2factorauth / twofactorauth

List of sites with two-factor auth support which includes SMS, email, phone calls, hardware, and software.
https://2fa.directory
3.39k stars, 1.78k forks

Paper codes based two-factor? #170

Closed miohtama closed 10 years ago

miohtama commented 10 years ago

Would there be sense in adding an option for paper-code-based two-factor (HOTP: An HMAC-Based One-Time Password Algorithm)? E.g. you print / receive by mail a set of one-time codes which you need to enter for two-factor actions. Maybe an icon in the custom column?

All banks in Scandinavia use this (probably a requirement by regulation).

LocalBitcoins does this: https://localbitcoins.com/forums/#!/general-discussion#paper-codes-based-two-facto

This works everywhere (no smartphone needed) and is resilient against mobile malware attacks where your two-factor SMS is hijacked: http://blog.kaspersky.com/an-android-that-robbed-your-bank-account/

However I don't know how popular paper codes are around the globe.

Related Python project which does both Google Authenticator and paper-code-based two-factor: https://github.com/miohtama/django-twofactor
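As an added illustration of the HOTP-based paper codes described in this post (example code written for this page, not from the twofactorauth project or the poster's django-twofactor), here is a minimal indexed code sheet plus the one-use server-side verifier a site would need; the sheet layout, the server asking for a specific code number, and the reissue-when-exhausted rule are assumptions.

```python
import hashlib
import hmac
import struct

DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def make_sheet(key: bytes, count: int) -> list:
    """The printed sheet: (code number, code) pairs, numbered from 1.
    Only the printout carries the plain codes; the server keeps just `key`."""
    return [(i, hotp(key, i)) for i in range(1, count + 1)]


class PaperCodeVerifier:
    """Server side of an indexed paper-code sheet (assumed design, not the
    project's): the server names the code number to enter, each number is
    accepted once, and an exhausted sheet signals that a new one is due."""

    def __init__(self, key: bytes, count: int):
        self.key = key
        self.count = count
        self.used = set()

    def next_index(self):
        """Lowest unused code number, or None when the sheet is exhausted."""
        for i in range(1, self.count + 1):
            if i not in self.used:
                return i
        return None

    def verify(self, index: int, submitted: str) -> bool:
        """Accept `submitted` for code number `index` exactly once; a replay of
        an already-used number or an out-of-range number is rejected."""
        if not 1 <= index <= self.count or index in self.used:
            return False
        ok = hmac.compare_digest(hotp(self.key, index), submitted.strip())
        if ok:
            self.used.add(index)  # burn the code so it cannot be replayed
        return ok
```

The `hotp` function reproduces the RFC 4226 test vectors, so the sheet is interoperable with any HOTP implementation given the same key and counter convention.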

RichJeanes commented 10 years ago

I know paper codes are used by Google, but they're meant as backup codes for situations when you temporarily lose access to your authenticator, like when your phone dies, and other sites (such as Dropbox) offer a single "recovery code" in case you lose your authenticator. I'd never actually heard of it as a primary source of OTPs.

jdavis commented 10 years ago

Yeah, I agree with @RichJeanes. Paper codes aren't the primary mechanism for 2FA. They are for if the 2FA device/phone stops working and access is still needed. Since this has to do with 2FA recovery options, I don't think we have a place for it on 2FA.org.

Thanks for bringing it up, though, but I'm closing this for now.

kangasbros commented 10 years ago

Only maybe 1/10th of the human population has access to smartphones, and SMS 2FA is expensive. Paper 2FA codes could be a very promising innovation for a large part of the world. I really don't like that you dismiss it like that.

jdavis commented 10 years ago

Dismissing it? I'm not dismissing the idea, just the fact that it isn't being used now except for backup.

mpdavis commented 10 years ago

@kangasbros Do you have any sort of evidence that paper 2FA codes are in use anywhere in the world?

thanksmister commented 10 years ago

In Argentina we use a version of this for banking; they provide the codes on a plastic credit card. It's used for online transactions; though not exactly the same, I think it does demonstrate a low-tech solution.

kangasbros commented 10 years ago

mpdavis, every bank in Finland uses paper-based 2FA auth. OK, it's a small country, but still.

Also our startup LocalBitcoins.com uses them, we have about 200k users (growing currently at a rate of about 600 new users daily).

mpdavis commented 10 years ago

Is it a card with multiple codes on it or is it a single code?

What do you do when the card runs out?

kangasbros commented 10 years ago

mpdavis, when you are using the last codes, a new paper is sent by mail. Or you can grab a new paper from a local bank branch.

We use a print-only solution currently, which isn't optimal, but we are planning to move to mailing the codes.

miohtama commented 10 years ago

I think the proper term is "Transaction authentication numbers" or "Hardcopy one-time password".

http://en.wikipedia.org/wiki/Transaction_authentication_number

The Wikipedia article cites German banks. That's a somewhat larger country than Finland. Also I think in Asia two-factor codes are commonly spread. I guess Anglo-American countries are the only ones where banks do not offer adequate protection for their customers.

thanksmister commented 10 years ago

We receive a card with sort of a code lookup, like a chessboard. If you lose it you just get another one because it's only one piece of the required authentication. It's the same principle, though, as using a list of transaction authentication numbers.

mpdavis commented 10 years ago

Huh, TIL.

However, I would argue that it doesn't warrant anything more than maybe a mention in the custom column.

miohtama commented 10 years ago

I assume you are open for pull requests :)