Cloudflare introduces two-factor authentication (cloudflare.com)
25 points by spindritf 1820 days ago | 11 comments

Looks like a lot of comments on the original article are asking why Cloudflare didn't go with Google Authenticator, and I have to admit I'm curious about that myself.

Edit: Cloudflare left an answer in the comments of their blog about why they chose Authy, so I'm copy/pasting it here:

"Thanks everyone for your comments, we appreciate the feedback. Some insight on why we chose Authy (more on this in a blog post to follow)...

1. Authy app will support google authenticator tokens within the next 2 weeks.

2. We chose Authy to solve many of the problems with Google Authenticator. Once you start using Authy you'll notice everything works seamlessly. Google Authenticator on the other hand has a few problems:

- If you lose your phone, there is no way to revoke access to your token.

- Google Authenticator depends on the time of the phone to be right for it to work correctly (same as Authy). But Authy will automatically sync this time for you in the background so you never have to worry, your tokens will always work.

- If you change your phone, Google Authenticator requires you to go and reconfigure all of your accounts. With Authy all your accounts are synced, so when you upgrade and re-install Authy everything will be set up the way you expect it.

- Authy uses 256 bit keys, while Google uses 128 bit keys.

- Last year RSA was compromised and all their clients had to manually reset their keys. Google Authenticator has the same issue, if the keys were ever compromised everyone would have to manually reset the keys. Authy has a built-in reset mechanism that will automatically reset the keys for you if they are ever compromised."

> Cloudflare left an answer in the comments

They made a whole new post to address that — http://blog.cloudflare.com/choosing-a-two-factor-authenticat...

I can't wait for the day that someone implementing two-factor authentication doesn't call for a Hacker News post. It's a little frightening how easy it would be for major damage to be done to a business or individual with just a single stolen password when you consider how many important services don't offer two-factor authentication (banks, brokerages, registrars, DNS providers, VPS hosts, Heroku).

Agree. This is happening, slowly but surely. Hopefully we at Authy can help make it faster.

From authy.com (the service provider for two-factor cloudflare is using):

> It's like magic, except it's math.

What's wrong with that?

We take security seriously, and our product is rock-solid. That doesn't mean we need to act as if we were distant/dead.

If you ever contact support or read our documentation etc. you'll notice we are very approachable and don't bother appearing serious/distant like other enterprises do - our product speaks for itself.

I have no clue why one would want to use Authy over plain TOTP (as implemented by Google Authenticator, for example). Or, if Authy also relies on TOTP, why make a big thing out of it?
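The "plain TOTP" this comment refers to, and the phone-clock dependence raised in the quoted Cloudflare reply earlier in the thread, as an added example that is not part of the thread or of any vendor's code. It implements RFC 6238 TOTP with HMAC-SHA1 and a server-side check that tolerates a configurable number of 30-second steps of drift and rejects reuse; the key is the RFC test key and the function names are chosen here.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)
KEY = b"12345678901234567890"  # RFC 6238 SHA-1 test key, not a real secret


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(key, unix_time // STEP, digits)


def verify(key, submitted, server_time, window=1, last_used=-1, digits=6):
    """Return the matched step counter, or None.

    window    -- steps of clock drift accepted on each side of server time
    last_used -- highest counter already accepted for this user (replay guard)
    """
    current = server_time // STEP
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_used:
            continue  # a code from this step (or earlier) was already used
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            return counter
    return None


def drift_demo(server_time=1111111109):
    """Constructed scenario: phones whose clocks run 0, 30 and 90 s slow."""
    results = {}
    for lag in (0, 30, 90):
        code = totp(KEY, server_time - lag)  # what the phone displays
        results[lag] = verify(KEY, code, server_time, window=1)
    return results


if __name__ == "__main__":
    print(drift_demo())  # the 90 s lag falls outside the +/-1 step window
```

Widening `window` trades tolerance for drift against a longer period in which an observed code stays valid, which is why the caller should persist the returned counter and pass it back as `last_used`.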

Been waiting for the text message to arrive for the past 15 minutes or so! I hope this is rolled out to all countries.

We do support almost every country, but depending on network congestion SMS is not that reliable.

If you are waiting for the registration PIN, click "text me the PIN" again (if you do so twice, the button changes to "call me"). Then we will instantly call you. Let me know if that works.

Who are you using for messaging? When I registered this morning (in Australia), each message was sent to me twice. First from BulkSMS and then from an Australian mobile (cell) number.

There wasn't too much of a delay, however (less than 1 minute).

We use Twilio (first), then BulkSMS, then Clickatell and finally Nexmo. Sometimes we send 2 SMSes because the carrier takes too long to confirm if the SMS arrived.
