Comments on: Two Factor Authentication
http://www.terminally-incoherent.com/blog/2014/04/21/two-factor-authentication/
I will not fix your computer.
Tue, 04 Aug 2020 22:34:33 +0000

By: Dear Passwords, I F***ing Hate You | bloomfield knoble (Tue, 06 May 2014 15:18:14 +0000) http://www.terminally-incoherent.com/blog/2014/04/21/two-factor-authentication/#comment-96700

[…] Two Factor Authentication […]

By: Mitlik (Fri, 25 Apr 2014 15:58:51 +0000) http://www.terminally-incoherent.com/blog/2014/04/21/two-factor-authentication/#comment-84487

Man, if I had known you were this helpful in the comments I would have asked for protips about how to accomplish automatic backups in your last rant on the subject. Thanks for the clue-in about 2FA on so many services outside of Gmail.

By: Luke Maciak (Fri, 25 Apr 2014 00:03:06 +0000) http://www.terminally-incoherent.com/blog/2014/04/21/two-factor-authentication/#comment-83393

@ Liudvikas:

Personally, I use Google Authenticator because it is a standard HMAC-based OTP implementation. It works for me because several other services I use (including the Linode and Digital Ocean web panels) use it as a primary 2-factor tool.

Yubikey is interesting because it is not phone-based but a real physical token. This means it’s easier to lose, and it may not be easy to ship overseas. Also, when I looked into it, it was basically a thumb-drive with an encrypted partition and some binaries that were auto-run when you plugged it in… And it had no support for Linux, which was a deal-breaker for me.

Duo and Transakt seem more intuitive for end users, but they seem to require some communication with their servers. Their authorization seems to involve the site pinging their servers to push an acknowledgment notification to your phone, you acknowledging the login via the app, which gets sent to their server and back to the site which initiated the challenge. That seems like too many moving parts. Also, I have no clue what happens if their servers go down or are blocked by a firewall.

Google Authenticator churns numbers locally, so it will work even if Google stops supporting it. Also, it’s a standardized algorithm, so you can replace the authenticator app at any time.

Oh, and you can screenshot the QR code as a backup to re-authenticate with a new device if needed – which, as far as I can tell, is not an option with the other methods. So in my mind it is clearly superior.

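The “standard HMAC-based OTP” that the comment above relies on is HOTP (RFC 4226) with TOTP (RFC 6238) layered on top: the code is an HMAC of a shared secret and a counter derived from the clock, so it needs no server round-trip and any compliant app can replace Google Authenticator. The following is an added example, not code from the blog or from any of the commenters; it implements both algorithms from the standard library, checks them against the RFCs’ own published test vectors (secret “12345678901234567890”), and builds the otpauth:// URI that an enrollment QR code encodes. The issuer and account names are made up. The URI shows why the screenshot trick works as a backup and why that screenshot needs the same protection as the password vault: the base32 secret is in the URI in the clear.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) from the Python standard library.

Added illustration; not the blog's or any vendor's code. Assumptions:
the reference secret and expected codes are the RFC test vectors, and the
otpauth:// URI layout is the de-facto one used by Google Authenticator-
compatible apps. Nothing here talks to a network.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, urlparse

# Reference secret from RFC 4226 Appendix D / RFC 6238 Appendix B (ASCII digits).
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, 8-byte counter) -> dynamic truncation -> decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                              # low nibble of the last byte
    # 31-bit big-endian integer taken at the offset (top bit cleared per the RFC)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is floor(unix_time / step). Purely local."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, now, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the current step or +/- `window` steps of clock
    skew, comparing in constant time. A real verifier would also remember the
    last accepted counter so a code cannot be replayed inside the window."""
    counter = int(now) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return True
    return False


def otpauth_uri(secret: bytes, issuer: str, account: str,
                digits: int = 6, step: int = 30) -> str:
    """The text an enrollment QR code encodes. The secret is base32, not
    encrypted, so a saved copy of the QR code is a full credential backup."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


def secret_from_uri(uri: str) -> bytes:
    """What a replacement app does when you scan the saved QR code."""
    b32 = parse_qs(urlparse(uri).query)["secret"][0]
    b32 += "=" * (-len(b32) % 8)                         # restore base32 padding
    return base64.b32decode(b32)


if __name__ == "__main__":
    print(hotp(RFC_SECRET, 0))               # 755224 (RFC 4226 Appendix D)
    print(totp(RFC_SECRET, 59, digits=8))    # 94287082 (RFC 6238 Appendix B)
    uri = otpauth_uri(RFC_SECRET, "ExampleSite", "alice@example.org")  # made-up names
    print(uri)
    print(secret_from_uri(uri) == RFC_SECRET)
```

Because `totp` depends only on the secret and the clock, a phone that has the secret keeps producing valid codes with no vendor involved, which is the offline property the comment describes. The `window` parameter in `verify_totp` is the usual way a service tolerates a phone whose clock drifts by a step or two; widening it trades usability against the number of codes that are valid at once.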
By: Liudvikas (Wed, 23 Apr 2014 15:03:53 +0000) http://www.terminally-incoherent.com/blog/2014/04/21/two-factor-authentication/#comment-81593

@ Luke Maciak:
OK, I am convinced. Any advice on which option is best for LastPass?

By: Luke Maciak (Tue, 22 Apr 2014 23:24:06 +0000) http://www.terminally-incoherent.com/blog/2014/04/21/two-factor-authentication/#comment-80778

@ Liudvikas:

Most of the SMS-based services will prompt you to print out or save a set of “panic codes” or “recovery codes”, which are one-time passwords you can use in lieu of the 2nd factor in case you lose the activated device. So you have to lose two things to get completely locked out.

Also, Facebook, Twitter, etc. let you designate some computers as “trusted” machines and bypass the 2nd factor when you log in from them. The logic is that you probably want the 2nd factor on unknown machines and maybe on your work laptop, but perhaps not on the desktop in your bedroom. So chances are that even if you lose the phone, you can still get in and disable it from some of your machines.

@ Jason *StDoodle* Wood:

While it’s true that most general-purpose locks are trivial to open using a bump key, I was thinking more along the lines of design principles. Keys are designed to be secure unique tokens, whereas combinations/passwords are designed to be easily exchanged.

@ Matt`:

This is true for all the HMAC-OTP systems. The SMS-based systems don’t use QR codes but instead ask you to give them your mobile phone number so they can text you the codes.

By: Matt` (Tue, 22 Apr 2014 22:20:06 +0000) http://www.terminally-incoherent.com/blog/2014/04/21/two-factor-authentication/#comment-80724

Liudvikas wrote:

I am super paranoid of losing my phone, I would then be locked out of many many accounts.

Each account setup probably involves being shown a barcode. Keep a screenshot tucked away in an encrypted volume.

By: Jason *StDoodle* Wood (Tue, 22 Apr 2014 16:52:34 +0000) http://www.terminally-incoherent.com/blog/2014/04/21/two-factor-authentication/#comment-80409

Ah Luke, you are to real-world locks as most of the “tech clueless” are to Heartbleed-style security issues if you think anyone outside of large corporations and government agencies is using locks that are difficult to pick. ;)

By: Liudvikas (Tue, 22 Apr 2014 09:31:05 +0000) http://www.terminally-incoherent.com/blog/2014/04/21/two-factor-authentication/#comment-79934

The only problem I see with 2 factor identification is that I am super paranoid of losing my phone; I would then be locked out of many many accounts.

By: Ian Moriarty (Tue, 22 Apr 2014 01:10:47 +0000) http://www.terminally-incoherent.com/blog/2014/04/21/two-factor-authentication/#comment-79437

My problem with SMS-based 2FA is that it’s tied to a device I carry with me which can be easily lost or stolen. If I lose my phone, or it gets stolen, and my provider decides to screw me around about switching my number to a new SIM (it wouldn’t be the first time), I’ve lost access to my accounts. That said, looking at that list you linked, I didn’t realise software 2FA was quite so prevalent, so I may have to go through my accounts again and see what’s available… and possibly compromise on my backup and password policy of “I should be able to flee the country with nothing but the clothes on my back without losing more than an hour’s worth of data” for any important sites that only offer SMS-based 2FA.

By: Luke Maciak (Mon, 21 Apr 2014 23:25:18 +0000) http://www.terminally-incoherent.com/blog/2014/04/21/two-factor-authentication/#comment-79355

Actually, I am. :) It only triggers after you log in with a valid username and password though, so I’m pretty much the only person who sees the 2nd step, which is actually perfectly fine by me.
