conorgil145's comments

Heyo! Developer of 2FA Notifier and author of the article here.

Happy to answer any questions and have a larger conversation about the best way to get average internet users to enable 2FA on their accounts.

Any and all feedback/thoughts/comments appreciated!


I had been wanting to make something like this for years! This looks really cool. I hope to give it a try on my next project.


Thanks for the feedback!

Clean data is definitely going to be a challenge for this project moving forward. I've discussed several ideas in other comments in this thread, so check those out if you are interested.

It does look like inbox.google.com is missing from our data set. We have an open issue to make sure that all of the Google products are added [1].

The messaging that is currently shown there is definitely wrong too because inbox.google.com does support 2FA. We have another issue for handling the "unknown" state when the domain simply is not in our data set [2].

What type of messaging and UI do you expect to see when the extension is unsure whether a given site supports 2FA or not?

Feedback from the community will really help improve the extension! Thanks for sharing your thoughts!

[1] https://github.com/conorgil/2fa-notifier/issues/61

[2] https://github.com/conorgil/2fa-notifier/issues/39


It does look like inbox.google.com is missing from our data set. We have an open issue to make sure that all of the Google products are added [1].

The messaging that is currently shown there is definitely wrong too because inbox.google.com does support 2FA. We have another issue for handling the "unknown" state when the domain simply is not in our data set [2].

What type of messaging and UI do you expect to see when the extension is unsure whether a given site supports 2FA or not?

Also, have you had the chance to see the UX for a site that does support 2FA? We currently have over 1,000 domains in our data set, so there is bound to be a service that you use. Feedback from the community will really help improve the extension! Thanks for sharing your thoughts.

[1] https://github.com/conorgil/2fa-notifier/issues/61

[2] https://github.com/conorgil/2fa-notifier/issues/39


Thanks for the feedback! I just released an update that correctly supports www.google.com and www.facebook.com.


That is frustrating. I have been contributing to the twofactorauth.org project, but I am still new to the community there.

It is a really great resource of information with over 1,000 sites as of today. I am not aware of any other data sources that could provide similar information, but if you know of any, please do share!

2FA Notifier uses twofactorauth.org as a data feed, but does not rely on that data alone. I have made updates to the data already to help it work better for the use-case that 2FA Notifier is trying to solve.

I am looking to create a community around the support of data for 2FA Notifier. We would still use the twofactorauth.org data as a main source and contribute changes back to that project. However, I can see 2FA Notifier having a different set of criteria and processes so that we could move more quickly to get the data into production so that it is useful for users of 2FA Notifier.

Will you contribute data to the 2FA Notifier project? I can reach out to you offline if you're interested. I'd love to chat!


> Will you contribute data to the 2FA Notifier project?

Given that it's a Chrome extension, and I neither use Chrome nor have it installed, that seems unlikely.

You're free to merge my PRs (linked below in the reply to @davis) into your data set, but honestly I'd say at this point unless something changes they are a dubious choice of data (see further response to @davis below).


Gotcha. If you happen to use Firefox, I published the extension to the FF store yesterday too [1].

I will definitely take a look at your PRs. I see that you linked them below. I plan to review all of the outstanding PRs in the twofactorauth.org project to see if there are good data cleanup/improvements that I can take advantage of too.

[1] https://addons.mozilla.org/en-US/firefox/addon/2fa-notifier/


Sorry - Safari here. If you get to the point of a Safari version, I'd definitely try it out.


Gotcha. It will likely be...a while before I get around to writing a Safari extension, but I am certainly open to it!

I honestly don't know the first thing about creating an extension for Safari. I wish they would just get on board and support the WebExtension standard #wishfulthinking


> We need some guidelines for proper 2FA implementation.

I could not agree more. I write a lot about 2FA on my site, All Things Auth [1], and do teardowns of 2FA implementations for sites.

In March, we featured Zapier [2] in a screencast episode and a 5 post series digging deep into their 2FA implementation and related topics. I highlighted some things they are doing well and also made suggestions on how they could improve.

I plan to continue doing teardowns for 2FA implementations from many different types of sites. I plan to create a definitive guide to aggregate 2FA implementation best practices.

[1] https://www.allthingsauth.com/tag/2fa/

[2] https://www.allthingsauth.com/zapier


Whoops! Good catch. Fixed.


I also fixed it on the Chrome store description as well. :) Thx for catching that!


That is a great idea! I am 100% in favor of helping the users understand the security tradeoffs between the 2FA methods.

We definitely have it on the roadmap to update 2FA Notifier to include more educational content. Thanks for the feedback!

I am currently writing a series on 2FA on my site All Things Auth [1] that gets into the details explaining how each method works and exploring the security and usability tradeoffs of each. I want to put together a summary and/or infographic highlighting the main takeaways and hopefully link to something like that from 2FA Notifier.

Currently, we use the data from twofactorauth.org [2] as our main data feed. I definitely encourage you to check out their community on GitHub and propose your idea there too!

[1] https://www.allthingsauth.com/tag/2fa/

[2] https://github.com/2factorauth/twofactorauth


Great thing the blog posts. I wrote about security keys working on iOS recently, feel free to grab material if you need.

http://medium.com/@0x0ece/googles-advanced-protection-progra...


Thanks for the positive feedback! There are 2 main articles in the 2FA series left to write (Push 2FA and U2F/WebAuthn), but there are a ton of other posts I have bouncing around in my head. Join the email list if you're interested in getting updates!

I'll definitely give your post a read too!

Have you found it effective publishing on Medium vs your own blog? I've been considering cross posting my articles for additional exposure. Curious to hear your thoughts.


Medium infinitely, LinkedIn is also gaining popularity if you want/need to boost your network.

Feel free to write me via email if you'd like to talk more, but between HN and Hackernoon, with Medium any of my posts gets at least a thousand reads. This one is currently at 4.6k views/1.9k reads. There's no way I'd get this reach with my own blog.


+1 on the great idea!

(I'm the other half of this team. I tackle the UX/UI parts)

@encyclic, I'm curious about how you typically approach enabling 2FA.

- How do you typically choose which services to enable 2FA for?

- What do you do now if a service doesn't have 2FA OR doesn't have the type of 2FA appropriate for your situation?

As Conorgil145 mentioned, we have this on our roadmap and have some ideas about how to approach this. But understanding how you approach things now will definitely help us to craft a more effective solution.


Thanks for the feedback! We use the data from twofactorauth.org as our main data feed, so that is where we pick up the domains.

I am definitely open to augmenting those entries, but trying to think about ways to either automate (ideal) or crowdsource contributions on the data side.

Any thoughts? Would you be interested in contributing data updates like this?


Do you think twofactorauth.org would be willing to list the regional Amazon websites separately so that your extension can pick them up automatically?


I am not a core committer for twofactorauth.org (yet! I hope to become one!), so I cannot say whether they will accept a PR like that. However, there is an open issue discussing this topic that is worth reading over [1].

2FA Notifier has a bit of an easier job since we don't have to render anything or make it searchable (as of today). I would happily review any PRs along these lines! The data is currently hard coded in a TypeScript file, which makes it really easy to update [2].

I plan to document criteria for contributing data to 2FA Notifier like this, but just haven't had the time. One entry per PR would be ideal if you are motivated to contribute!

[1] https://github.com/2factorauth/twofactorauth/issues/1025

[2] https://github.com/conorgil/2fa-notifier/blob/master/src/typ...

