2FA Notifier – Know when a site supports 2FA (2fanotifier.org)
74 points by dceddia 9 months ago | 47 comments

The problem here is that it uses twofactorauth.org

I submitted two PRs for sites that have 2FA that they didn’t have.

One they argued about whether it’s a big enough site to include (a commercial vps/server hosting company across ~5 countries) and never approved, the other they complained that the site doesn’t document it well enough so it must not exist (despite me using it).

I gave up when they then got a bad reply from the company in question (saying they only support SMS) and changed my PR despite me telling them it's wrong (because customer service reps never get anything wrong?).

That is frustrating. I have been contributing to the twofactorauth.org project, but I am still new to the community there.

It is a really great resource of information with over 1,000 sites as of today. I am not aware of any other data sources that could provide similar information, but if you know of any, please do share!

2FA Notifier uses twofactorauth.org as a data feed, but does not rely on that data alone. I have made updates to the data already to help it work better for the use-case that 2FA Notifier is trying to solve.

I am looking to create a community around the support of data for 2FA Notifier. We would still use the twofactorauth.org data as a main source and contribute changes back to that project. However, I can see 2FA Notifier having a different set of criteria and processes so that we could move more quickly to get the data into production so that it is useful for users of 2FA Notifier.

Will you contribute data to the 2FA Notifier project? I can reach out to you offline if you're interested. I'd love to chat!

> Will you contribute data to the 2FA Notifier project?

Given that it's a Chrome extension, and I neither use Chrome nor have it installed, that seems unlikely.

You're free to merge my PRs (linked below in the reply to @davis) into your data set, but honestly I'd say at this point unless something changes they are a dubious choice of data (see further response to @davis below).

Gotcha. If you happen to use Firefox, I published the extension to the FF store yesterday too [1].

I will definitely take a look at your PRs. I see that you linked them below. I plan to review all of the outstanding PRs in the twofactorauth.org project to see if there are good data cleanup/improvements that I can take advantage of too.

[1] https://addons.mozilla.org/en-US/firefox/addon/2fa-notifier/

Sorry - Safari here. If you get to the point of a Safari version, I'd definitely try it out.

Gotcha. It will likely be...a while before I get around to writing a Safari extension, but I am certainly open to it!

I honestly don't know the first thing about creating an extension for Safari. I wish they would just get on board and support the WebExtension standard #wishfulthinking

"they argued about whether it’s a big enough site to include"

Wow. That sounds ridiculous. But if you try and track that site ...

From https://twofactorauth.org/ "Made with tea by Josh Davis..." Then you follow this "Josh Davis" link to https://joshldavis.com/

... and you find this:

" Splootysplotty: Open Source Alternative to Lewis Carroll’s Jabberwocky"

" 'Twas haplex and kuffle problem. Projects Dalo and Jotts voluck. It's not folazy as Lablem, But merely fosts toontruck. "


> Wow. That sounds ridiculous.

Tell me about it. They literally just had to click "Merge PR", but instead chose to go looking at the site's rank on Alexa.

When I suggested that they should codify their "only top 200K on Alexa" guideline, I got zero response, predictably.

Haha. That's a satirical article I created to poke fun at open source naming schemes. I buried the lede on that article (which is confusing in retrospect).

+1 their maintainers have been horrible to deal with in my experience

I registered 2factor.io a few years ago to build a Chrome / FF extension to do what this site does and wanted to put it on GH for the community to maintain because I knew there were sites I didn't know existed. Just ended up doing other things instead :( I think the domain has lapsed now.

A fork of this site/data has crossed my mind. The extra data being removed/refused is all there, it just has to be merged, or the delete reverted.

Hey Stephen. I created twofactorauth.org but am no longer the maintainer but if you send me links to the pull requests, I'll take a look.

Hey again, so I got curious about this "Alexa ranking" requirement - and it's fucking crazy bananas at this point.

The current maintainers are actively removing data that doesn't meet the "Alexa 200K" "requirement", and other PRs have been closed as "not in Alexa 100K".


If this were a project I'd started and saw the new maintainers doing what they are, I'd be livid.

I cannot fathom the scenario where it makes sense to remove correct, useful information like this.

Given how popular this became, it's starting to sound like 2factorauth shouldn't be a Github project at all. A semantic type wiki sounds more appropriate.

Seen this sort of stuff before. I'm betting that the maintainers are just overwhelmed with PRs for something that is essentially a side project for everyone involved. The solution to this sort of thing is to reduce maintenance burden.

In theory that sounds like a possible reason. But I don't see it playing out that way.

They're given a PR with all the information needed, exactly as they requested it. They literally just have to click merge, and it's done.

Instead, they add their own manual steps of arbitrary Alexa ranking checks, and now, going back through existing entries to check them against Alexa, not just now, but in the past as well.

This whole exercise is creating work for them, not reducing it.

Hey, the two PRs are here: https://github.com/2factorauth/twofactorauth/pulls?utf8=&q=i...

As mentioned, one has been merged, but with incorrect information. The company in question (VentraIP) has actually got a better document about this now (https://ventraip.com.au/faq/article/two-factor-authenticatio...), but I'm honestly beyond done with the current maintainers of that repo so I'm not willing to add further info to the PRs.

We need some guidelines for proper 2FA implementation. The Instagram 2FA has a quirk where they don't prompt the user to write the phone number registered on the account before sending the SMS. This means I get like 20 password resets on my phone daily. In an ideal world I would use a token 2FA instead of SMS but that is not supported either. If anybody from Facebook/Instagram can pass this feedback along, it will be appreciated.

> We need some guidelines for proper 2FA implementation.

I could not agree more. I write a lot about 2FA on my site, All Things Auth [1], and do teardowns of 2FA implementations for sites.

In March, we featured Zapier [2] in a screencast episode and a 5 post series digging deep into their 2FA implementation and related topics. I highlighted some things they are doing well and also made suggestions on how they could improve.

I plan to continue doing teardowns for 2FA implementations from many different types of sites. I plan to create a definitive guide to aggregate 2FA implementation best practices.

[1] https://www.allthingsauth.com/tag/2fa/

[2] https://www.allthingsauth.com/zapier

Hey everyone! I created 2FA Notifier with my friend, Ray.

We noticed that many people enable 2FA after they realize the services they already use support it! So, we made 2FA Notifier [1], an open source web extension that notifies you when sites you visit support 2FA. Anytime you visit a site that supports 2FA, you'll get a notification. Click it to go straight to the docs that explain how to enable 2FA!

Let me know if you take it for a spin! Any and all feedback is helpful to improve the functionality and UX.

Shout with questions and I'll do my best to answer!

[1] https://2fanotifier.org

Nice idea! Will you add support for Firefox?

I am in the process of getting into the FF store as we speak! Stay tuned!

The extension is now accessible in the Firefox store [1]!

Please shout if there are any weird bugs in FF. I do test it in Firefox before publishing, but Chrome is my main browser so I catch things there more quickly.

[1] https://addons.mozilla.org/en-US/firefox/addon/2fa-notifier/

I submitted 2FA Notifier to the FF store and got approved, but it still stuck in "Awaiting Review" state. This is my first time working with the FF store, so figuring things out as I go. If you've got any tips/resources/etc that might be helpful, shoot them my way!

I'll post here again once the extension is available to install via the FF store.

Great news. Was going to ask same question :)

Really love the idea! The extension is a bit buggy for me on facebook.com but otherwise seems to run smoothly.

I released an update that fixes the notification on www.facebook.com. Check it out and let me know what you think!

A few examples of sites that do have 2FA but the extensions cannot tell for "silly" reasons:

mycompany.slack.com: "No 2FA here :("

inbox.google.com: "No 2FA here :("

docs.google.com: "No 2FA here :("

Thanks for the feedback!

Clean data is definitely going to be a challenge for this project moving forward. I've discussed several ideas in other comments in this thread, so check those out if you are interested.

It does look like inbox.google.com is missing from our data set. We have an open issue to make sure that all of the Google products are added [1].

The messaging that is currently shown there is definitely wrong too because inbox.google.com does support 2FA. We have another issue for handling the "unknown" state when the domain simply is not in our data set [2].

What type of messaging and UI do you expect to see when the extension is unsure whether a given site supports 2FA or not?

Feedback from the community will really help improve the extension! Thanks for sharing your thoughts!

[1] https://github.com/conorgil/2fa-notifier/issues/61

[2] https://github.com/conorgil/2fa-notifier/issues/39
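The two data problems raised above (subdomains such as mycompany.slack.com and docs.google.com not matching their parent entry, and a domain that is simply absent from the data set being reported as "No 2FA here") come down to how the visited host is matched against the feed. The following is an added example, not code from this thread or from the 2FA Notifier project: it walks a hostname up to its registrable domain and returns a three-way result (supported / known not to support 2FA / unknown), so that "unknown" never produces the "No 2FA" message. The data shape, field names and entries are constructed assumptions for the example; the multi-domain entry also goes beyond the comment above, covering the regional Amazon case raised elsewhere in the thread.

```typescript
// Added example (not the 2FA Notifier project's own code): host lookup
// against a constructed 2FA data set, with subdomain walk-up and a
// distinct "unknown" state for hosts that are not in the data at all.

type TwoFactorMethod = "sms" | "totp" | "u2f" | "email";

// Constructed data shape; field names and entries are assumptions.
interface SiteEntry {
  name: string;
  domains: string[];        // registrable domains this entry covers
  tfa: TwoFactorMethod[];   // empty array = site is known to lack 2FA
  docUrl?: string;          // where the user is sent to enable it
}

// Constructed sample entries for illustration only.
const SAMPLE_ENTRIES: SiteEntry[] = [
  { name: "Google", domains: ["google.com"], tfa: ["sms", "totp", "u2f"],
    docUrl: "https://example.invalid/google-2fa" },
  { name: "Slack", domains: ["slack.com"], tfa: ["sms", "totp"],
    docUrl: "https://example.invalid/slack-2fa" },
  // One entry can cover several regional domains (assumed data shape).
  { name: "Amazon", domains: ["amazon.com", "amazon.co.uk", "amazon.de"],
    tfa: ["sms", "totp"] },
  // A site recorded as having no 2FA at all.
  { name: "NoTfaExample", domains: ["no2fa.example"], tfa: [] },
];

type LookupResult =
  | { status: "supported"; entry: SiteEntry; methods: TwoFactorMethod[] }
  | { status: "unsupported"; entry: SiteEntry }
  | { status: "unknown" };

// Index every listed domain so lookups are O(1) per candidate.
function buildIndex(entries: SiteEntry[]): Map<string, SiteEntry> {
  const index = new Map<string, SiteEntry>();
  for (const entry of entries) {
    for (const d of entry.domains) index.set(d.toLowerCase(), entry);
  }
  return index;
}

function lookupHost(host: string, index: Map<string, SiteEntry>): LookupResult {
  // Normalise: lowercase, drop any port and a trailing dot.
  const labels = host.toLowerCase().replace(/:\d+$/, "").replace(/\.$/, "").split(".");
  // Walk from the full host up to the two-label domain, so that
  // mycompany.slack.com -> slack.com and docs.google.com -> google.com.
  // A bare TLD is never tried.
  for (let i = 0; i <= labels.length - 2; i++) {
    const candidate = labels.slice(i).join(".");
    const entry = index.get(candidate);
    if (entry) {
      return entry.tfa.length > 0
        ? { status: "supported", entry, methods: entry.tfa }
        : { status: "unsupported", entry };
    }
  }
  // Not in the data set: say so, rather than claiming "no 2FA".
  return { status: "unknown" };
}

// Only a known-negative entry should produce the "No 2FA here" message.
function notificationText(host: string, index: Map<string, SiteEntry>): string {
  const r = lookupHost(host, index);
  if (r.status === "supported") {
    return `${r.entry.name} supports 2FA (${r.methods.join(", ")}).`;
  }
  if (r.status === "unsupported") {
    return "No 2FA here :( But you can still use a unique password and a password manager.";
  }
  return `We don't have data for ${host} yet.`;
}

const INDEX = buildIndex(SAMPLE_ENTRIES);
```

The walk-up stops at two labels as a simplification; a production extension would consult the public suffix list so that a host under a multi-label suffix (co.uk, for instance) is never matched against the suffix itself, and so that a single entry can be keyed by its registrable domain regardless of how many labels that has.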

Can you indicate more than only yes/no for a measure of how secure the 2FA can be?

The choice of some sites' 2FA implementations is known to be problematic, such as SMS only (easily hijacked), or supporting TOTP and/or HOTP but also requiring you to allow SMS or "security questions", reducing the degree of security.

That is a great idea! I am 100% in favor of helping the users understand the security tradeoffs between the 2FA methods.

We definitely have it on the roadmap to update 2FA Notifier to include more educational content. Thanks for the feedback!

I am currently writing a series on 2FA on my site All Things Auth [1] that gets into the details explaining how each method works and exploring the security and usability tradeoffs of each. I want to put together a summary and/or infographic highlighting the main takeaways and hopefully link to something like that from 2FA Notifier.

Currently, we use the data from twofactorauth.org [2] as our main data feed. I definitely encourage you to check out their community on GitHub and propose your idea there too!

[1] https://www.allthingsauth.com/tag/2fa/

[2] https://github.com/2factorauth/twofactorauth

Great thing, the blog posts. I wrote about security keys working on iOS recently, feel free to grab material if you need.


Thanks for the positive feedback! There are 2 main articles in the 2FA series left to write (Push 2FA and U2F/WebAuthN), but there are a ton of other posts I have bouncing around in my head. Join the email list if you're interested in getting updates!

I'll definitely give your post a read too!

Have you found it effective publishing on Medium vs your own blog? I've been considering cross posting my articles for additional exposure. Curious to hear your thoughts.

Medium, infinitely. LinkedIn is also gaining popularity if you want/need to boost your network.

Feel free to write me via email if you'd like to talk more, but between HN and Hacker Noon, with Medium any of my posts gets at least a thousand reads. This one is currently at 4.6k views/1.9k reads. There's no way I'd get this reach with my own blog.

+1 on the great idea!

(I'm the other half of this team. I tackle the UX/UI parts)

@encyclic, I'm curious about how you typically approach enabling 2FA.

- How do you typically choose which services to enable 2FA for?

- What do you do now if a service doesn't have 2FA OR doesn't have the type of 2FA appropriate for your situation?

As Conorgil145 mentioned, we have this on our roadmap and have some ideas about how to approach this. But understanding how you approach things now will definitely help us to craft a more effective solution.

Great idea for an extension.

One thing I noticed straight away that I thought was worth mentioning is that a notification doesn't popup when visiting the regional Amazon websites like Amazon.co.uk/.de/.es/.it, despite it being possible to enable 2FA for these sites through Amazon.com.

Screenshot: https://vgy.me/UaHJm1.png

This is also mentioned on twofactorauth.org...

Enabling on Amazon.com activates 2FA on other regional Amazon sites, such as UK and DE.

Thanks for the feedback! We use the data from twofactorauth.org as our main data feed, so that is where we pick up the domains.

I am definitely open to augmenting those entries, but trying to think about ways to either automate (ideal) or crowdsource contributions on the data side.

Any thoughts? Would you be interested in contributing data updates like this?

Do you think twofactorauth.org would be willing to list the regional Amazon websites separately so that your extension can pick them up automatically?

I am not a core committer for twofactorauth.org (yet! I hope to become one!), so I cannot say whether they will accept a PR like that. However, there is an open issue discussing this topic that is worth reading over [1].

2FA Notifier has a bit of an easier job since we don't have to render anything or make it searchable (as of today). I would happily review any PRs along these lines! The data is currently hard coded in a TypeScript file, which makes it really easy to update [2].

I plan to document criteria for contributing data to 2FA Notifier like this, but just haven't had the time. One entry per PR would be ideal if you are motivated to contribute!

[1] https://github.com/2factorauth/twofactorauth/issues/1025

[2] https://github.com/conorgil/2fa-notifier/blob/master/src/typ...

I like this idea, it's definitely missing a few major sites though. google.com, facebook.com for example.

Thanks for the feedback! I just released an update that correctly supports www.google.com and www.facebook.com.

Nitpick: “2FA Notifier let’s you know”

That should be “lets”.

Whoops! Good catch. Fixed.

I also fixed it on the chrome store description as well. :) Thx for catching that!

This addon is useless:

No 2FA here :( But you can better protect your inbox.google.com account if you follow these steps:

Create a unique password

Use a password manager

It does look like inbox.google.com is missing from our data set. We have an open issue to make sure that all of the Google products are added [1].

The messaging that is currently shown there is definitely wrong too because inbox.google.com does support 2FA. We have another issue for handling the "unknown" state when the domain simply is not in our data set [2].

What type of messaging and UI do you expect to see when the extension is unsure whether a given site supports 2FA or not?

Also, have you had the chance to see the UX for a site that does support 2FA? We currently have over 1,000 domains in our data set, so there is bound to be a service that you use. Feedback from the community will really help improve the extension! Thanks for sharing your thoughts.

[1] https://github.com/conorgil/2fa-notifier/issues/61

[2] https://github.com/conorgil/2fa-notifier/issues/39

LastPass + Duo = MFA Everywhere :-)
