Two-factor authentication - a handy list of who offers it (and who doesn't)

A new website has been created, urging more services to offer two-factor authentication.

The good news is that more and more websites are integrating two-factor authentication (2FA), offering their users a higher level of protection over their accounts. But there are clearly more who need to jump on the bus.

A well-implemented two-factor authentication system means that it's no longer the case that the only barrier between your online account and a hacker is whether they can determine your username (which is often just your email address) and password.

In many cases, websites offering 2FA will send a short SMS message to your phone when you try to log in or perform an action which requires an additional security check. In other cases, the website might ask you to check an app on your smartphone or a tag on your keyring, which displays a one-time password that changes every 30 seconds or so.

Because the hackers (hopefully) don't have their paws on your phone or keyring, they won't be able to break into your account with just your username and password.

This doesn't mean your accounts are impregnable of course, but two-factor authentication (also sometimes known as two-step verification or multi-factor authentication) provides a much higher level of protection than accounts without it have.

It seems every week there are new websites allowing users to protect their accounts with two-factor authentication. Just earlier this week, for instance, Tumblr boosted security for its users, comparing 2FA to "how you need two keys to launch a nuclear missile".

I was lucky enough to stumble across the twofactorauth.org website, which offers a helpful list of websites offering 2FA, how they have implemented 2FA (for instance, whether it is done via SMS or commonly-used systems like Google Authenticator), and - interestingly - which websites *haven't* implemented the security system yet.

The site's creator, Josh Davis, said in a blog post that he created the site after he heard the worrying story of how Naoki Hiroshima had his ultra-short-and-desirable @N Twitter user account hijacked.

Although I don't own a rare Twitter handle, it was scary to think about how the extortion of Naoki Hiroshima was possible just because of a lost domain name.

Although GoDaddy does support two factor auth, if Naoki hadn't been using it for PayPal, his PayPal account would have been compromised as well.

I did a Google search for a list of sites with two factor auth and the results were pretty dissatisfying. The first result was a website with a huge list of sites that was barely usable.

This gave me an idea for my next mini-project.

Presently the site includes details about over 150 websites, including social networks, online banks, file-sharing services and many more, and has made it easy to submit details of other sites if you would like them to be added.

Let's hope the site encourages more websites to integrate two-factor authentication, and raises awareness of the additional security users can enable to better protect their accounts.

2 Responses

  1. Miranda

    March 31, 2014 at 3:37 pm #

    Twofactorauth.org is a great guide for consumers. I am so excited to see the spread of better security. I think most companies who haven't implemented these extra security measures are reluctant due to how their users will react to this extra step to security… because 2fa does involve doing extra steps. Most 2fa solutions I have used are very cumbersome like Google Authenticator, which I used for maybe two weeks but then turned it off because of how annoying it was to me. I recently found an awesome 2fa solution called Toopher through my LastPass (password manager) account. Toopher seems to get 2fa right by creating an automation feature, which uses the location awareness of your smartphone, that allows the user to go on with business without being interrupted every time they need to log in. The problem is that it seems many people do not know about Toopher – I've only seen it offered on LastPass and WordPress – so how do solutions like this get implemented into my other accounts? I want my credit union to offer Toopher and Facebook and Twitter. It would make me feel so much more secure and I wouldn't have to give up my user experience.

  2. Michael

    February 5, 2016 at 4:01 pm #

    I use Protectimus Smart software authenticator instead of Google Authenticator. I like it because it is compatible with the smartwatch and is additionally protected with a PIN.
