We need some guidelines for proper 2FA implementation. The Instagram 2FA has a quirk where they don't prompt the user to write the phone number registered on the account before sending the SMS. This means I get like 20 password resets on my phone daily. In an ideal world I would use a token 2FA instead of SMS, but that is not supported either. If anybody from Facebook/Instagram can pass this feedback along, it will be appreciated.
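The flow the comment above describes, as an added example (not Instagram's code, nor code posted by anyone in this thread): a reset handler that sends an SMS as soon as a username is typed, beside a hardened handler that only sends when the requester also supplies the number already on file, returns the same reply on every branch so neither the username's existence nor the phone match leaks, and rate-limits sends per account. The account directory, phone numbers, `ACCOUNTS`, `SMS_OUTBOX` and the function names are all constructed for illustration.

```python
"""Password reset by SMS: the behaviour described in the thread next to a
version that requires the requester to know the registered number first.

Added example; the sample accounts, numbers and names are constructed and
do not describe any real site's implementation."""
import hmac
import re
import secrets
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    phone_e164: str  # registered number in E.164 form, e.g. "+15555550123"


# Constructed sample directory; no real users.
ACCOUNTS = {
    "alice": Account("alice", "+15555550123"),
    "bob": Account("bob", "+15555550199"),
}

SMS_OUTBOX = []  # stands in for the SMS gateway so the example runs offline
UNIFORM_REPLY = "If the details match an account, a reset code has been sent."

# Per-account sliding window: at most MAX_SENDS codes per WINDOW_SECONDS,
# so even someone who knows the number cannot flood the phone.
MAX_SENDS = 3
WINDOW_SECONDS = 3600
_send_times = defaultdict(deque)


def normalize_phone(raw: str) -> Optional[str]:
    """Reduce user input to '+' plus digits (E.164); None if it cannot be."""
    digits = re.sub(r"[\s().-]", "", raw.strip())
    return digits if re.fullmatch(r"\+[1-9]\d{6,14}", digits) else None


def _send_sms(to: str, body: str) -> None:
    SMS_OUTBOX.append((to, body))


def _allowed(username: str, now: float) -> bool:
    """Record a send for this account unless the window is already full."""
    q = _send_times[username]
    while q and now - q[0] >= WINDOW_SECONDS:
        q.popleft()
    if len(q) >= MAX_SENDS:
        return False
    q.append(now)
    return True


def _new_code() -> str:
    return f"Your reset code is {secrets.randbelow(10**6):06d}"


def request_reset_naive(username: str) -> str:
    """The quirk from the thread: a username alone triggers an SMS to the
    number on file, so anyone can make a stranger's phone buzz at will."""
    acct = ACCOUNTS.get(username)
    if acct is not None:
        _send_sms(acct.phone_e164, _new_code())
    return UNIFORM_REPLY


def request_reset(username: str, claimed_phone: str, now: float) -> str:
    """Hardened flow: the requester must supply the registered number.
    Every branch returns the same text; the comparison runs against a
    dummy value for unknown users so the two failure cases look alike."""
    acct = ACCOUNTS.get(username)
    claimed = normalize_phone(claimed_phone)
    on_file = acct.phone_e164 if acct is not None else "+10000000000"
    if (
        claimed is not None
        and hmac.compare_digest(claimed, on_file)
        and acct is not None
        and _allowed(username, now)
    ):
        _send_sms(acct.phone_e164, _new_code())
    return UNIFORM_REPLY
```

The naive handler is exactly what produces the daily unsolicited resets: the only input it needs is a username. The hardened handler turns the phone number into something the requester must already know, and the uniform reply plus the dummy comparison keep the form from doubling as an account-enumeration or phone-confirmation oracle.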
> We need some guidelines for proper 2FA implementation.
I could not agree more. I write a lot about 2FA on my site, All Things Auth [1], and do teardowns of 2FA implementations for sites.
In March, we featured Zapier [2] in a screencast episode and a 5-post series digging deep into their 2FA implementation and related topics. I highlighted some things they are doing well and also made suggestions on how they could improve.
I plan to continue doing teardowns for 2FA implementations from many different types of sites. I plan to create a definitive guide to aggregate 2FA implementation best practices.