Lead engineer at MailChimp here. Funny you should mention it, but tomorrow we're going to be launching Google Authenticator and YubiKey integrations with AlterEgo so you can use those as you like. We're also working on a Duo integration, but no ETA there.

BTW, Duo's android app now supports adding TOTP accounts, same as Google Authenticator does (though I'm not sure about QR code support).

Duo's app is actually better than GA by allowing rearrangement of accounts, which is a long-standing open bug in GA.

Is that the rearranging bug on iOS? Stupid workaround: Visit the legal button, then try rearranging.

On iOS, at least the iphone version I just installed on an ipad to test, accounts can be rearranged in GA.

On Android, there is no rearrangement possible. There's no "edit" button like there is on the ios version, that enables dragging accounts around.

https://code.google.com/p/google-authenticator/issues/detail...

neat, announce that tomorrow again and i'll set it up :)

See Google Reader. When you create your own solutions, you don't have to worry about somebody else changing the rules down the road.

Google Authenticator is opensource[1] and implements a standard.

[1] https://code.google.com/p/google-authenticator/

Google Authenticator is also used by Amazon for AWS and LastPass.

There's a page[1] describing why they created AlterEgo.

They basically claim everything else was too difficult for people to use - which is funny considering the other companies[2] using Google Authenticator. They also call it "1.5-factor authentication", which is kind of unsettling.

AlterEgo is a closed-source online-only service provided by MailChimp, while Google Authenticator is an offline, open-source, standards-based, two-factor security solution that anyone can implement on a wide range of platforms. You'd have to want less compatibility, less reliability and less security to use AlterEgo.

[1] http://blog.mailchimp.com/introducing-alterego-1-5-factor-au...

[2] http://en.wikipedia.org/wiki/Google_Authenticator#Usage

Google Authenticator integration wasn't an option when they launched Alter Ego. https://news.ycombinator.com/item?id=5446230

It's funny they say that, because google authenticator's git repo has commits going back to 2010, and AlterEgo was launched in 2011. Could be a coincidence though.

Edit: Nope. Just confirmed Google Authenticator was released in February 2011 [1], and AlterEgo was released May 2011 [2].

[1] http://techcrunch.com/2011/02/10/google-rolls-out-two-factor...

[2] http://blog.mailchimp.com/introducing-alterego-1-5-factor-au...

GA is just the better known implementation of OATH/TOTP. There are independent third-party implementations; I use a J2ME one, which works fine even with Google's own webapps.

If you follow that rationale your going to enter a spiral of reinventing wheels ad infinitum.

Just make sure that whatever you rely on can be substituted for another system and you're good to go. You depend on that service but on the off chance that it's discontinued your business is not at risk.