Two factor authentication list

[17pm]

Quote:

Originally Posted by pjwalsh

20 bucks a year is crazy expensive?

Fastmail is winning in the race to become my next e-mail provider. Sadly, they're Australia based with servers in the US. That's horrible, specially considering the new Australia's terror law. Their support also doesn't seem to be very good.

[Jack]

Quote:

Originally Posted by lpn

The two factor authentication list twofactorauth.org has an email section that lists some of the commonly used email providers.

If some of your email providers are not listed, submit a pull request on their github repository to be included in the list.

If some of them don't support 2FA, click on the provided link corresponding to the providers in question (as I did for gmx.com) to post a tweet asking them to implement it.

Just FYI, that web site appears to be down. I've tried three times over the past week to access it with no luck.

[17pm]

Quote:

Originally Posted by Jack

Just FYI, that web site appears to be down. I've tried three times over the past week to access it with no luck.

The website is working to me..

EDIT:

Someone should submit a "Pull Request" on their GitHub page and add posteo.de and mailbox.org.

I've no idea how to do it..

[Dutchie007]

mail.de is also supporting U2F...! Now there is a special program if you sign up via emailtester.de.

They give you an inicial storage of 10 gigs...and it gets larger if you need it. All for free. And NO ads in the web interface:-)

Only thing could be, that they only accept clients from germany..! (sadly) They want an address AND a cellphone number,like most german mail providers.

You can try signing up from another country but I don't know if that works.

Dutchie.

[Tsunami]

I realise I'm behind here and how odd this question will be like, but ... 2FA means that to access an account (be it a webmail account or other internet service) you have to enter your username, password AND an ever-rotating code sent through SMS ; is that correct?

[kangas]

Quote:

Originally Posted by Tsunami

I realise I'm behind here and how odd this question will be like, but ... 2FA means that to access an account (be it a webmail account or other internet service) you have to enter your username, password AND an ever-rotating code sent through SMS ; is that correct?

Hi. Two factor authentication means that there are 2 pieces of information used to verify your identity. It really doesn't matter what those two things actually are. It is common for them to be a password and an SMS token, but in truth, you can just pick any 2 things from the following (definitely not exhaustive) list:

* password
* SMS Token
* A token pushed to an authorized application on your phone
* Touching "yes" or "i approve" on a special application on your phone.
* A Token emailed to a separate email address
* A rotating number read off of a hardware fob (e.g. a RSA hardward token)
* A client-side TLS certificate
* A fingerprint reader
* An iris scanner
* A second, unrelated password
* etc.

It is generally though that a good 2FA scheme uses something you know (e.g. your password) together with something you have (e.g. your phone) so that it is harder to compromise.

It is important to note that the security of SMS-based tokens is not that great against a determined attacker:

https://www.wired.com/2016/06/hey-st...uthentication/

https://luxsci.com/blog/sms-is-broke...text-ephi.html

[Tsunami]

Quote:

Originally Posted by kangas

Hi. Two factor authentication means that there are 2 pieces of information used to verify your identity. It really doesn't matter what those two things actually are. It is common for them to be a password and an SMS token, but in truth, you can just pick any 2 things from the following (definitely not exhaustive) list:

* password
* SMS Token
* A token pushed to an authorized application on your phone
* Touching "yes" or "i approve" on a special application on your phone.
* A Token emailed to a separate email address
* A rotating number read off of a hardware fob (e.g. a RSA hardward token)
* A client-side TLS certificate
* A fingerprint reader
* An iris scanner
* A second, unrelated password
* etc.

It is generally though that a good 2FA scheme uses something you know (e.g. your password) together with something you have (e.g. your phone) so that it is harder to compromise.

It is important to note that the security of SMS-based tokens is not that great against a determined attacker:

https://www.wired.com/2016/06/hey-st...uthentication/

https://luxsci.com/blog/sms-is-broke...text-ephi.html

A fingerprint scanner Is there any email service that would offer that option ?


Anyways, I think SMS as an extra on top of the password isn't bad, most people wouldn't even be aware of 2FA's existance, let alone use it. So any added authentication factor seems like a good security measurement, realising that the average internet user probably doesn't even use 2FA.