Two Factor Authentication (2FA)

in-development

#22

Just wanted to put a vote in for token based OTPs vs SMS based OTPs.


#23

No to sms. Yes to alternatives.


#24

Any update on this?


#25

Not yet unfortunately but this is still high on priority.


#28

Thanks for quick response :call_me_hand:t5:


#29

I already have to keep 2 different authentication apps not mentioned in the poll for other entities. Would really like not to have another. SMS is best.


#30

SMS is not as secure as using app auth (i.e. Google Authenticator).


#31

If not SMS, then Duo Mobile or FreeOTP please.


#32

I, too, prefer 2FA methods (Google Authenticator, Okta, YubiKey) other than OTP. OTP is susceptible to MitM attacks.


#33

However, in retrospect, I would actually prefer some sort of biometrics for accessing the app. Most modern phones now support facial, retinal, and/or fingerprint recognition.


#34

That is what I’m hoping for, so when I open the Wyze app I’ll be asked to use Face ID to access the home page.

Here is the Apple developer documentation on it:

https://developer.apple.com/documentation/localauthentication/logging_a_user_into_your_app_with_face_id_or_touch_id


#35

Voted for Google Authenticator, but Duo Mobile is also a great option. Duo has great resources for developers looking to integrate 2FA. That said, if SMS is easier to implement immediately I’d rather have weak SMS 2FA than no 2FA at all until a token-based method can be implemented.

I’m also in favor of having email notifications for any account changes like new app sign-ins and cameras added/deleted/shared. Many online services already do this and it’s a relatively simple backend change.

I’m less concerned about locking down the app on my phone with biometrics etc., since that’s already required to unlock the phone itself. Unless you typically hand over your unlocked phone to other people, I don’t see why you would need a separate lock on the app.


#36

I agree with you; I wouldn’t mind the SMS for now, but hopefully they do move into using tokens, because I run all of my supported 2FA apps through Google Auth and it’s super convenient to have everything all in one place.

When it comes to having biometrics, I prefer having the extra security, for example if my phone gets taken or someone I lend my phone to gets curious. It’s not a priority feature but would be nice to have eventually.


#37

Whatever method is chosen, for me it is a must-have to have the option that it not be required every time you use the app, but only for logins on unknown/new devices.

My phone is already locked down biometrically. I don’t need to be asked to unlock the app every time.


#38

For me it isn’t an issue to have a second biometric lock, due to how fast and easy it is to use Face ID. I could see it becoming annoying if you have a phone that doesn’t have Touch ID/Face ID and have to enter a PIN each time, but that’s why they can make the feature only be enabled if you toggle it on.


#39

Regarding your poll, and the data in your spec document: a little flawed for data collection. Google Authenticator, LastPass Authenticator and Authy use similar enrollment methods. Yes, you can integrate with some to push approvals to the device, but all support the same QR code based enrollment to deliver a rolling code back to you.

Better to skip SMS / email notifications, unless you are looking for a simple checkbox to say you have the feature. They are both clunky, and SMS is insecure. The industry is moving toward token / app code based authentication for a reason. Any way you look at it, placing it as a tier 3 priority is a miscategorization in my opinion.


#40

What about FIDO2 and U2F?


#41

Hello, Community Members…

For those of you that would like to attain a better understanding regarding the pros/cons of different authentication methods, but are too hesitant to ask… I listed two articles below for your convenience.

…and…

NOTE: If these articles are not appropriate to list in the forum, then @Loki or other moderator can remove this post.


#42

Completely agree. SMS is only a short-term solution with known vulnerabilities. It would be better to develop 2FA with authenticator app support from the start, with eyes on long-term support for the standard. Also, and I might be wrong, but I’m pretty sure that 2FA through authenticator apps would have lower running costs than having to maintain a service to send SMS tokens to customers.