After the hacking of a former Gizmodo writer’s Apple account, a lot of discussion has been going on concerning turning on two-factor authentication on services like Google Apps. I absolutely recommend doing so, but I also think that’s not enough. A good majority of the people who read this blog are creators of webapps of some description. It’s time for us to start building two-factor authentication into our products.
Off the top of my head, I know of two well-documented methods of implementing two-factor auth, and after some googling I found one more:
Authy - They launched a few days ago, but their API looks really solid. For most people (meaning webapps with under 100,000 users), this service is free, too.
AlterEgo - The venerable team behind MailChimp built this one. I’ve used it on my MailChimp account for a while now, and it hasn’t ever caused me any problems. The main draw of this is that it’s completely free.
Duo Security - This looks by far to be the most comprehensive solution, but it comes at a price. They have a free tier, but unless you have fewer than 10 users on your application, this won't cut it.
Google Authenticator (thanks @tbyehl) - The Google Authenticator app uses open standards and can be used by anyone. The upsides of this implementation are that it’s free and people who use two-factor auth most likely already have the Google Authenticator app on their phones.
(Did I miss a service? Ping me on Twitter if you know of any more)
Not every webapp needs two-factor authentication. It's up to you to gauge whether or not the data on your service needs this much security. But, if you have some spare development time, it doesn't hurt to add one of these services as an option. Oh, and I beg of you: use a password manager.
Let's hope Apple steps up its game, but just because they haven't yet doesn't mean you shouldn't.