List of Authenticator apps #11

Open
abhisekp opened this issue Dec 18, 2013 · 22 comments

Comments

@abhisekp
Contributor

It would be nice if you added a list of authenticator apps for various types of smartphones.

@EvanHahn
Owner

I agree. What's out there?

@abhisekp
Contributor Author

You can see a list of two factor authentication enabled sites from here https://en.wikipedia.org/wiki/Google_Authenticator#Usage

@abhisekp
Contributor Author

Here is a list of multifactor authentication technologies
https://helpdesk.lastpass.com/security-options/#Multifactor+Authentication+Options

@EvanHahn
Owner

I see two issues with providing this list:

  1. we'd have to maintain it
  2. it's not supported on all 2FA solutions. Facebook, for example, doesn't support Google Authenticator

Maybe we could add a bit of metadata to each site -- "supports 2FA over SMS", "supports 2FA over Authenticator apps", "supports 2FA over calling", Yubikey, etc...

@abhisekp
Contributor Author

Yes. That seems to be a better option.

@EvanHahn
Owner

I think the JSON might look something like this...

{
  "name": "Google",
  "url": "...",
  "howto": "...",
  "sms": true,
  "app": true,
  "call": true,
  "hardware": true
}

Is there other data we'd add?

Obviously we'd show this data on the page somehow.

@abhisekp
Contributor Author

That seems nice 👍

@EvanHahn
Owner

It's a bit of an endeavor to add these, but I'll start adding the data here and there.

@jamcat22
Contributor

We should make it more like this
{ "name": "Google", "url": "...", "howto": "...", "info": "...", "sms": true, "call": true, "email": false, "app": true, "hardware": true }

I could start adding this data on most of them.

@EvanHahn
Owner

EvanHahn commented Feb 3, 2014

@jamcat22 That looks good -- feel free to add the data! I'll add the relevant information.

@jamcat22
Contributor

jamcat22 commented Mar 8, 2014

Ok so should I add the data in that format? Also should we include a "paid-only":

That way for some providers cough Enjin, SecureSafe, and others cough that require a paid plan to enable 2FA, everyone knows.

@EvanHahn
Owner

EvanHahn commented Mar 8, 2014

I think I'd like the following keys:

  • methods: an array of authenticator methods supported by the service (options: sms, email, call, authenticator, hardware, onetime...others?)
  • countries: an array of two-letter country codes where 2FA is supported. If this key isn't there, it's assumed that every method is supported.
  • paidOnly: a boolean if it only offers a paid plan. If there's a paid 2FA and an unpaid 2FA, this should be false.

So, for example:

{
  "name": "GitHub",
  "url": "...",
  "howto": "...",
  "methods": ["authenticator", "sms", "onetime"],
  "countries": ["us", "gb", "kr"],
  "paidOnly": false
}

Sorry to keep changing my mind on this.
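
An added example, not part of the original thread or the project's own code: a validator for entries in the format proposed in the comment above. The function names and the sample data are constructed for illustration, and treating `paidOnly` as required and country codes as lowercase are assumptions.

```python
import json

# Method names listed in the comment above; the thread leaves the set open.
ALLOWED_METHODS = {"sms", "email", "call", "authenticator", "hardware", "onetime"}
KNOWN_KEYS = {"name", "url", "howto", "methods", "countries", "paidOnly"}
# Constructed sample: the GitHub entry from the thread plus a malformed entry.
SAMPLE = """[
  {"name": "GitHub", "url": "...", "howto": "...",
   "methods": ["authenticator", "sms", "onetime"],
   "countries": ["us", "gb", "kr"], "paidOnly": false},
  {"name": "Google", "url": "...", "howto": "...", "sms": true,
   "methods": ["push"], "countries": ["USA"], "paidOnly": "false"}
]"""

def is_country_code(c):
    return isinstance(c, str) and len(c) == 2 and c.isascii() and c.isalpha() and c.islower()

def validate_entry(entry):
    """Return a list of problems for one site entry; an empty list means valid."""
    if not isinstance(entry, dict):
        return ["entry is not a JSON object"]
    # Unknown keys catch typos and the earlier per-method booleans ("sms": true).
    problems = [f"{key}: unknown key" for key in sorted(set(entry) - KNOWN_KEYS)]
    for key in ("name", "url", "howto"):
        if not isinstance(entry.get(key), str) or not entry[key].strip():
            problems.append(f"{key}: must be a non-empty string")
    methods = entry.get("methods")
    if not isinstance(methods, list) or not methods:
        problems.append("methods: must be a non-empty array")
    else:
        problems += [f"methods: unsupported value {m!r}" for m in methods
                     if not isinstance(m, str) or m not in ALLOWED_METHODS]
    # "countries" is optional; when present it must list two-letter codes.
    if "countries" in entry:
        countries = entry["countries"]
        if not isinstance(countries, list) or not countries:
            problems.append("countries: must be a non-empty array when present")
        else:
            problems += [f"countries: not a two-letter lowercase code: {c!r}"
                         for c in countries if not is_country_code(c)]
    # Only JSON true/false is accepted; 0/1 or the string "false" are rejected.
    if not isinstance(entry.get("paidOnly"), bool):
        problems.append("paidOnly: must be true or false")
    return problems

def validate_list(json_text):
    """Parse a JSON array of entries; map each invalid entry's index to its problems."""
    entries = json.loads(json_text)
    if not isinstance(entries, list):
        raise ValueError("top level must be a JSON array")
    return {i: p for i, e in enumerate(entries) if (p := validate_entry(e))}
```
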

@jamcat22
Contributor

jamcat22 commented Mar 8, 2014

Five questions:

  1. What is the difference between authenticator and onetime?
  2. Should we add push to the methods?
  3. Which represents a mobile app?
  4. Should I start adding the data now?
  5. Should we add this to the README as kind of a guide to updating the JSON?

@EvanHahn
Owner

EvanHahn commented Mar 9, 2014

  1. Maybe I got the names wrong. There are authenticator apps like Google Authenticator and then there are these one-time-usage codes that some sites give you. For example, if you lose your phone, you can still access Dropbox with these codes you download once.
  2. What's an example of push?
  3. There's a companion phone app that's unique to the service. Twitter's strategy is an example of this.
  4. If you want!
  5. Let's add it to the README when we see how well it works.

@jamcat22
Contributor

  1. Maybe we should change it from authenticator to app and from onetime to backup for printed backup codes to avoid confusion.
  2. An example of push is the Twitter app, where you either approve or deny the request from the app after a push notification is sent to your phone. I no longer think we need to add this since we have authenticator/app already (was kind of confused on what that was at first).
  3. Ok that makes sense.
  4. Great!
  5. Ok.

@EvanHahn
Owner

1: I agree about backup but isn't "app" more ambiguous?
2-5: Okay!

@jamcat22
Contributor

Maybe make it something like mobileauthenticator/softauth because hardware is also an authenticator.

@EvanHahn
Owner

Sure. You can start adding those if you like! Thanks for doing it (and putting up with my weird nitpicky-ness).

@jamcat22
Contributor

So just so I can make sure, the final should be:
methods: call, sms, email, hardware, backup, softauth (any suggestions to change that one?)
countries: two letter country codes like us (leave blank if worldwide)
paidOnly (should we make the "o" lowercase to avoid syntax problems?): true or false

@EvanHahn
Owner

I'd abandon this -- I think we're going to merge with http://twofactorauth.org/.

@jamcat22
Contributor

Can I help with merging?

@EvanHahn
Owner

I think we should add a link to their site in the introduction; it seems like an all-around better site.

Sorry I'm so wishy-washy about this; I've been terribly busy with other stuff and haven't dedicated enough thought to this list.
