keybase-issues
Feature request: Multi-factor authentication
:thumbsup:
:+1:
:thumbsup:
:thumbsup:
+1
+1
+1 - in particular, TOTP support
+1
+1
+1
+1
+1
To follow up on the discussion in #347 but move it to the currently open issue…
I would be strongly in favor of supporting Google Authenticator, even if it's not the "default" or only app supported, for the sole reason that Authy (or a competitor like Duo Security) requires my smartphone—and Google Authenticator does not, because I can have PebbleAuth on my wrist.
For better or for worse, I've resisted using Authy, because I don't particularly like the idea of adding Yet Another App™ to my phone. I'm not sure I'd categorize Google Authenticator as "rapidly becoming abandonware" as @MattSurabian said, either—the last Android release was in December, which isn't that long ago. (I can't speak for other platforms.)
This isn't to say that only Google Authenticator will make me happy. Basically, if I can add the key to my existing app (Google Authenticator) and PebbleAuth, whatever you guys go with is fine. I just personally have a lot of inertia in the apps that I use now, and having to use something different for Keybase would probably result in me just not setting up 2FA—not an ideal outcome.
They've already decided to use Authy for MFA, which is really great because those of you who are using Google Authenticator wouldn't need to bother changing, and Authy is already fairly ubiquitous.
I did "See here"—that's #347, which I specifically said I was following up. That doesn't read as having "decided to use Authy", though—it sounds like a developer saying what he'd like to do and asking if that's OK with the users.
As previously stated, anything with a code I can enter into Google Authenticator and PebbleAuth for TOTP generation works for me. Authy or otherwise. Just as long as I'm given the option and not required to set up MFA (that still reads as "Master of Fine Arts" to me) using only the Authy app—or whatever ends up being the preferred solution.
I wrote up a little wiki doc with thoughts on an implementation. Let me know if you spot any flaws or shortcomings.
Seems rather solid to me. I don't think anyone is expecting a perfect security scenario, and if they are, they should really reevaluate their life's goals.
Looks pretty solid. I note that there is no "backup code" mechanism as provided by Google, Dropbox, and some other services—but providing one might not be desirable, as such backup codes are usually static (unless reset by the user) and could therefore potentially be brute-forced over time.
This is true, dgw, but Authy automatically backs up these codes to their secure cloud servers to be downloaded by you at a later date. So that's something to look out for if that feature is undesirable for you.
I would really rather use Duo's service. I hate dealing with TOTP but at least Authy makes it somewhat tolerable.
Hi, still no ETA for 2FA? Being a security thing, I think 2FA should be mandatory for a service like this. Cheers
Indeed, coming up on a year waiting for this feature.
Have you thought about whether U2F would be suitable?
Duo's one touch authentication is a wonderful improvement over numerical 2FA. U2F looks very promising too…
I can personally attest to this. I really love my 2FA key, although the only service that supports it is Google right now, which is obviously a detriment to its usability.
Duo link (I had not heard about it). Looks nice!
Yubikey Edge also looks fine and fully supports U2F. Even GA will be enough for a start.
+1
+1
:+1: - especially Ubikey/U2F.