(2017-07-10) Twofactor Authentication Is A Mess

Two-Factor Authentication is a mess

For much of the last five years, the center of the campaign for two-factor has been twofactorauth.org, a site run by Carl Rosengren that’s dedicated to naming and shaming any product that doesn’t offer two-factor.

But victory has been messier than anyone expected. There are dozens of different varieties of two-factor now, expanding far beyond the site’s ability to catalog them.

The promise of two-factor began to unravel early on. By 2014, criminals targeting Bitcoin services were finding ways around the extra security, either by intercepting software tokens or through more elaborate account-recovery schemes.

Here’s a rundown of which varieties are better, and which should be avoided altogether.

The most secure form of two-factor is a hardware token. The most popular is the Yubikey.

If you don’t want to shell out for a security key, your best bet is a dedicated app like Authy or Google Authenticator.

Avoid... SMS.

