@streaky81 wrote:
2. It's a million miles from an ideal solution but it should be the absolute minimum standard supported. It has fairly serious security weaknesses that are almost impossible to mitigate though.
3. People should be prepared to get willing. U2F tokens are cheap and this is the standard that's coming down the hill - it's far more secure against well funded and determined actors than TOTP (et al) and cheaper and easier to impliment than other crypto token device support and far more user friendly. Be prepared to buy two - one for backup - whilst you're at it. It's also supported by all the major browsers people care about (Chrome/Firefox and I believe there's Opera support also).
4. SMS isn't even close to fit for purpose, there's been occasions where people have had their phone accounts moved to a third party device for way less serious reasons than having money stolen.
2. TOTP (Google Authenticator): With respect, the security issues are not significant to everyday users. The biggest obstacle is the hassle factor (see below). PayPal should nonetheless use it to replace the seriously flawed Symantec VIP.
3. U2F: With respect, people won't change. Given a choice between convenience (freedom from hassle) and security (hassle), most people will choose convenience. That's why the most common password is 123456. The better alternative is TOTP because there is at least some chance that people will actually use it.
4. SMS: Agreed.
My own experience is a case in point. I recently tested a YubiKey NEO, and abandoned it almost immediately. Too much pain for too little gain. And I'm a technologist. My clients would never use it.
