[HN Gopher] HTML attributes to improve your users' two factor au...
___________________________________________________________________

HTML attributes to improve your users' two factor authentication
experience

Author : ecaron
Score  : 102 points
Date   : 2020-01-11 20:34 UTC (2 hours ago)

(HTM) web link (www.twilio.com)

| casca wrote:
| While Twilio does a lot right, they still only offer SMS and
| their own proprietary Authy solution for 2FA for their website.
| No TOTP (and still no plan to offer the industry standard) means
| that this has a whiff of hypocrisy.
| philnash wrote:
| The Twilio 2FA API actually allows you to generate secrets and
| QR codes for generic authenticator applications now. Check out
| the documentation here:
| https://www.twilio.com/docs/authy/api/one-time-passwords#oth...
| ayberk wrote:
| These are all super nice and I really wish more developers made
| use of these, but my main complaint is not having username and
| password fields on the same page :/
| ljoshua wrote:
| Oy, me too, and though I love Twilio they are an offender here!
| What is the point of this pattern? Something to do with SSO
| validation or something?
| philnash wrote:
| It is to do with SSO. I will pass off to my Twilio colleague
| Kelley to answer this with a post she wrote last year:
| https://www.twilio.com/blog/why-username-and-password-on-two...
|
| The nice thing about using autocomplete with username and
| current-password is that it can help your password manager
| auto fill these fields across pages if they are implemented
| like this.
| pixelcort wrote:
| In the article they mention that:
|
| > You definitely want to consider using these attributes if you
| are building a login form with the username and password on
| different pages.
| stockkid wrote:
| > In a sign up form, make sure to use the "new-password" value as
| it triggers password suggestions in some browsers.
|
| Nice. I didn't know about that.
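An added example, not code from the thread or from the Twilio article, that puts the `autocomplete` values discussed above (`username`, `current-password`, `new-password`) into a server-rendered login flow and adds the 2FA code field. The `autocomplete="one-time-code"` token, the `inputmode="numeric"` hint and the `pattern` regex on that field are assumptions from the standard HTML autocomplete/inputmode attributes rather than values quoted in the comments; the server-side `normalizeOtp` mirrors the `pattern` because an HTML attribute is only a browser hint and cannot stand in for validation.

```javascript
// Added example, not from the thread or the Twilio article. Renders the
// login/sign-up/2FA inputs with the autocomplete hints discussed above and
// mirrors the 2FA field's `pattern` on the server, since HTML attributes are
// browser-side UX hints that a client can ignore or strip.

// One attribute set per field. `autocomplete="one-time-code"` is the
// standard token for SMS/TOTP codes (assumed here; not quoted in the thread),
// `inputmode="numeric"` brings up the digit keypad on phones, and `pattern`
// lets the browser flag a malformed code before the form is submitted.
const FIELD_ATTRS = {
  username:       { type: "text",     name: "username", autocomplete: "username" },
  password:       { type: "password", name: "password", autocomplete: "current-password" },
  "new-password": { type: "password", name: "password", autocomplete: "new-password" },
  otp: {
    type: "text", name: "code", autocomplete: "one-time-code",
    inputmode: "numeric", pattern: "[0-9]{6}", maxlength: "6", required: "",
  },
};

// Escape attribute values so a value can never close the quoted attribute
// or open a tag (the values above are constants, but renderInput is generic).
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// Render one <input>; a boolean attribute (empty string value) is emitted bare.
function renderInput(kind) {
  const attrs = FIELD_ATTRS[kind];
  if (!attrs) throw new Error(`unknown field kind: ${kind}`);
  const parts = Object.entries(attrs)
    .map(([k, v]) => (v === "" ? k : `${k}="${escapeAttr(v)}"`));
  return `<input ${parts.join(" ")}>`;
}

// Server-side twin of the client-side `pattern`: strip whitespace that some
// SMS autofill or paste paths add, then require exactly six ASCII digits.
// Returns the normalised code, or null when the submission must be rejected.
const OTP_RE = new RegExp(`^${FIELD_ATTRS.otp.pattern}$`);
function normalizeOtp(submitted) {
  if (typeof submitted !== "string") return null;
  const code = submitted.replace(/\s+/g, "");
  return OTP_RE.test(code) ? code : null;
}
```

Render `renderInput("username")` on the first page and `renderInput("password")` on the second so a password manager can still pair them, and run every submitted code through `normalizeOtp` before comparing it to the expected value.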
| cyberferret wrote:
| This is a really cool and informative article. I had heard of the
| 'pattern' attribute before, but I hadn't come across 'inputmode'
| before. This will solve a ton of headaches for my future
| development work.
| skunkworker wrote:
| I wish more sites would follow these protocols. When you have a
| numeric 2FA with a regular keyboard it feels less polished.
| tobyhinloopen wrote:
| Didn't we just learn you shouldn't use SMS 2FA?
| sneak wrote:
| Twilio offers a service to send SMSes via an API. Of course
| they're going to tell you to use this.
| sansnomme wrote:
| For low-stakes auth or simply duplicate user prevention SMS is
| sufficient. E.g. dating apps, sharing economy services,
| e-commerce sites.
| reaperducer wrote:
| A lot of people say that. But SMS 2FA is better than nothing.
| JshWright wrote:
| Is it though? Implementing SMS 2FA often means a site will
| never bother implementing anything better.
| jimbobimbo wrote:
| Not implementing SMS 2FA doesn't mean a site would
| implement anything either.
| hombre_fatal wrote:
| Nope, not if it introduces common customer support backdoors.
| robbya wrote:
| Sure, everything that has a backdoor is bad. But what does
| that have to do with SMS 2FA?
|
| Surely SMS 2FA (without a backdoor) is better than nothing.
| Sites should still offer something better than SMS for 2FA
| as it has widely documented issues. But as an end user
| presented with SMS 2FA or no 2FA, SMS 2FA is the safer
| option.
|
| Is there a reason to assume an arbitrary SMS 2FA
| implementation would have a back door? That would be news
| to me.
| zulln wrote:
| If access to the phone number is enough, with no password
| needed, then it is no longer 2FA.
| philnash wrote:
| SMS 2FA is still stronger than no 2FA.
| 9HZZRfNlpR wrote:
| Taking over accounts is mainly an American thing; the rest of
| the world uses the same method to identify yourself to a
| telecom company - by providing your ID card or passport.
| notlukesky wrote:
| SAASPASS has a much better 2FA user experience on the mobile
| phone than SMS, including URL callback to the 2FA app and app to
| app with SDK. For desktop environments configurable MFA methods
| include scanning encrypted barcodes and push login. More on the
| developer environment is here:
|
| developer.saaspass.com
|
| I work for an IAM consultancy/reseller and work on SAASPASS
| implementations.
| philnash wrote:
| Hello! I'm the author of this article. Thanks for posting! Here's
| to the power of HTML attributes and better sign in experiences
| for everyone.
| sneak wrote:
| I know you're probably paid to do so, but please stop
| recommending that site operators use SMS for a second factor.
|
| https://www.issms2fasecure.com/
| philnash wrote:
| I'm actually paid to say that too ;). In fact, SIM swapping
| isn't the only weakness of SMS; take a look into the SS7
| network and how that allows a rogue operator to redirect
| SMS messages too.
|
| At Twilio, we have APIs for two factor authentication and we
| recommend implementing via push notification to the Authy app
| with "approve" and "deny" buttons. This is more secure and a
| better experience than SMS. The API also allows for regular
| app based 2FA, with a TOTP code, which is more secure than
| SMS. But it also allows you to fall back to SMS, which is
| still more secure than no 2FA.
|
| You do have to consider the threat model for your own
| application when considering these sorts of security measures.
| If the value of an account takeover is high then a targeted
| attack can, and will, break SMS 2FA, which is why the Twilio
| 2FA API allows you to turn off SMS 2FA if you choose.
|
| Ultimately I'd prefer SMS over nothing when it comes to 2FA,
| but I also encourage developers to use more secure options
| that can also have a better experience.
| jxcl wrote:
| If you allow fallback to SMS instead of TOTP, your solution
| may be more secure than no 2FA, but it's no more secure
| than SMS either.
| philnash wrote:
| But as I said towards the end of the previous comment, if
| you deem the threat to your users great enough that
| targeted SMS attacks are a problem, you can turn off that
| fallback.
___________________________________________________________________
(page generated 2020-01-11 23:00 UTC)