One of my jobs is browbeating people to turn on 2-Step Verification, and it’s working; more and more people are. Today I learned that we’ve got some open-source technology you can use to add 2-factor to your own app.
Please Get Safe · Seriously, if you haven’t already, and if someone hacking your Google account would screw up your life, then start here right now and come back after you’ve turned it on. I’ll wait.
What, you didn’t do it? You’re not convinced? You think it’ll be inconvenient? Wrong. It’s super-smooth; every so often, when Google asks you to refresh your login, it’ll ask you to enter a number that we send you by SMS. Don’t like SMS? No problemo, just grab the Google Authenticator app for your Android or Blackberry or iOS device, and it’ll generate a code locally.
It’s just not inconvenient. What is inconvenient is having to apologize to everyone when your account gets hacked and your friends all get spammed or worse, scammed. So please, get on board.
Add It To Your App · I don’t think that apps should be doing their own authentication, I think they should be farming that out to Identity Providers, the better to preserve the sanity of their users. But if you really must authenticate people, give serious thought to offering 2-factor.
It turns out that your app can use Authenticator too; it works with those OATH TOTP constructs. (Yes, that’s OATH not OAuth, life is confusing.) Dropbox is already doing this, so you’d be in good company.
Authenticator is also an open-source project, which makes it easier to be confident about what it does and how it works. Also, it would be perfectly reasonable and OK for you to fork it (Apache license) for your own purposes.
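To make the "OATH TOTP constructs" concrete, here is an added example (not code from the post, nor from the Google Authenticator project) of the server side of what an app has to do: generate a secret, hand it to Authenticator as an otpauth URI, then verify the six-digit codes it produces. It implements the TOTP algorithm of RFC 6238 (HMAC-SHA1 over a 30-second time counter) using only the Python standard library; the secret, account and issuer names are constructed for the example, and the `window` parameter is an assumed design choice for tolerating clock drift between the phone and the server.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time // step."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits)


def new_secret(num_bytes: int = 20) -> bytes:
    """Fresh random shared secret; 160 bits matches the SHA-1 HMAC block."""
    return secrets.token_bytes(num_bytes)


def encode_secret(secret: bytes) -> str:
    """Authenticator expects the secret as unpadded base32."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def decode_secret(encoded: str) -> bytes:
    """Accept the base32 form back, tolerating spaces, lower case and no padding."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI that Authenticator reads from a QR code."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={encode_secret(secret)}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def verify_totp(secret: bytes, code: str, for_time: Optional[int] = None,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Check a submitted code against the current step and `window` steps
    either side (clock drift). Uses a constant-time comparison so the check
    leaks nothing about which digits matched. A real deployment should also
    refuse to accept the same code twice within its validity window."""
    if for_time is None:
        for_time = int(time.time())
    if len(code) != digits or not code.isdigit():
        return False
    for delta in range(-window, window + 1):
        candidate = totp(secret, for_time + delta * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    # Enrolment: generate a secret, show the URI (normally rendered as a QR code).
    secret = new_secret()
    print(provisioning_uri(secret, "alice@example.com", "ExampleApp"))  # constructed names
    # Login: what the phone shows right now, and whether the server accepts it.
    code = totp(secret)
    print(code, verify_totp(secret, code))
```

The RFC 6238 test vectors (secret `12345678901234567890`, SHA-1) make a good self-check when wiring this into an app: at T=59 the code is 287082, at T=1111111109 it is 081804. Keep the server clock NTP-synced; the `window` of one step on either side covers ordinary drift without widening the guessing surface much.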