2factorauth / twofactorauth

List of sites with two factor auth support which includes SMS, email, phone calls, hardware, and software.
https://2fa.directory

Separate software implementations into standard and non-standard. #852

Closed WhyNotHugo closed 9 years ago

WhyNotHugo commented 9 years ago

There are basically two types of software implementations:

The first group is usable by anyone with a TOTP device, almost any mobile phone, desktop implementations, etc. The latter is only usable on a limited set of devices/platforms.

I'd like to propose distinguishing which belong to the second group and add some sort of indicator for this. If the idea is acceptable, I can go through each one and double check this myself.

smholloway commented 9 years ago

This has come up a few times (for example, see https://github.com/jdavis/twofactorauth/issues/493, https://github.com/jdavis/twofactorauth/issues/842) and we have decided not to proceed because the information is hard to convey cleanly and concisely. Average users are not familiar with 2FA, so introducing concepts like open standards, TOTP, RFC 6238, HOTP, and RFC 4226 would overwhelm people and hurt the cause.

Here are a few ways I've thought to convey this information:

I am not in love with any of those options, but I'll omit the reasons for brevity. I'm open to other suggestions.

My rant: I work for Toopher, a 2FA provider that makes the second factor invisible. I don't want you to use OTPs; it is dated technology that should be eclipsed by more usable solutions. There are a number of modern approaches that are every bit as secure while also being easier to use and more informative. As with all things security related, I'd rather companies use an open standard than invent their own, but for 2FA I'd rather companies use a modern approach and remove the need for people to understand OTP generators.

Carlgo11 commented 9 years ago

Closing the PR since we've agreed not to do this a few times before, just like @smholloway said.

WhyNotHugo commented 9 years ago

> This has come up a few times (for example, see #493, #842) and we have decided not to proceed because the information is hard to convey cleanly and concisely. Average users are not familiar with 2FA, so introducing concepts like open standards, TOTP, RFC 6238, HOTP, and RFC 4226 would overwhelm people and hurt the cause.

It's true users don't understand all these concepts, but they do understand "this will work on any token generator" vs "you need a specific OS and a specific software to enable this", which is basically what I'm saying is relevant to the user.

> As with all things security related, I'd rather companies use an open standard than to invent their own, but for 2FA I'd rather companies use a modern approach and remove the need for people to understand OTP generators.

You've sparked my curiosity: what successor do we have to all these OTP mechanisms?

mxxcon commented 9 years ago

> It's true users don't understand all these concepts, but they do understand "this will work on any token generator" vs "you need a specific OS and a specific software to enable this", which is basically what I'm saying is relevant to the user.

But then we are coming back to the original issue of how you show what each service/provider supports. Until we come up with some usable system, we'll have a mile-long table with columns listing every 2FA provider for every entry.

smholloway commented 9 years ago

> You've sparked my curiosity: what successor do we have to all these OTP mechanisms?

The solutions I know of, like Toopher, require a smartphone, which you said you don't have. The best alternative I can think of for users without smartphones would be something like Yubikey, which fits into the USB drive and generates OTPs with the push of a button.

As for adding the information about supporting open standards, I understand that you and others would like the information. We have not been able to think of a simple, clean way to display the additional information. If you have an idea about how we could satisfy your requirements without sacrificing usability, please let us know.

WhyNotHugo commented 9 years ago

> [...] Until we come up with some usable system, we'll have a mile long table with columns listing every 2fa provider for every entry. [...] We have not been able to think of a simple, clean way to display the additional information. [...]

Some icon on the "software implementation" column (indicating there's some caveat for this provider) with a tooltip sounds rather simple. This should not interfere with user experience: there should be little to no difference at first glance, but it provides the slightly more detailed information for those users who are interested. Data-wise, I'd just keep a boolean field which says "requires specialized/non-standard software", and have the tooltip say something close to that too.

The tooltip should be triggerable by touch on touch devices.

How does that sound?

> The solutions I know of, like Toopher [...]

Interesting. It's sort of a fourth factor: location (e.g. "where you are"). An interesting concept. I'm curious as to how it works for those who travel a lot, and what happens on those days when you go somewhere without your phone.

> The best alternative I can think of for users without smartphones would be something like Yubikey [...]

I'm familiar with YubiKey, and have a few lying around, as well as a few other generators, but I mostly use a software implementation (and rely on the OS's full-disk encryption AND gpg to protect its secrets). But YubiKey is still OTP.