As johnmaguire2013 guessed, we will have a browser extension which will request a 2FA code from the mobile app. The mobile app will receive a push notification and ask the user whether they would like to allow or deny the request for a second factor of authentication. The user only needs to click one button on their phone and the 2FA code is securely sent to the browser, where everything else related to submitting the 2FA code can be automated.
The browser extension can integrate with any site that currently supports 2FA without any integration or changes required on the part of the sites.
Let me know if you have any more questions! Do you think you'd be willing to change your 2FA workflow to the one described above? If not, what are some of your concerns, thoughts, etc.? Any and all feedback is appreciated!
Yup, you nailed it. That is exactly the plan. Any thoughts on that approach? Do you think you might be willing to update your current 2FA workflow to the one described above?
I think it's a very cool idea! The other big UX issue with 2FA (in my opinion) is backup & restore -- nail both and you'll have a pretty solid product.
For disclosure, I work for Duo, so I'm a big believer in push-based 2FA. (Consider applying if you're interested in usable security!)
Ah! Duo is definitely one of the incumbents in the space that we looked at during our competitive analysis. As far as I understand it, your push based 2FA solution only works for sites which use Duo as the 2FA provider. Is that correct?
I am hoping to build a solution which has a similar sounding UX to Duo Push, but works for any site that currently implements 2FA without requiring the site to make any changes at all. I think that this will provide more comprehensive coverage of sites that developers and other users interact with on a regular basis. For example, Github will not update their backend to use a 2FA service that I write because they already have a good solution in place, but by using a browser extension I can build the UX that I want without any changes required on Github's end.
Admittedly, I had some trouble getting started with actually trying out Duo to get a feel for the UX, but I will definitely have to check out the features that you provide to see what competitors in the space are already doing.
I agree that Backup & Restore is another prime part of the 2FA UX that needs some TLC. We've got some thoughts on improving that as well, but the first step is to nail the UX of actually being productive with 2FA and then come back to add enhancements.
Yep, we have integrations for many services, but software must integrate or support SAML (as Github Business/Enterprise does) for us to do 2FA. Our core product isn't really 2FA however, and we have different target markets: Duo primarily targets businesses looking to protect the services their employees access, while it sounds like you're trying to provide better UX for any consumers of 2FA.
I completely understand your approach and think it's a really neat idea. Looking forward to seeing it. :) Feel free to connect with me via email, I'd love to beta your product.