[HN Gopher] HTML attributes to improve your users' two factor au...
       ___________________________________________________________________
        
       HTML attributes to improve your users' two factor authentication
       experience
        
       Author : ecaron
       Score  : 102 points
       Date   : 2020-01-11 20:34 UTC (2 hours ago)
        
 (HTM) web link (www.twilio.com)
 (TXT) w3m dump (www.twilio.com)
        
       | casca wrote:
       | While Twilio does a lot right, they still only offer SMS and
       | their own proprietary Authy solution for 2FA for their website.
       | No TOTP (and still no plan to offer the industry standard) means
       | that this has a whiff of hypocrisy.
        
         | philnash wrote:
         | The Twilio 2FA API actually allows you to generate secrets and
         | QR codes for generic authenticator applications now. Check out
         | the documentation here:
         | https://www.twilio.com/docs/authy/api/one-time-passwords#oth...
        
       | ayberk wrote:
        | These are all super nice and I really wish more developers made
        | use of these, but my main complaint is not having username and
        | password fields on the same page :/
        
         | ljoshua wrote:
         | Oy, me too, and though I love Twilio they are an offender here!
         | What is the point of this pattern? Something to do with SSO
         | validation or something?
        
           | philnash wrote:
           | It is to do with SSO. I will pass off to my Twilio colleague
           | Kelley to answer this with a post she wrote last year:
           | https://www.twilio.com/blog/why-username-and-password-on-
           | two...
           | 
            | The nice thing about using autocomplete with username and
            | current-password is that it can help your password manager
            | autofill these fields across pages if they are implemented
            | like this.
        
         | pixelcort wrote:
         | In the article they mention that:
         | 
         | > You definitely want to consider using these attributes if you
         | are building a login form with the username and password on
         | different pages.
        
       | stockkid wrote:
       | > In a sign up form, make sure to use the "new-password" value as
       | it triggers password suggestions in some browsers.
       | 
       | Nice. I didn't know about that.
        
       | cyberferret wrote:
        | This is a really cool and informative article. I had heard of the
        | 'pattern' attribute before, but I hadn't come across 'inputmode'
        | before. This will solve a ton of headaches for my future
        | development work.
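As an added example, not code from the Twilio article or from anyone in this thread, the following JavaScript renders the inputs with the attributes discussed above (autocomplete with username / current-password, new-password on sign-up, and pattern / inputmode on the 2FA code field) and pairs them with the server-side check that has to back the client-side pattern, since browser hints are a usability aid rather than a security control. The `one-time-code` autocomplete token is the HTML standard's value for this purpose (not quoted on this page), and the six-digit code length is an assumption; adjust it to whatever your OTP generator issues.

```javascript
"use strict";

// Escape a value for safe placement inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Render one <input> element from an attribute map; a `true` value emits a
// boolean attribute (e.g. `required`), anything else is escaped and quoted.
function renderInput(attrs) {
  const parts = Object.entries(attrs).map(
    ([k, v]) => (v === true ? k : `${k}="${escapeAttr(v)}"`)
  );
  return `<input ${parts.join(" ")}>`;
}

// Assumed code length; TOTP codes are commonly six digits but this is not
// stated on the page, so change it to match your own generator.
const OTP_LENGTH = 6;

// Attribute sets for the field purposes discussed in the thread.
const FIELDS = {
  // Login, page one: username alone. With the autocomplete token set, a
  // password manager can still pair it with the password on the next page.
  username: {
    type: "text", name: "username", autocomplete: "username",
    autocapitalize: "off", spellcheck: "false", required: true,
  },
  // Login, page two: an existing password, so managers fill rather than
  // offer to generate a new one.
  currentPassword: {
    type: "password", name: "password", autocomplete: "current-password",
    required: true,
  },
  // Sign-up: "new-password" is what triggers password suggestions.
  newPassword: {
    type: "password", name: "password", autocomplete: "new-password",
    required: true,
  },
  // 2FA step: numeric keypad on mobile (inputmode), digit-only pattern, and
  // "one-time-code" so the platform can offer a received code for autofill.
  oneTimeCode: {
    type: "text", name: "code", autocomplete: "one-time-code",
    inputmode: "numeric", pattern: `[0-9]{${OTP_LENGTH}}`,
    maxlength: String(OTP_LENGTH), required: true,
  },
};

function renderField(purpose) {
  const attrs = FIELDS[purpose];
  if (!attrs) throw new Error(`unknown field purpose: ${purpose}`);
  return renderInput(attrs);
}

// Server-side check mirroring the `pattern` attribute. The browser-side
// constraint is trivially bypassed (curl, devtools), so the same rule is
// re-applied here before the code is compared with the expected value.
function isWellFormedOtp(code) {
  return typeof code === "string" &&
    new RegExp(`^[0-9]{${OTP_LENGTH}}$`).test(code);
}

// Print the rendered inputs when run directly.
for (const purpose of Object.keys(FIELDS)) {
  console.log(renderField(purpose));
}
```

The `name` attribute is reused for both password fields because they live on different forms (login versus sign-up); what distinguishes them for the password manager is the autocomplete token, not the name.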
        
       | skunkworker wrote:
       | I wish more sites would follow these protocols. When you have a
       | numeric 2FA with a regular keyboard it feels less polished.
        
       | tobyhinloopen wrote:
       | Didn't we just learn you shouldn't use SMS 2FA?
        
         | sneak wrote:
         | Twilio offers a service to send SMSes via an API. Of course
         | they're going to tell you to use this.
        
         | sansnomme wrote:
         | For low-stakes auth or simply duplicate user prevention SMS is
         | sufficient. E.g. dating apps, sharing economy services,
         | e-commerce sites.
        
         | reaperducer wrote:
         | A lot of people say that. But SMS 2FA is better than nothing.
        
           | JshWright wrote:
           | Is it though? Implementing SMS 2FA often means a site will
           | never bother implementing anything better.
        
             | jimbobimbo wrote:
             | Not implementing SMS 2FA doesn't mean a site would
             | implement anything either.
        
           | hombre_fatal wrote:
           | Nope, not if it introduces common customer support backdoors.
        
             | robbya wrote:
             | Sure, everything that has a backdoor is bad. But what does
             | that have to do with SMS 2FA?
             | 
             | Surely SMS 2FA (without a backdoor) is better than nothing.
             | Sites should still offer something better than SMS for 2FA
             | as it has widely documented issues. But as an end user
             | presented with SMS 2FA or no 2FA; SMS 2FA is the safer
             | option.
             | 
             | Is there a reason to assume an arbitrary SMS 2FA
             | implementation would have a back door? That would be news
             | to me.
        
             | zulln wrote:
              | If access to the phone number is enough, with no password
              | needed, then it is no longer 2FA.
        
         | philnash wrote:
         | SMS 2FA is still stronger than no 2FA.
        
         | 9HZZRfNlpR wrote:
          | Taking over accounts is mainly an American thing; the rest of
          | the world is using the same method to identify yourself to a
          | telecom company: by providing your ID card or passport.
        
       | notlukesky wrote:
       | SAASPASS has a much better 2FA user experience on the mobile
       | phone than SMS including URL callback to the 2FA app and app to
       | app with SDK. For desktop environments configurable MFA methods
       | include scanning encrypted barcodes and push login. More on the
       | developer environment is here:
       | 
       | developer.saaspass.com
       | 
       | I work for an IAM consultancy/reseller and work on SAASPASS
       | implementations.
        
       | philnash wrote:
       | Hello! I'm the author of this article. Thanks for posting! Here's
       | to the power of HTML attributes and better sign in experiences
       | for everyone.
        
         | sneak wrote:
         | I know you're probably paid to do so, but please stop
         | recommending that site operators use SMS for a second factor.
         | 
         | https://www.issms2fasecure.com/
        
           | philnash wrote:
            | I'm actually paid to say that too ;). In fact, SIM swapping
            | isn't the only weakness of SMS; take a look into the SS7
            | network and how that allows a rogue operator to redirect
            | SMS messages too.
           | 
           | At Twilio, we have APIs for two factor authentication and we
           | recommend implementing via push notification to the Authy app
           | with "approve" and "deny" buttons. This is more secure and a
           | better experience than SMS. The API also allows for regular
           | app based 2FA, with a TOTP code, which is more secure than
            | SMS. But it also allows you to fall back to SMS, which is
            | still more secure than no 2FA.
           | 
            | You do have to consider the threat model for your own
            | application when considering these sorts of security measures.
            | If the value of an account takeover is high then a targeted
            | attack can, and will, break SMS 2FA, which is why the Twilio
            | 2FA API allows you to turn off SMS 2FA if you choose.
           | 
           | Ultimately I'd prefer SMS over nothing when it comes to 2FA,
           | but I also encourage developers to use more secure options
           | that can also have a better experience.
        
             | jxcl wrote:
             | If you allow fallback to SMS instead of TOTP, your solution
             | may be more secure than no 2FA, but it's no more secure
             | than SMS either.
        
               | philnash wrote:
               | But as I said towards the end of the previous comment, if
               | you deem the threat to your users great enough that
               | targeted SMS attacks are a problem, you can turn off that
               | fallback.
        
       ___________________________________________________________________
       (page generated 2020-01-11 23:00 UTC)