
Two Factor Auth List of Websites - Flimm
https://twofactorauth.org/
======
daveguy
TradeKing definitely needs to be added to this list. They should be
prominently featured at the top in a security hall of shame for their
cartoonish security.

Edit, examples:

No 2 factor authentication

Displaying the answers to your security questions in multiple choice form
(with a none of the above option, but usually including your answer).

Requiring your password to be entered with mouse clicks at an on-screen
keyboard. Not kidding.

Those ridiculous "anti-phishing" pics.

TradeKing is the definition of security theatre.

Do not use TradeKing.

~~~
cpach
Please consider sending them a pull request:
[https://github.com/2factorauth/twofactorauth/pulls](https://github.com/2factorauth/twofactorauth/pulls)

~~~
daveguy
Yes. I am aware, thank you. I was planning to send a pull request to add
tradeking if it isn't already there when I get home. I doubt they want a hall
of shame pull request -- it seems to be a well structured list.

------
CiPHPerCoder
I worked on an open source CMS called Airship and we decided to include 2FA in
our v1.0 release. After a bit of research (mostly to conclusively rule out
SMS-based 2FA), I found that it was actually very easy to implement.

I started working on a vendor-agnostic 2FA implementation for PHP projects.

[https://github.com/paragonie/multi_factor](https://github.com/paragonie/multi_factor)

It's far from complete, but hopefully it makes it easier for others to add 2FA
to their projects.

If anyone's interested in the open source CMS I mentioned:
[https://github.com/paragonie/airship](https://github.com/paragonie/airship)

~~~
laurencei
FYI - the correct link is:
[https://github.com/paragonie/multi_factor](https://github.com/paragonie/multi_factor)

~~~
CiPHPerCoder
Thanks! I'm not sure why I didn't copy/paste. :)

------
RKearney
I would argue that Namecheap shouldn't be on that list. They send out a 6
digit code and then immediately tell you what number it begins with, reducing
the code to effectively 5 digits. Their continued refusal to support RFC 6238
shows they don't take this seriously in my opinion.

~~~
superuser2
Does it matter whether it's 6 digits or five? Surely any rate limiting is
going to make either effectively impossible to brute force before the code
expires and a new one is generated.

------
petejansson
It's great that this exists. Many typical users are still befuddled by
multifactor authentication, and the one thing that helps is practice.
Unfortunately, by having all these islands of identity, the frequency of
interaction for many of them ends up being low, resulting in users forgetting
they enabled MFA and the associated recovery costs.

There have been technologies to try to bridge the identity islands -- social
login (which previously created trust issues through OAuth abuse - many
resolved, but trust is hard to win back), Mozilla persona and others. But, at
the end, the hostility of end user identity is still a problem that needs to
be solved in such a way that end users have good authentication choices (no
more bad security questions, for example) with good security attributes (low
replay, discoverability and guessability, for example) with good usability.
Ideally, an end user should be able to choose an identity provider, trust
them, and then use that identity provider across multiple services. I know
that some companies are working on this, but it still tends to be in islands,
rather than an industry group, for example, dedicated to making it work. At
this point, a de facto standard may be the best thing.

I've been in meetings with IAM architects at large banks who scoff at social
login because they don't want to trust social login security, yet their own
end user security is marginal. Some honest conversations need to happen in
this space to help move things forward.

Better identity infrastructure for end users will help service providers.

~~~
cpach
Great points. I love TFA (e.g. Google Authenticator) but I recognize that ~95%
of Internet users will never care as long as it is as hard to use as it
currently is.

------
chelmertz
OT: Just in case any web devs read this: you might want to mark up clickable
things as clickable (<a>). If you need a data point: I'm using Vimium for Chrome.

~~~
slazaro
Also, I think there should be an option to show all of the websites. I don't
want to keep clicking to see which websites I use, I just want to browse by
scrolling.

~~~
smholloway
Does something like
[https://twofactorauth.org/data.json](https://twofactorauth.org/data.json)
satisfy? It's not the most usable interface, but it should have all the data.

------
lorenzhs
There's a similar list for U2F (the USB / NFC dongles) support at
[http://www.dongleauth.info/](http://www.dongleauth.info/) - I'm not entirely
sure how up to date it is

------
IgorPartola
I wish there was a service like this for IPv6. And I mean proper IPv6, and not
the bullshit that for example Digital Ocean is peddling: 16 addresses per
server my foot.

Also, proper HTTPS and HTTPS-only support. There are still way too many sites
that offer HTTP as a valid option.

------
akerro
It has always made me wonder why my bank can't offer me 2FA with an SMS code,
but Steam or GitHub can?

~~~
peterwwillis
Why do you want the place that keeps all your money to support an unencrypted,
unauthenticated, over-the-air token delivered by an insecure provider over an
insecure protocol?

~~~
akerro
Because it's still better than login + password?

------
vitd
I see that Charles Schwab is listed as having 2-factor authentication via
hardware token, and Citibank is listed as not having it. Both of these are
only partially correct. For example, Charles Schwab allows it on their
brokerage accounts, but if your company sets up your 401k with them, then it's
not supported.

Citibank does support it, but only on their "Gold" accounts.

------
jve
I wonder about those banking sites... my bank is only listed with a hardware
token. However, that internet bank is 2FA by default, because I need a password
and a code card which I possess and which they give out to every user. Not only
do I need a code from that card for login, but also for each payment via the
internet bank.

~~~
smholloway
If I'm understanding you correctly you're confused why only the hardware
column is checked--is that right? That's, unfortunately, a common complaint.
The columns _should_ correspond to only the second factor, with an assumption
that username/password (a "knowledge" factor) is likely the first factor.

Some backstory on that decision: the site originally had columns for each 2fa
company/product you could use; e.g., Google Authenticator, Authy, etc. Listing
all the options was not scalable as the number of options grew, so
twofactorauth.org went with a more abstract classification based on the second
factor interaction. A few examples where that matters:

* If you refuse to use an easily misplaced fob then you might avoid sites
  that only offer hardware 2fa.
* Not everyone can receive SMS, but maybe they can download an app
  (software) or reuse their hardware token.
* Some people prefer a voice call, so they might choose a bank that allows
  for 2fa-over-voice.

Hope this helps.

------
borski
If you use Rails and want to integrate two factor auth into Devise, we built a
gem / devise strategy for that:
[https://github.com/tinfoil/devise-two-factor](https://github.com/tinfoil/devise-two-factor)

------
DiabloD3
2FA is trivial to add.

[https://www.authy.com/](https://www.authy.com/)

Just do it.

~~~
jdeibele
Thanks for the reference. For end-users, they claim that their app will work
on multiple devices whereas Google Authenticator only works on one. That would
be a big advantage - I'm worried about losing my phone even with backup codes
in my wallet. Worst case situation is that I'm robbed and have to hand over
phone and wallet!

Also, I'm not aware of Google Authenticator being updated. Which makes me
concerned that it's not a priority for Google and might be end-of-lifed.

~~~
scrollaway
Google Authenticator is a TOTP client. TOTP is an open spec.

If you use a different client, you can probably find one that will let you
back up codes (I'm sure Authy supports TOTP). Also note that all you need for
that backup is a "seed", which is a hash. IIRC Google Authenticator uses
SQLite to store its data, I bet it's not hard to get the seeds out and back
them up manually.

~~~
solarkennedy
I wrote a program to extract the seeds out of the sqlite and back into QR
codes for easy transfer. You are right it wasn't that hard:
[https://github.com/solarkennedy/tfa_auth_dump](https://github.com/solarkennedy/tfa_auth_dump)

~~~
xorcist
Do you need to root your phone in order to extract the sqlite database?

------
zhte415
Sticky table headers would be useful.

------
csomar
Some interesting things:

1. Banks and finance sites do not implement 2FA enough.

2. All crypto sites have 2FA.

3. No airline website has 2FA.

------
nickik
The TOTP stuff will never be widely used. It's just a total pain to work with.
SMS is also very suboptimal.

I have more hope for U2F as second factors go. That is at least easy to work
with once you have bought the token. I find it a joy to use.

~~~
CiPHPerCoder
> The TOTP stuff will never be widely used. It's just a total pain to work with.

I'm not sure I agree with that.

Generating a code:

    <?php
    use ParagonIE\MultiFactor\Vendor\GoogleAuth;
    use ParagonIE\MultiFactor\OTP\TOTP;

    // 160-bit random seed (RFC 4226 recommends at least 128 bits, 160 preferred)
    $seed = random_bytes(20);
    /** Then persist $seed into the database for a user **/

    // Render the enrolment QR code (otpauth:// URI) for the user's authenticator app
    $gauth = new GoogleAuth($seed, new TOTP());
    header("Content-Type: image/png");
    $gauth->makeQRCode();

Validating a code:

    <?php
    use ParagonIE\MultiFactor\Vendor\GoogleAuth;
    use ParagonIE\MultiFactor\OTP\TOTP;

    // First factor: the password hash check
    if (\password_verify($_POST['password'], $storedHash)) {
        $seed = /** Get seed from database for this user **/;
        // Second factor: the 6-digit TOTP code the user typed from their app
        $gauth = new GoogleAuth($seed, new TOTP());
        if ($gauth->validateCode($_POST['2facode'])) {
            // Login successful
        }
    }

Then you can just use the 2FA app of your choice (Authy, Google Authenticator,
etc.), scan the QR code, and you're good to go.

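The PHP snippets above hide what TOTP actually does, and the earlier sub-thread about backing up Google Authenticator seeds and turning them back into QR codes rests on the same fact: the only secret is the seed. The following is an added example, not code from this thread, from paragonie/multi_factor or from Google Authenticator. It implements RFC 4226 HOTP and RFC 6238 TOTP directly and builds the otpauth:// URI that an enrolment QR code encodes. Assumed parameters are the Google Authenticator defaults (HMAC-SHA1, 30-second step, 6 digits) plus a one-step tolerance window and a last-used-counter check; the seed and timestamps are the RFCs' published test vectors, used here as constructed input.

```python
"""Minimal RFC 4226/6238 HOTP/TOTP, added here as an example. This is not code
from the thread, not from paragonie/multi_factor and not from Google
Authenticator. Assumed parameters are the Google Authenticator defaults:
HMAC-SHA1, 30-second step, 6 digits, with a +/-1 step verification window."""
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse
from typing import Optional

# Shared secret from the RFC 4226 / RFC 6238 test vectors ("12345678901234567890").
# A real deployment generates its own 20 random bytes per user and stores them.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C): HMAC-SHA1, dynamic truncation, then mod 10^digits (RFC 4226 s.5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter set to floor(unix_time / step) (RFC 6238)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, candidate: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                last_counter: int = -1) -> Optional[int]:
    """Return the time-step counter the code matched, or None if it is rejected.

    Every counter in [now - window, now + window] is checked without early exit
    and each comparison is constant time. The caller persists the returned
    counter and passes it back as last_counter, so a code that was already
    accepted (or intercepted) cannot be replayed inside the window."""
    if at is None:
        at = int(time.time())
    # Only ASCII digits of the right length: rejects garbage before any HMAC work
    if not (candidate.isascii() and candidate.isdigit() and len(candidate) == digits):
        return None
    now = at // step
    matched = None
    for counter in range(max(0, now - window), now + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            matched = counter  # keep looping: no early exit on success
    if matched is None or matched <= last_counter:
        return None
    return matched


def otpauth_uri(secret: bytes, issuer: str, account: str,
                digits: int = 6, step: int = 30) -> str:
    """The otpauth:// URI an authenticator app reads from the enrolment QR code.
    The seed is only base32-encoded, so whoever sees the QR code owns the factor."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": b32, "issuer": issuer,
                                    "algorithm": "SHA1", "digits": digits,
                                    "period": step})
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, 59))  # RFC 6238 vector at T=59, truncated to 6 digits
    print(otpauth_uri(RFC_TEST_SECRET, "Example", "alice@example.com"))
```

Two things the snippet makes visible. With a one-step window the server accepts three distinct 6-digit codes at any moment, so the guess space is 10^6 / 3 per attempt and the rate limit on the code endpoint is doing the real work; this is why the earlier complaint about a provider disclosing the first digit (cutting the space to 10^5) is worth more than it first looks. And backing up an authenticator is nothing more than saving the base32 seed from the otpauth:// URI; anyone holding a copy of that QR code holds the second factor.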
~~~
nickik
I have implemented this before. I have it in production right now.

The fact is people hate typing stuff from their phone into their computer,
especially if your phone is not always within reaching distance. If you have to
do it with tons of different logins you will be annoyed. As long as you have
1-2 accounts it's fine, but if we really want to roll it out everywhere, we
need something better.

~~~
CiPHPerCoder
What are your thoughts about SQRL?

~~~
nickik
I don't know enough about it. I have stumbled on it before, but I need to get
into it.

------
znpy
I think this really should also list which sites will let you download a
series of tokens to use in case of mobile phone loss.

I recently forgot my phone at university and realized that I was potentially
locked out of many websites.

------
libeclipse
Still waiting on Amazon UK to enable two-factor authentication.

~~~
waldfee
Log in on amazon.com, enable 2FA there. Now 2FA is also active on Amazon UK,
and the option also appears in the settings.

stupid but works

~~~
gore90-
Ah. I didn't know that. I just got it setup. Thanks.

------
camiller
Thanks for posting this. Apparently some time in the last couple months (since
the last time I checked) my bank added 2FA. Just went and activated it.

------
olivier_martel
Instagram does have 2FA...

~~~
sib
Are you sure it's rolled out for everyone? I have been trying to find it (web
& mobile app) for weeks and can't find it... I know there was a bunch of press
about it in February 2016, but I don't see it in the UI.

~~~
olivier_martel
I do have it since the beginning of 2016... I have 16k followers so it might
explain the 1k+. It's in the options, right under "Posts You've Liked".

------
bluesign
Soon it will be scraped/exported to a Google Doc, I hope.

~~~
uptown
It's open source:
[https://github.com/2factorauth/twofactorauth](https://github.com/2factorauth/twofactorauth)

------
mondoshawan
JS required? For a list? Seems rather excessive.

~~~
tomclancy
Honestly! The nerve of that webmaster!

------
drcreed
Your site works with none of Vimium, NoScript or ad blockers, so I can't use
it.

~~~
pc86

    s/can't/won't

Not saying you don't have a valid complaint, but let's not forget what _can't_
means.

