

Two Factor Authentication for Hybrid and Private Cloud - yurisagalov
http://blog.aerofs.com/two-factor-authentication-for-hybrid-and-private-cloud/

======
borski
This is great. More companies should do this and build it in as a recommended
security feature. If you use Rails, you can use the two factor auth gem we
built: [https://github.com/tinfoil/devise-two-factor](https://github.com/tinfoil/devise-two-factor)

For more info check it out here: [https://www.tinfoilsecurity.com/blog/two-factor-authenticati...](https://www.tinfoilsecurity.com/blog/two-factor-authentication)

Also, for a list of services that provide 2FA, check out
[http://twofactorauth.org](http://twofactorauth.org). It's a pretty extensive
list, and hopefully more companies start adding 2FA.

------
rdl
I'm sort of a caveman about this, but I prefer physical 2FA tokens for a lot
of things. It would be nice if you could accept user input of a seed (in case
I've bought a Gemalto or something online) and want to register it.

~~~
yurisagalov
Not a bad idea, I'll file it as a feature request and see if we can do it in
some easy-to-use fashion. The AWS example you mention in the thread below is
good, but AWS is super complicated for a random user to use :\

~~~
rdl
Yeah, the thing IAM is missing is "sensible defaults", i.e. pre-populated
templates. They have this, but it's not the default.

I suspect there's probably a career (for a while) in being an IAM/VPC/etc.
configuration specialist.

------
chmars
2FA should IMHO be standard and not make headlines!

On the other hand and with the latest Synology private cloud hacks, I am not
sure if 2FA makes that much of a difference for private cloud servers. 2FA
cannot be used for all logins and the solutions therefore are usually
additional passwords with limited user rights, however, if there is a security
issue, such limited user rights are usually sufficient …

Your mileage might vary, of course, but I agree more and more that hosting
your own data is probably not the right solution for most users (and maybe
even for most HN folks).

Recommended reading: [http://tante.cc/2013/05/20/host-your-own-is-cynical/](http://tante.cc/2013/05/20/host-your-own-is-cynical/)

~~~
fatbob
What's depressing is that bank and mutual fund websites don't generally have
OAUTH or 2FA and they're the ones with the worst consequences if they get
hijacked.

~~~
leetNightshade
Definitely depends on the bank, I'm lucky enough that Bank of America provides
2FA.

------
ztnewman
I want to like AeroFS but the "Searching for dinosaurs" and "Performing some
magic" messages during install and sign in seem really unprofessional..

