What sort of hardware token?

[candlerb]

I wonder if it's possible to give more detailed information than is currently shown by a tick under the "hardware token" column. In particular:

• Can use a token that I already own? Or will the organisation issue me with a new token for use with my account? (The latter is typical with banks)
• If I can use my own token, which type(s) of device does the service support? (e.g. Yubikey standard, U2F, Gemalto, ...)
• Is it a hardware token that I plug in, or one which displays a code that I have to type in?
• Does it require a PIN entry to unlock?
• Do I need to install any additional software or browser plugins to work with it? (e.g. U2F)

This is all helpful in making decisions as to whether I want to use the service or not.

Suppose I want to use three services which have ticks next to them. Currently I might need to carry between 1 and 3 tokens, and I might need to buy between 0 and 3 of them, and I don't know without researching each of the service providers individually. Of course I can do this by following the Doc link, but I think this reduces the usefulness of this site.

[smholloway]

It would be nice to provide more information without having to click into the docs links, but we have not found a way to do so. PRs are welcome.

A naive solution is to create five new columns to answer your five questions. Unfortunately, that doesn't scale and we'd still be missing something that someone would find useful--plus, we'd need to give the same treatment to the other columns (SMS, software, etc) resulting in an incomprehensible sea of checkmarks. I'd rather the site be sparse and usable than complete and unusable.

[mxxcon]

These are all legitimate questions that would be nice to address, however with the current structure of the site we would end with constantly-growing-mile-long-list of check boxes. @candlerb If you have any suggestions on how we can represent all this info considering our current fully-static hosting limitations, feel free to share.

We intentionally decided to condense the site's layout to provide just the most critical info and put the onus of figuring out specific implementation on users.

Again, if you have specific ideas on how to represent it, please share.

[Walkman100]

Can't we add different kinds of ticks, like different colours ()or an intermittent tick? or even different shapes?

[Carlgo11]

Haven't we talked about this a few times already?

[mxxcon]

@Carlgo11 we have but this issue still comes up and we still haven't found a reasonable solution.

@Walkman100 what would they show?

Perhaps we could keep primary layout as is, but then have an expanding button that would show more technical details...And perhaps those could be fetched on-demand from category specific json files?

[Walkman100]

So you choose what categories/columns you want to see?

[candlerb]

@mxxcon:

I propose replacing the tick with different icons representing a Yubikey Standard (black), a U2F key, a Gemalto key, a dedicated bank key etc. I'm sure key vendors would be happy to allow use of their icons. If a site supports more than one, then show multiple icons in the column. That answers my questions 1-2.

Each icon can be a link to the vendor's page giving more information on the product - or a local page with summary info, which in turn links to vendor page. In some cases like U2F, that could link to the FIDO page and/or multiple vendors. That is sufficient for my questions 3-5.

In the case of dedicated keys supplied by a bank, there could be an icon saying "custom" or "dedicated". Or maybe there could be a few generic icons showing the token type, e.g. token with display, token with display + PIN entry, USB-attached token.

Alternative proposal: retain the tick, but you can hover over it for more details (this is a simple tooltip, fine with a static site).

Personally I'd like to see at a glance how many sites are supporting each different token type.

@smholloway: I fully agree, the same is required for soft tokens too. I would certainly like to know which sites I can access using Google Authenticator app, for example.

[mxxcon]

@candlerb This is exactly what we had before and switched back to the current layout.

Then we are going to list every single 2FA provider that is compatible with Google Authenticator's system for every single site that supports it? Look how many we already have https://twofactorauth.org/providers/ and this is not the complete list.

[smholloway]

Custom icons require a legend and a custom tooltip and ... Ugh. Scope creep. It's additional work that will lead to more additional work and it will displease as many people as it pleases. Worse usability and harder to maintain? :-1:

We'd also like the site to remain easy to contribute to. I think that adding a lot of custom data hurts the usability for contributors (on the backend) and users (on the frontend).

[candlerb]

@mxxcon

Then we are going to list every single 2FA provider that is compatible with Google Authenticator's system for every single site that supports it? Look how many we already have https://twofactorauth.org/providers/ and this is not the complete list.

If there are a bunch of implementations of the same protocol (e.g. Google Authenticator) then I think they should be grouped under "Google Authenticator". Otherwise, it's unclear if the provider list represents a baffling profusion of different and incompatible OTP systems, or whether it's just a large number of vendors implementing a smaller set of standards.

As an end user, my main concern is: which sort of OTP system should I buy into? i.e. which one is implemented by the web sites that I care about? In fact, the reason I came to this site was after having obtained a U2F token to experiment with, I wanted to find out what sites other than Gmail I could use it with, and hence whether U2F is getting any traction (or will go the way of Google Wave).

Maybe I'm not your target audience, in which case, please excuse the noise.

[RichJeanes]

We already show details about specific sites with the "exceptions" tag. Would it be possible to do something similar with the check mark in the Hardware column? If not, or if that's too much work, then I believe that end-users are better off going through the doc links themselves. If you're interested enough in TFA to be using the site, you are obviously not too perverse to the idea of doing some research yourself.

[rugk]

We already show details about specific sites with the "exceptions" tag. Would it be possible to do something similar with the check mark in the Hardware column?

I also would think this is the best solution. :+1: Just a kind of tooltip/popup, which is shown on mouseover with all useful information in a short way. The same of course also applies to "software implementation" - there are many kinds how 2FA can be implemented. For example: TOTP: yes/no HOTP: yes/no own app: yes/no

And like this list it could be showed in the tooltip. As instead of "yes/no" you can of course also use the tick/cross images. (This would also address https://github.com/jdavis/twofactorauth/issues/993)

I think this way we can keep the actual look as it is and users can still simply get more information if they are interested by just hovering the mouse over the feature.

[RichJeanes]

If anyone would like to implement anything mentioned in this thread, feel free to submit a PR. Closing this for house keeping.