
How to add Two-Factor Authentication to your website with Google Authenticator - jf
http://www.twilio.com/blog/2013/04/add-two-factor-authentication-to-your-website-with-google-authenticator-and-twilio-sms.html
======
harshreality
Note: Duo Security's app (for Android) is better. It supports TOTP and lets
you rearrange accounts. With more websites adopting TOTP 2-factor, rearranging
accounts is a mandatory feature.

Google Authenticator's bug on this issue (android specific) has made no
progress. The iOS Google Authenticator app rearranges accounts just fine.

[https://code.google.com/p/google-authenticator/issues/detail?id=118](https://code.google.com/p/google-authenticator/issues/detail?id=118)

Disclaimer: I don't work for, or have any stake in, Duo Security. None of this
implies a preference for Duo's service (I prefer TOTP wherever it makes
sense).

~~~
stock_toaster
On the iOS version of GA you have to hit the "legal information" button
before the "edit" button will work and you are able to rename/rearrange
things.

No clue why, and you have to do it any time you restart the app (I think it
works across backgrounding, but I can't remember). Pretty weird bug.

------
natosaichek
Wow. This is thorough. Well done!

~~~
seany
What else would you be expecting from joel? :)

Nice work.

------
Goopplesoft
I created a service here: <https://www.gauthify.com> , although it's production
ready I haven't really announced it anywhere (100% uptime between the servers
the last 4 months with heavy testing going on 24x7). Anyway, it is essentially
Google Authenticator as a service paired with SMS and email as alternative
authentication methods. Plus it has libraries in Python, Ruby and PHP.

The best part? Read the docs: you can implement email, SMS & Google
Authenticator OTP/2FA in as little as 4 lines of code.

------
jaredonline
I made a RubyGem for implementing this with Rails not too long ago:
<https://github.com/jaredonline/google-authenticator>

------
josh2600
Just wanna say, met jf once at a panel, could not be a nicer fellow. Lots of
fun to talk to and he writes awesome posts.

------
bithive123
I wrote some example Ruby code to do the same thing (we use Google
Authenticator on the web and for our VPNs via the Perl hooks in FreeRADIUS) if
anyone is interested: <https://github.com/bithive/example-totp-vault>

------
js4all
TFA is great. But it seems like a lot of work doing it that way. Just use
Google as a login provider and get all that stuff on top.

~~~
philsnow
Specifically, if you set things up as in the linked article, no traffic or
other information is going to Google (unless you think that the Google
Authenticator app is leaking info to Google for whatever reason).
Specifically, Google doesn't see how many logins your app gets.

If you're trying to sneak up on a market, or if for some reason you're trying
to hide from Google the number of active users you have, you might see this as
an advantage.

~~~
fusiongyro
I might consider it an advantage if Google isn't able to snuff out my users'
accounts/access with impunity. I don't understand the technology enough to
know whether that is the case, but I wouldn't _rely_ on Google for
authentication at this point for this reason.

~~~
jf
TOTP is surprisingly easy to understand and implement. I do my best to explain
how it works in the "Understanding TOTP" section of this article. Take a look
at that section and let me know if it makes sense.

~~~
fusiongyro
What's ambiguous about it is whether or not I need a Google account (and
whether Google having taken away that account, I can still log into your
service). The "Understanding TOTP" section seems to be saying that you don't
and they can't, in which case there's nothing to object to.

~~~
jf
Great feedback, thanks. I've updated the "Adding Google Authenticator" section
with a note that should make that less ambiguous.
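The two points argued above (jf: TOTP is easy to implement; fusiongyro: does logging in depend on a Google account?) are easiest to settle by looking at the algorithm itself. The following is an added example written for this page, not code from the linked article or from any of the libraries mentioned in the thread. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with only the Python standard library, verifies against the published RFC 6238 test secret, and builds the `otpauth://` provisioning URI that Google Authenticator reads from a QR code. Nothing in it contacts Google or any other server: the only shared state between your site and the user's phone is the random secret you generate, so neither party needs a Google account. The `verify_totp` replay check (`last_used_step`) and the `new_secret` helper are this example's own additions, not something the RFCs mandate.

```python
"""RFC 4226 (HOTP) / RFC 6238 (TOTP) in plain Python; standard library only.

Added example, not code from the linked article. Runs offline: the server
and the authenticator app share only the secret, nothing is sent to Google.
"""
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

# Test secret from RFC 6238 Appendix B (ASCII "12345678901234567890"), SHA-1.
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)   # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_used_step=None,
                window: int = 1, step: int = 30, digits: int = 6):
    """Accept a code for the current step or +/- `window` steps of clock drift.

    Returns the accepted step number, or None. A step at or below
    `last_used_step` is refused so a captured code cannot be replayed;
    the caller persists the returned step per user (our own addition).
    """
    current = int(unix_time) // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if last_used_step is not None and candidate <= last_used_step:
            continue
        # constant-time compare so a timing side channel can't leak digits
        if hmac.compare_digest(hotp(secret, candidate, digits), str(code)):
            return candidate
    return None


def new_secret(nbytes: int = 20) -> bytes:
    """Fresh per-user secret; 20 bytes is the RFC 4226 recommended minimum."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI Google Authenticator imports from a QR code (base32 secret)."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = f"{quote(issuer)}:{quote(account)}"
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"


if __name__ == "__main__":
    # RFC 6238 vector: T=59 -> 8-digit "94287082"
    print(totp(RFC6238_SECRET, 59, digits=8))
    print(provisioning_uri(new_secret(), "alice@example.com", "example.com"))
```

On enrolment you generate `new_secret()`, store it for the user (encrypted at rest; it is a symmetric credential), and show `provisioning_uri()` as a QR code; on login you call `verify_totp()` with the submitted digits and the user's stored `last_used_step`. If Google disabled the user's Google account tomorrow, the app on their phone would keep producing valid codes, because the secret and the clock are the only inputs.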

