
2-Factor Authentication – A monster guide to securing accounts with 2FA - hussamz
https://blog.shakepay.com/2-factor-authentication/
======
hussamz
Hey everyone!

I work at Shakepay (we help Canadians buy bitcoin) - we put together a guide
on 2-factor authentication for our customers and figured the broader tech
community would find it useful.

If you have any feedback we'd love to hear it! Thanks!

~~~
T3OU-736
A good write-up. Thank you for taking the time and the effort. Complex topic,
and I believe, well covered, with a delicate balance struck between very deep
details and keeping it accessible.

Some thoughts:

If possible, adding other TOTP apps to the list by name as examples of non-
Google apps (which, for a long time, did not back up the entries, causing
annoyance, gnashing of teeth, and despair) may be in order? Or at least
mention that not all TOTP apps support backups?

Around the SMS topic and use of cell phones for auth - no mention of push-
based setups? Authy and Duo come to mind. More secure than SMS (when SSL certs
are _properly_ set up), and they do use the biometric auth to validate the auth
request. The option to indicate the authentication context (like location of
the request origin from GeoIP) does help in reasoning about the request
validity.

As an aside, I really do wish U2F tokens would have an option, on the device,
to indicate which URL (or some other, harder-to-fake ID) of what is requesting
auth. The use case I have seen is that people leave their U2F tokens plugged
in, and effectively condition themselves to simply tap the button every time
it blinks.

A side project for my "copious spare time" /s

_Edit_: fixed skipped words.

