is useless to me and looks
more like those ‘put in your phone number to download the pdf’ websites.

