Two Factor Authentication for Hybrid and Private Cloud (aerofs.com)
23 points by yurisagalov on Aug 5, 2014 | hide | past | favorite | 11 comments



This is great. More companies should do this and build it in as a recommended security feature. If you use rails, you can use the two factor auth gem we built: https://github.com/tinfoil/devise-two-factor

For more info check it out here: https://www.tinfoilsecurity.com/blog/two-factor-authenticati...

Also, for a list of services that provide 2FA, check out http://twofactorauth.org. It's a pretty extensive list, and hopefully more companies start adding 2FA.


I'm sort of a caveman about this, but I prefer physical 2fa tokens for a lot of things. It would be nice if you could accept user input of a seed (in case I've bought a gemalto or something online) and want to register it.


As long as you don't mind using the service provider's seed value, Yubikey can do OATH TOTP.

http://www.yubico.com/applications/internet-services/gmail/
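The token-seed registration discussed in the two comments above, as an added example that is not part of the thread or of AeroFS's code: a Python TOTP verifier (RFC 4226 HOTP under RFC 6238 time steps) that accepts a user-typed base32 seed, checks a code within a one-step window either side of the current step, and never accepts the same step twice. The seed value is the RFC test secret, constructed here; the class and function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 4226 / RFC 6238 test secret as a user might type
# it off a hardware token's packaging (lower case, spaces, no padding).
SAMPLE_SEED_B32 = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"

def normalize_seed(text: str) -> bytes:
    """Turn user-typed base32 (any case, spaces, missing padding) into key bytes."""
    cleaned = "".join(text.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned, casefold=True)

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, at // step, digits)

class TotpRegistration:
    """Server-side record for one registered token: its key and the last step accepted."""

    def __init__(self, seed_text: str, window: int = 1):
        self.key = normalize_seed(seed_text)
        self.window = window      # steps of clock skew tolerated on each side
        self.last_step = -1       # highest step already used for a successful login

    def verify(self, code: str, at=None, step: int = 30) -> bool:
        at = int(time.time()) if at is None else at
        now_step = at // step
        for candidate in range(now_step - self.window, now_step + self.window + 1):
            # A step is accepted at most once, so a code captured in flight is useless.
            if candidate <= self.last_step:
                continue
            if hmac.compare_digest(hotp(self.key, candidate), code):
                self.last_step = candidate
                return True
        return False
```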


Not a bad idea, I'll file it as a feature request and see if we can do it in some easy-to-use fashion. The AWS example you mention in the thread below is good, but AWS is super complicated for a random user to use :\


Yeah, the thing IAM is missing is "sensible defaults", i.e. pre-populated templates. They have this, but it's not the default.

I suspect there's probably a career (for a while) in being an IAM/VPC/etc. configuration specialist.


This is actually a great idea. Do you know of anyone that actually does this?


AWS IAM, which is kind of the gold standard in configurable xaas authentication roles (although maybe a bit overly complex).

I'm looking to emulate them on this (ie shamelessly copy) whenever I have an auth system for a similarly complex multi user system to spec or implement.

I also think there are other forms of 2fa besides totp/hotp which are worth adding, and the general amazon strategy of "multiple levels of logged in state per user" for various actions on their retail shopping site has much broader applicability too.

In general I think Amazon has done an exceptional job here across multiple products.


2FA should IMHO be standard and not make headlines!

On the other hand, and with the latest Synology private cloud hacks, I am not sure if 2FA makes that much of a difference for private cloud servers. 2FA cannot be used for all logins and the solution therefore is usually additional passwords with limited user rights; however, if there is a security issue, such limited user rights are usually sufficient …

Your mileage might vary, of course, but I agree more and more that hosting your own data is probably not the right solution for most users (and maybe even for most HN folks).

Recommended reading: http://tante.cc/2013/05/20/host-your-own-is-cynical/


What's depressing is that bank and mutual fund websites don't generally have OAUTH or 2FA and they're the ones with the worst consequences if they get hijacked.


Definitely depends on the bank, I'm lucky enough that Bank of America provides 2FA.


I want to like AeroFS but the "Searching for dinosaurs" and "Performing some magic" messages during install and sign in seem really unprofessional.



