2 Factor Authentication
-
Anonymous commented
In any case, the implementation should support TOTP, since it's the standard used by almost every server and client implementation. U2F should be supported for those who wish to use a key-holding physical token like a Yubikey, who seem to be a lot of people judging from the comments below.
Please don't recommend Google Authenticator or Authy, since they are proprietary software. We don't want to trust an application with source code we cannot see for account security. If an application must be recommended for mobile devices, I suggest FreeOTP.[1]
Even though people might think otherwise, two-factor authentication with a phone is not necessarily more secure than with a personal computer. Don't assume in the interface, like so many websites unfortunately do, that people will necessarily use a phone when there are actually many other ways to use two-factor authentication! This also means not asking for a phone number, and instead just providing a QR code and the shared OTP secret, in base32 or hexadecimal format. Most TOTP implementations can work with those.
Finally, don't support two-factor authentication with SMS because SMS is absolutely not a secure communication protocol and was not designed with such uses in mind. In particular, allowing password recovery with SMS would make the current account system less secure than it is now, because email is actually more secure than SMS for this (in most cases, unfortunately most email servers fall back to an unencrypted connection if the server they're communicating with claims not to support SSL).
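A minimal RFC 6238 TOTP generator and server-side verifier, added here as an illustration of the scheme the comment above describes (not ProtonMail's code or the commenter's). It accepts the shared secret in base32 or hex, the two formats the comment asks to be shown alongside the QR code; the secret and time values used in the comments are the RFC's published test vector, and the one-step drift window is a constructed policy choice.

```python
import base64
import hashlib
import hmac
import struct


def decode_secret(secret: str, encoding: str = "base32") -> bytes:
    """Decode the shared secret from base32 (what otpauth:// QR codes carry)
    or hex. Base32 is taken explicitly: strings like 'DEADBEEF' are valid in
    both encodings, so guessing would be unsafe."""
    s = secret.strip().replace(" ", "")
    if encoding == "hex":
        return bytes.fromhex(s)
    s = s.upper() + "=" * (-len(s) % 8)  # restore padding that QR URIs omit
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then the
    'dynamic truncation' of 31 bits at an offset taken from the last byte."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, at // step, digits, algo)


def verify_totp(key: bytes, code: str, at: int, step: int = 30, digits: int = 6,
                window: int = 1, last_counter: int = -1, algo=hashlib.sha1):
    """Server-side check. Accepts +/- `window` steps of clock drift, compares
    in constant time, and refuses any counter not newer than the last one
    accepted for this user, so a code captured by a phishing page or shoulder
    surfing cannot be replayed inside its 30-second validity.
    Returns the accepted counter (to persist as the new last_counter) or None."""
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, c, digits, algo), code):
            return c
    return None
```

The caller must store the returned counter and pass it back as `last_counter` on the next attempt; without that, the drift window is also a replay window.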
-
Cathal commented
First off, I would like to thank and commend your team on your excellent work during the recent attacks on your service. I would also like to suggest that you consider offering two factor authentication.
Regards,
Cathal
-
J Gohman commented
Add support for software 2FA (i.e., Google Authenticator)
-
Anonymous commented
I would like this but also the ability to be asked random characters from a long pass phrase. Some people don't have a fixed mobile phone and travel a lot.
-
Anonymous commented
BitID or SQRL as other 2 Factor implementations.
-
Þorvaldur Stefánsson commented
Please add Yubikey support
-
Anonymous commented
Please include Authy for 2FA.
-
Anonymous commented
Yubikey is awesome
-
Anonymous commented
These days, I honestly believe that two-factor authentication for one’s primary email account is absolutely mandatory, you’d have to be crazy not to have it.
-
amilopowers commented
I would love to see Yubikey support as well!
-
Anonymous commented
Please include Yubikey support for Desktop and mobile phone (with NFC)
-
Anonymous commented
Yubikey would indeed be great! Especially for a security-oriented email system.
-
Anonymous commented
Please include Yubikey support.
-
Anonymous commented
Is there any news about 2FA?
-
Anonymous commented
Also agree U2F would be nice.
-
Anonymous commented
I would also appreciate integration with YubiKey. The kind of people who are aware of, and use ProtonMail are probably also similarly acquainted with YubiKey, so a large percentage of users would certainly benefit.
-
Richard Nathan commented
Please use the app "authy" for 2FA. It will make the implementation even more secure. Thank you.
-
Verito commented
Personally I don't think it's a bad idea, HOWEVER there needs to be a system in place to manage that. Google hates users rooting their phones (Android), so most users won't. If this were to be the case on mobiles, there needs to be a secure place for the key to be stored, and in a place where the user cannot access it without root permissions (including other apps); otherwise there is the risk of the user losing the key.
It's less likely on computers, but there also needs to be a mechanism to get around the key in the event the user loses it. Instead, personally, there should be an authenticator of some sort for the additional layer of security. Fewer things can go wrong there, but a file upload would be good. Too many things can go wrong though (like file tampering and copying). An authenticator is most likely the best option here, again my opinion.
@Newguy: Your idea is complex but I like it, slightly excessive, but I guess for users who are security paranoid (as you should be on the internet) then something like this would be suitable.
@Markus Jansson: I partially agree with you. It would be easy for hackers to steal the key files if this idea was implemented; however, this idea isn't stupid. It does add a lot of security, providing that the user's computer is completely clear of infections. It would be possible to put the file on cloud storage or a flash drive and upload the file from there, so it can be quite secure; it will just depend on the user and not the service (if implemented).
-
Mike commented
I like LastPass's one-time password feature because it can only be used once. LastPass provides an app that creates OTPs that you can store on a USB key.
-
Anonymous commented
Yubikey!!