

Cloudflare introduces two-factor authentication - spindritf
http://blog.cloudflare.com/2-factor-authentication-now-available

======
Matt_Cutts
Looks like a lot of comments on the original article are asking why Cloudflare
didn't go with Google Authenticator, and I have to admit I'm curious about
that myself.

Edit: Cloudflare left an answer in the comments of their blog about why they
chose Authy, so I'm copy/pasting it here:

"Thanks everyone for your comments, we appreciate the feedback. Some insight
on why we chose Authy (more on this in a blog post to follow)...

1\. Authy app will support google authenticator tokens within the next 2
weeks.

2\. We chose Authy to solve many of the problems with Google Authenticator.
Once you start using Authy you'll notice everything works seamlessly. Google
Authenticator on the other hand has a few problems:

\- If you lose your phone, there is no way to revoke access to your token.

\- Google Authenticator depends on the time of the phone to be right for it to
work correctly (same as Authy). But Authy will automatically sync this time
for you in the background so you never have to worry, your tokens will always
work.

\- If you change your phone, Google Authenticator requires you to go and
reconfigure all of your accounts. With Authy all your accounts are synced, so
when you upgrade and re-install Authy everything will be set up the way you
expect it.

\- Authy uses 256 bit keys, while Google uses 128 bit keys.

\- Last year RSA was compromised and all their clients had to manually reset
their keys. Google Authenticator has the same issue, if the keys were ever
compromised everyone would have to manually reset the keys. Authy has a
built-in reset mechanism that will automatically reset the keys for you if
they are ever compromised."

~~~
spindritf
> Cloudflare left an answer in the comments

They made a whole new post to address that —
[http://blog.cloudflare.com/choosing-a-two-factor-authenticat...](http://blog.cloudflare.com/choosing-a-two-factor-authentication-system)

------
travisp
I can't wait for the day that someone implementing two-factor authentication
doesn't call for a Hacker News post. It's a little frightening how easy it
would be for major damage to be done to a business or individual with just a
single stolen password when you consider how many important services don't
offer two-factor authentication (banks, brokerages, registrars, DNS providers,
VPS hosts, Heroku).

~~~
danielpal
Agree. This is happening, slowly but surely. Hopefully we at Authy can help
make it faster.

------
xxdiamondxx
From authy.com (the service provider for two-factor Cloudflare is using):

> It's like magic, except it's math.

~~~
danielpal
What's wrong with that?

We take security seriously, and our product is rock-solid. That doesn't mean
we need to act as if we were distant/dead.

If you ever contact support or read our documentation, etc., you'll notice we
are very approachable and don't bother appearing serious/distant like other
enterprises do - our product speaks for itself.

------
dochtman
I have no clue why one would want to use Authy over plain TOTP (as implemented
by Google Authenticator, for example). Or, if Authy also relies on TOTP, why
make a big thing out of it?

------
Brajeshwar
Been waiting for the text message to arrive for the past 15 minutes or so! I
hope this is rolled out to all countries.

~~~
danielpal
We do support almost every country, but depending on network congestion SMS is
not that reliable.

If you are waiting for the registration PIN, click the "text me the PIN"
button again (if you do so twice, the button changes to "call me"). Then we
will instantly call you. Let me know if that works.

~~~
anthonys
Who are you using for messaging? When I registered this morning (in
Australia), each message was sent to me twice. First from BulkSMS and then
from an Australian mobile (cell) number.

There wasn't too much of a delay, however (less than 1 minute).

~~~
danielpal
We use Twilio (first), then BulkSMS, then Clickatell and finally Nexmo.
Sometimes we send 2 SMSs because the carrier takes too long to confirm if the
SMS arrived.

