New two-factor authentication library shows us most secure services online

Summary: Want to know which services offer two-factor authentication to keep your accounts safe? There is a simple, easy way to find out.

Following the high-profile hijack and ransom of the @N username on Twitter, software engineer Josh Davis has created a website to show users which services offer two-factor authentication -- and which do not.

Email accounts, social media and online retailers all store our personal information, ranging from telephone numbers to credit card data, if we choose to use the service. However, not all services offer heightened security features such as two-factor authentication, the use of an additional method to verify your identity if you try to access an account.

For example, online retail giant Amazon sticks with a password-only approach, whereas PayPal gives users the option to tie their mobile number to an account, sending a code which must be input in addition to a password if you try to log in. If you've been the victim of a phishing campaign and have mistakenly input your details, these types of security checks can help prevent your accounts from being hijacked.

In the case of @N, as noted in a blog post written by Davis over the weekend, Naoki Hiroshima's valuable and rare Twitter handle was taken over after a hacker used social engineering tactics to find out the details of Hiroshima's credit card, which was later used to gain access to a GoDaddy account -- leverage to force Hiroshima to release his Twitter handle.

"About a month ago I was going through the process of looking for a new domain registrar to transfer my domains to. My number one criteria was a secure registrar," Davis said. "Although I don't own a rare Twitter handle, it was scary to think about how the extortion of Naoki Hiroshima was possible just because of a lost domain name. Although GoDaddy does support two-factor auth, if Naoki had been using it for PayPal, his PayPal account would have been compromised as well."

As a result, the software engineer and computer science student decided to create a website dedicated to showing which of the most popular email, retail, social, financial, developer, and communication services offer two-factor authentication and which do not, giving us a quick way to find out which services are most secure.

TwoFactorAuth.org is the result. Popular services in each category are displayed, and a marker indicates whether they support two-factor authentication or not. In addition, a Twitter button lets you tweet out to companies to demand they support this security standard. The system is open source, and by going over to the GitHub repo you can contribute websites and add comments.

Davis commented:

"If every website that ends up on TwoFactorAuth.org ends up in the green and my website becomes pointless, then that is only a success in my vision.

"Here's to hoping that more sites will put the security of their customers first and invest in two factor auth."

Talkback

4 comments
  • I still

    like the look of SQRL.
    wright_is
  • TwoFactorSpam

    I'm sorry, I'm not that gullible. Giving my phone number to a website makes the user info they market worth more money and increases my risk by putting more of my personal info in one place. The less data any one site has on you, the less the damage when that one site is hacked. Tying everything together like Google and Facebook want you to do makes you extremely vulnerable.

    Besides, they can already ID the hardware you're on. I recently built a new PC for myself and plugged it into all the cords and cables the last one was plugged into. My internal and external IPs are unchanged and I'm using the same copy of Windows with the same product key, but Hotmail and Yahoo mail knew I was "logging in from a new device".

    The screwed up part was that each wanted to send a "second auth code" to the other for me to use to prove I am who I am before I could log on to my accounts. This was a big problem as I use Skype for my phone service (because it's the only phone I can "block everyone not in my phone book") and it uses the same login as Hotmail.

    Luckily I kept the old PC to use in another location in the house and was able to walk back and forth between rooms and get and use my so called 2nd auth codes.
    Sqrly
    • of course they knew

      Your new computer didn't have the cookies from the old. Had you copied them over, Hotmail and Yahoo wouldn't have noticed the change.
      vpupkin
      • re: of course they knew

        It's not just cookies that would be an issue for Sqrly, as mentioned the entire computer was replaced. This means new hardware ID (SID), new MAC address, and various other changes that browsers can see and therefore share with the servers on the Internet.
        l_creech