I submitted two PRs for sites that have 2FA that they didn’t have.
One they argued about whether it’s a big enough site to include (a commercial vps/server hosting company across ~5 countries) and never approved, the other they complained that the site doesn’t document it well enough so it must not exist (despite me using it).
I gave up when they then got a bad reply from the company in question (saying they only support SMS) and changed my PR despite me telling them it’s wrong (because customer service reps never get anything wrong?).
It is a really great resource of information with over 1,000 sites as of today. I am not aware of any other data sources that could provide similar information, but if you know of any, please do share!
2FA Notifier uses twofactorauth.org as a data feed, but does not rely on that data alone. I have made updates to the data already to help it work better for the use-case that 2FA Notifier is trying to solve.
I am looking to create a community around the support of data for 2FA Notifier. We would still use the twofactorauth.org data as a main source and contribute changes back to that project. However, I can see 2FA Notifier having a different set of criteria and processes so that we could move more quickly to get the data into production so that it is useful for users of 2FA Notifier.
Will you contribute data to the 2FA Notifier project? I can reach out to you offline if you're interested. I'd love to chat!
Given that it's a Chrome extension, and I neither use Chrome nor have it installed, that seems unlikely.
You're free to merge my PRs (linked below in the reply to @davis) into your data set, but honestly I'd say at this point, unless something changes, they are a dubious choice of data (see further response to @davis below).
I will definitely take a look at your PRs. I see that you linked them below. I plan to review all of the outstanding PRs in the twofactorauth.org project to see if there are good data cleanup/improvements that I can take advantage of too.
I honestly don't know the first thing about creating an extension for Safari. I wish they would just get on board and support the WebExtension standard #wishfulthinking
Wow. That sounds ridiculous. But if you try and track that site ...
"Made with tea by Josh Davis..."
Then you follow this "Josh Davis" link to https://joshldavis.com/
... and you find this:
"Splootysplotty: Open Source Alternative to Lewis Carroll’s Jabberwocky"
'Twas haplex and kuffle problem.
Projects Dalo and Jotts voluck.
It's not folazy as Lablem,
But merely fosts toontruck.
Tell me about it. They literally just had to click "Merge PR", but instead chose to go looking at the site's rank on Alexa.
When I suggested that they should codify their "only top 200K on Alexa" guideline, I got zero response, predictably.
The current maintainers are actively removing data that doesn't meet the "Alexa 200K" "requirement", and other PRs have been closed as "not in Alexa 100K".
If this were a project I'd started and saw the new maintainers doing what they are, I'd be livid.
I cannot fathom the scenario where it makes sense to remove correct, useful information like this.
Seen this sort of stuff before. I'm betting that the maintainers are just overwhelmed with PRs for something that is essentially a side project for everyone involved. The solution to this sort of thing is to reduce maintenance burden.
They're given a PR with all the information needed, exactly as they requested it. They literally just have to click merge, and it's done.
Instead, they add their own manual steps of arbitrary Alexa ranking checks, and now, going back through existing entries to check them against Alexa, not just now, but in the past as well.
This whole exercise is creating work for them, not reducing it.
As mentioned, one has been merged, but with incorrect information. The company in question (VentraIP) has actually got a better document about this now (https://ventraip.com.au/faq/article/two-factor-authenticatio...), but I'm honestly beyond done with the current maintainers of that repo so I'm not willing to add further info to the PRs.
I could not agree more. I write a lot about 2FA on my site, All Things Auth, and do teardowns of 2FA implementations for sites.
In March, we featured Zapier in a screencast episode and a 5-post series digging deep into their 2FA implementation and related topics. I highlighted some things they are doing well and also made suggestions on how they could improve.
I plan to continue doing teardowns for 2FA implementations from many different types of sites. I plan to create a definitive guide to aggregate 2FA implementation best practices.
We noticed that many people enable 2FA after they realize the services they already use support it! So, we made 2FA Notifier, an open source web extension that notifies you when sites you visit support 2FA. Anytime you visit a site that supports 2FA, you'll get a notification. Click it to go straight to the docs that explain how to enable 2FA!
Let me know if you take it for a spin! Any and all feedback is helpful to improve the functionality and UX.
Shout with questions and I'll do my best to answer!
Please shout if there are any weird bugs in FF. I do test it in Firefox before publishing, but Chrome is my main browser so I catch things there more quickly.
I'll post here again once the extension is available to install via the FF store.
mycompany.slack.com: "No 2FA here :("
inbox.google.com: "No 2FA here :("
docs.google.com: "No 2FA here :("
Clean data is definitely going to be a challenge for this project moving forward. I've discussed several ideas in other comments in this thread, so check those out if you are interested.
It does look like inbox.google.com is missing from our data set. We have an open issue to make sure that all of the Google products are added.
The messaging that is currently shown there is definitely wrong too because inbox.google.com does support 2FA. We have another issue for handling the "unknown" state when the domain simply is not in our data set.
What type of messaging and UI do you expect to see when the extension is unsure whether a given site supports 2FA or not?
Feedback from the community will really help improve the extension! Thanks for sharing your thoughts!
Some sites' choice of 2FA implementation is known to be problematic, such as SMS only (easily hijacked), or supporting TOTP and/or HOTP but also requiring you to allow SMS or "security questions", reducing the degree of security.
We definitely have it on the roadmap to update 2FA Notifier to include more educational content. Thanks for the feedback!
I am currently writing a series on 2FA on my site All Things Auth that gets into the details explaining how each method works and exploring the security and usability tradeoffs of each. I want to put together a summary and/or infographic highlighting the main takeaways and hopefully link to something like that from 2FA Notifier.
Currently, we use the data from twofactorauth.org as our main data feed. I definitely encourage you to check out their community on GitHub and propose your idea there too!
I'll definitely give your post a read too!
Have you found it effective publishing on Medium vs your own blog? I've been considering cross posting my articles for additional exposure. Curious to hear your thoughts.
Feel free to write me via email if you’d like to talk more, but between HN and Hackernoon, with Medium any of my posts gets at least a thousand reads. This one is currently at 4.6k views/1.9k reads. There’s no way I’d get this reach with my own blog.
(I'm the other half of this team. I tackle the UX/UI parts)
@encyclic, I'm curious about how you typically approach enabling 2FA.
- How do you typically choose which services to enable 2FA for?
- What do you do now if a service doesn't have 2FA OR doesn't have the type of 2FA appropriate for your situation?
As Conorgil145 mentioned, we have this on our roadmap and have some ideas about how to approach this. But understanding how you approach things now will definitely help us to craft a more effective solution.
One thing I noticed straight away that I thought was worth mentioning is that a notification doesn't popup when visiting the regional Amazon websites like Amazon.co.uk/.de/.es/.it, despite it being possible to enable 2FA for these sites through Amazon.com.
This is also mentioned on twofactorauth.org...
Enabling on Amazon.com activates 2FA on other regional Amazon sites, such as UK and DE.
I am definitely open to augmenting those entries, but trying to think about ways to either automate (ideal) or crowdsource contributions on the data side.
Any thoughts? Would you be interested in contributing data updates like this?
2FA Notifier has a bit of an easier job since we don't have to render anything or make it searchable (as of today). I would happily review any PRs along these lines! The data is currently hard coded in a TypeScript file, which makes it really easy to update.
I plan to document criteria for contributing data to 2FA Notifier like this, but just haven't had the time. One entry per PR would be ideal if you are motivated to contribute!
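Two data-handling points raised in this thread, the "unknown" state for domains absent from the data set and regional Amazon domains whose 2FA is enabled through Amazon.com, can be shown together in one lookup routine. The following is an added example written for this discussion, not 2FA Notifier's or twofactorauth.org's own code: the `SITES` entries, the `ALIASES` table, the `example-nofa.invalid` domain and the documentation URLs are constructed sample data, and the label-walking domain resolution is a simplification (a real extension would consult the public suffix list).

```typescript
// Added example (not 2FA Notifier's own code). Tri-state lookup:
// "supported" / "unsupported" / "unknown", plus an alias table so regional
// domains resolve to the account that actually carries the 2FA setting.

type Status = "supported" | "unsupported" | "unknown";

interface SiteEntry {
  name: string;
  tfa: boolean;        // true if the site offers some 2FA method
  docUrl?: string;     // where users can read how to enable it
  methods?: string[];  // constructed sample values: "totp", "u2f", "sms"
}

// Constructed sample data set keyed by registrable domain (URLs are placeholders).
const SITES: Record<string, SiteEntry> = {
  "amazon.com": { name: "Amazon", tfa: true, docUrl: "https://example.invalid/amazon-2fa", methods: ["totp", "sms"] },
  "google.com": { name: "Google", tfa: true, docUrl: "https://example.invalid/google-2fa", methods: ["totp", "u2f", "sms"] },
  "sms-only.invalid": { name: "SMS-only Example", tfa: true, docUrl: "https://example.invalid/sms", methods: ["sms"] },
  "example-nofa.invalid": { name: "No-2FA Example", tfa: false },
};

// Regional domains whose 2FA is enabled through another domain's settings
// (the thread notes Amazon.com enables 2FA for the UK/DE/ES/IT sites).
const ALIASES: Record<string, string> = {
  "amazon.co.uk": "amazon.com",
  "amazon.de": "amazon.com",
  "amazon.es": "amazon.com",
  "amazon.it": "amazon.com",
};

// Reduce a hostname to a data-set key. Assumption/simplification: walk up the
// labels until an alias or data-set key matches, so "docs.google.com" -> "google.com".
function resolveDomain(hostname: string): string | null {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join(".");
    if (candidate in ALIASES) return ALIASES[candidate];
    if (candidate in SITES) return candidate;
  }
  return null;
}

interface Lookup {
  status: Status;
  entry?: SiteEntry;
  smsOnly: boolean;  // flags the weak case discussed in the thread
  message: string;
}

// Distinguish "we have no data" from "the site has no 2FA"; the two must not
// show the same "No 2FA here" message.
function lookup(hostname: string): Lookup {
  const domain = resolveDomain(hostname);
  const entry = domain === null ? undefined : SITES[domain];
  if (!entry) {
    return { status: "unknown", smsOnly: false, message: `No data for ${hostname} yet.` };
  }
  if (!entry.tfa) {
    return { status: "unsupported", entry, smsOnly: false, message: `${entry.name} does not offer 2FA.` };
  }
  const methods = entry.methods ?? [];
  const smsOnly = methods.length > 0 && methods.every((m) => m === "sms");
  const note = smsOnly ? " (SMS only; prefer an app or hardware key where offered)" : "";
  return { status: "supported", entry, smsOnly, message: `${entry.name} supports 2FA${note}: ${entry.docUrl}` };
}
```

With this shape, `mycompany.slack.com` from the earlier comment would report "unknown" rather than "No 2FA here", and `www.amazon.de` resolves to the Amazon entry through the alias table.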
That should be “lets”.
No 2FA here :( But you can better protect your inbox.google.com account if you follow these steps:
Create a unique password
Use a password manager
Also, have you had the chance to see the UX for a site that does support 2FA? We currently have over 1,000 domains in our data set, so there is bound to be a service that you use. Feedback from the community will really help improve the extension! Thanks for sharing your thoughts.