Help talk:Two-factor authentication/Archives/2018

Disabling TFA

Is there any way to prevent a user from disabling TFA? Caiovernaglia (talk) 18:55, 12 March 2018 (UTC)

@Caiovernaglia: not yet, but ways to do it are being discussed here: phab:T150562. — xaosflux Talk 19:24, 12 March 2018 (UTC)

Advertising proprietary solutions

I've just received an email from User:WMFOffice which contained advertising for what appears to be proprietary software (https://authy.com/ and w:Google Authenticator). Please stop such despicable use of Wikimedia resources. --Nemo 11:53, 17 November 2018 (UTC)

@Nemo, I've been slowly looking for better tools for the past year or two. Those two are the two most recommended tools in most places I've found. I've seen those 2 tools are the only 2 mentioned in the EFF's blog post "The 12 Days of 2FA: How to Enable Two-Factor Authentication For Your Online Accounts" (albeit 2 years ago), and their list at Surveillance Self Defense guide only includes "Google Authenticator, Duo Mobile, the Facebook app, or Clef" (plus a link to the "12 Days" blog post at the bottom) of which #2 and #3 are also closed source and the 4th is a hardware dongle. (I emailed EFF in September suggesting they update the list, but nothing has changed yet).
AFAICT, freeOTP is the only semi-widely recommended foss alternative (that I've seen) that is suitable for most people and available on both major mobile platforms. Hence I added it and Authy (which I use and have seen recommended by reliable sources) in September. However, freeOTP doesn't have a feature for backups (at least on Android), which is a very important feature because of how (un)reliable both hardware and humans are... (phones can break, and humans often seem to ignore the instructions to write down their scratch tokens).
There is also andOTP but that's Android only, and authenticator but that's iOS only, and there's https://totp.app but that doesn't support QR codes, and WinAuth but that's M$ only, and oathtool but that's CLI-only. I've now added a few of those to the list here, and shuffled it to make foss-ness clearer. I'll send a note to some staff telling them I've added this useful list here, that they could use in future emails.
I investigated why https://privacytools.io doesn't have a section for 2fa software, and wrote notes at their issue tracker in September.
We could potentially even add other closed tools such as 1Password or LastPass which have the (arguably major) benefit of encouraging secure password habits (non-duplication, strong-random-generation, etc). But I don't have experience with those, plus they're closed, hence I haven't added them here myself.
If you can find anything better for us to learn from, listing reliable and user-friendly FOSS software that realistically works for most people, then that might be more helpful than just angry ranting? :P *grumbles* *sighs* --Quiddity (talk) 08:23, 18 November 2018 (UTC)