TrainerRoad 2FA? (2-Factor Authentication)

+1

Bumping this again.

@Nate_Pearson - I’ve heard you talk about quick wins on the podcast before. This really feels like something you could do a spike on to integrate an off-the-shelf RFC 6238-compliant TOTP library into your existing auth flow with Authy, or Duo, or Google Authenticator, or whatever fits best into your stack.

Speaking from experience, these things are trivially easy to implement into web apps these days, and it would be a pure win.

Appreciate there would need to be a bit of support team training, and maybe some build out of your admin internal interface to allow unpairing of tokens without having to have some SRE go in and manually do an SQL update to fix someone’s account, but that stuff isn’t too difficult. This is something you could put behind early access with all the caveats that come with that.

This is just a feature that needs to be considered table stakes these days - especially when we’re talking about health information. There’s a reminder almost every day about why these things matter, most recently Uber.

@Nate_Pearson A good time to support Passkeys. Code to where the puck is going. You could be one of the first companies to support them.

If they ever add SMS-based 2FA to the site, and you’re not keen on giving out your real number, anonymsms is a good workaround. I’ve used it a few times for stuff like this, no login, just pick a number and wait for the code to show up. Makes life easier when you want the extra security layer but not the spam that sometimes follows.

Bump. I mean I’d never use anything other than a passkey. However, echoing the sentiment.

Glad to see this thread is still going. I can’t believe nothing has been done though. Disappointing.