Open abhisekp opened 10 years ago
I agree. What's out there?
You can see a list of two factor authentication enabled sites from here https://en.wikipedia.org/wiki/Google_Authenticator#Usage
Here is a list of multifactor authentication technologies https://helpdesk.lastpass.com/security-options/#Multifactor+Authentication+Options
I see two issues with providing this list:
Maybe we could add a bit of metadata to each site -- "supports 2FA over SMS", "supports 2FA over Authenticator apps", "supports 2FA over calling", Yubikey, etc...
yes. That seems to be a better option
I think the JSON might look something like this...
```json
{
  "name": "Google",
  "url": "...",
  "howto": "...",
  "sms": true,
  "app": true,
  "call": true,
  "hardware": true
}
```
Is there other data we'd add?
Obviously we'd show this data on the page somehow.
that seems nice :+1:
It's a bit of an endeavor to add these, but I'll start adding the data here and there.
We should make it more like this
```json
{
  "name": "Google",
  "url": "...",
  "howto": "...",
  "info": "...",
  "sms": true,
  "call": true,
  "email": false,
  "app": true,
  "hardware": true
}
```
I could start adding this data on most of them.
@jamcat22 That looks good -- feel free to add the data! I'll add the relevant information.
Ok so should I add the data in that format? Also should we include a "paid-only":
That way for some providers cough Enjin, SecureSafe, and others cough that require a paid plan to enable 2fa, everyone knows.
I think I'd like the following keys:

- `methods`: an array of authenticator methods supported by the service (options: `sms`, `email`, `call`, `authenticator`, `hardware`, `onetime`... others?)
- `countries`: an array of two-letter country codes where 2FA is supported. If this key isn't there, it's assumed that every method is supported.
- `paidOnly`: a boolean if it only offers a paid plan. If there's a paid 2FA and an unpaid 2FA, this should be `false`.

So, for example:
```json
{
  "name": "GitHub",
  "url": "...",
  "howto": "...",
  "methods": ["authenticator", "sms", "onetime"],
  "countries": ["us", "gb", "kr"],
  "paidOnly": false
}
```
Sorry to keep changing my mind on this.
Five questions:

`authenticator` to `app` and from `onetime` to `backup` for printed backup codes to avoid confusion.

`push` is the Twitter app, where you either approve or deny the request from the app after a push notification is sent to your phone. I no longer think we need to add this since we have `authenticator`/`app` already (was kind of confused on what that was at first).

1: I agree about `backup` but isn't "app" more ambiguous?
2-5: Okay!
Maybe make it something like `mobileauthenticator`/`softauth` because `hardware` is also an authenticator.
Sure. You can start adding those if you like! Thanks for doing it (and putting up with my weird nitpicky-ness).
So just so I can make sure, the final should be:

- `methods`: `call`, `sms`, `email`, `hardware`, `backup`, `softauth` (any suggestions to change that one?)
- `countries`: two letter country codes like `us` (leave blank if worldwide)
- `paidOnly` (should we make the "o" lowercase to avoid syntax problems?): `true` or `false`
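
The entry format from the summary above, as an added example that is not part of the thread or the project's code: a JavaScript linter that checks an entry against the final key list and flags method labels and boolean flags left over from the earlier proposals. The function name `validateEntry`, the rule that `name`/`url`/`howto` are required, and reading a missing or empty `countries` list as worldwide are assumptions.

```javascript
// Added example, not the project's code; validateEntry is a hypothetical name.
// Method labels from the last summary in the thread.
const METHODS = new Set(["call", "sms", "email", "hardware", "backup", "softauth"]);
// Labels used earlier in the thread and the label that replaced them.
const RENAMED = new Map([["authenticator", "softauth"], ["app", "softauth"], ["onetime", "backup"]]);
// Per-method boolean keys from the first proposal, superseded by "methods".
const OLD_FLAGS = ["sms", "app", "call", "email", "hardware"];

function validateEntry(entry) {
  const errors = [];
  for (const key of ["name", "url", "howto"]) { // assumed required: present in every example
    if (typeof entry[key] !== "string" || entry[key] === "") errors.push(`${key}: expected a non-empty string`);
  }
  for (const key of OLD_FLAGS) {
    if (key in entry) errors.push(`${key}: old boolean flag, list it in "methods" instead`);
  }
  if (!Array.isArray(entry.methods) || entry.methods.length === 0) {
    errors.push("methods: expected a non-empty array");
  } else {
    const seen = new Set();
    for (const m of entry.methods) {
      if (seen.has(m)) errors.push(`methods: duplicate "${String(m)}"`);
      seen.add(m);
      if (METHODS.has(m)) continue;
      errors.push(RENAMED.has(m) ? `methods: "${m}" was renamed to "${RENAMED.get(m)}"` : `methods: unknown method "${String(m)}"`);
    }
  }
  // "countries" is optional; a missing or empty list is read as worldwide (assumption).
  const countries = entry.countries === undefined ? [] : entry.countries;
  if (!Array.isArray(countries)) {
    errors.push("countries: expected an array");
  } else {
    for (const c of countries) {
      if (typeof c !== "string" || !/^[a-z]{2}$/.test(c)) errors.push(`countries: "${String(c)}" is not a lowercase two-letter code`);
    }
  }
  if (typeof entry.paidOnly !== "boolean") errors.push("paidOnly: expected true or false");
  return errors;
}

// Constructed samples: the GitHub entry as posted above, then with the final labels.
const asPosted = { name: "GitHub", url: "...", howto: "...", methods: ["authenticator", "sms", "onetime"], countries: ["us", "gb", "kr"], paidOnly: false };
const updated = { ...asPosted, methods: ["softauth", "sms", "backup"] };
console.log(validateEntry(asPosted));
console.log(validateEntry(updated));
```
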
I'd abandon this -- I think we're going to merge with http://twofactorauth.org/.
Can I help with merging?
I think we should add a link to their site in the introduction; it seems like an all-around better site.
Sorry I'm so wishy-washy about this; I've been terribly busy with other stuff and haven't dedicated enough thought to this list.
It would be nice if you add a list of authenticator apps in various types of smartphones.