| Website | 2FA option 1 | 2FA option 2 | 2FA option 3 | 2FA option 4 | Password recovery (PR) | Notes | Response |
|---|---|---|---|---|---|---|---|
| (ISC)2 | Authenticator | Authenticator; SMS | SMS; PKQ | Authenticator; PKQ | PR email | backup signup available | |
| Acquia | Authenticator; SMS | SMS | Authenticator | | PR email | backup signup recommended | |
| Adafruit | Authenticator; SMS | SMS | Authenticator | | PR email | SMS backup signup recommended | |
| Adobe ID - reported fixed | Email | Email; SMS; Authenticator | Email; SMS | | PR SMS; PR email | email 2FA mandatory | reported as fixed; this row represents our original finding |
| Airtable | SMS; Authenticator | SMS | | | PR email | SMS 2FA mandatory | |
| Allegro | SMS | Authenticator; SMS | | | PR email | SMS 2FA used as mandatory backup | |
| Ally Bank | | | | | PR SMS | Restriction - bank account required for account creation | |
| Amazon | SMS | SMS; Authenticator | Authenticator | | PR SMS; PR email | backup signup available | closed as won't fix |
| Amazon Web Services | Authenticator | U2F | | | PR email | SMS 2FA still used but no longer enrollable | |
| Ancestry | SMS | | | | PR email | | |
| Aol Mail | SMS; Email | | | | PR SMS; PR email | automatic email backup signup using email on file; 1-step login with OTP available | no response |
| Apple | Proprietary; SMS | | | | PR linked device | SMS backup signup mandatory; 2FA cannot be disabled once set | |
| Atlassian | Authenticator | SMS | | | PR email | | |
| Autodesk | Authenticator; Email | SMS; Email | | | PR email | automatic email backup signup using email on file | |
| Backblaze | SMS | Authenticator | Authenticator; SMS | | PR email; PR SMS only if SMS 2FA is not enabled | | |
| Betterment | SMS | SMS; Authenticator | | | PR email | SMS 2FA mandatory; backup signup available | |
| BiggerPockets | SMS | SMS; Authenticator | | | PR email | SMS 2FA mandatory; backup signup available | |
| Bitflyer | Email | Authenticator | SMS | | PR email | | |
| Bithumb | SMS | Authenticator | | | PR email | initial SMS 2FA signup mandatory; 1-step login with OTP available if SMS 2FA is enabled | |
| Bitlish | SMS | Authenticator | | | PR email | | |
| Bitly | SMS | | | | PR email | | |
| bitwarden | Authenticator | Authenticator; Email | SMS | U2F | PR email | SMS 2FA available with premium membership | |
| Blizzard - fixed without reporting | Proprietary; Email; SMS | | | | PR SMS; PR email | automatic SMS backup signup using phone number on file; automatic email backup signup using email on file; proprietary app can be disabled with SMS | template acknowledgement; later fixed the issue without notifying us; this row represents our original finding |
| Blockchain | Authenticator | U2F | SMS | | PR seed | | |
| Booking.com | SMS; Email | | | | PR email | automatic email backup signup using email on file | |
| Box | SMS | | | | PR email | | |
| BTC BOX | Authenticator | Authenticator; SMS | SMS | | PR email | SMS 2FA improperly configured, does not manifest | |
| Buddy | SMS | Authenticator | | | PR email | | |
| Buffer | SMS | Authenticator | | | PR email | | |
| Buycraft | Email | Authenticator; SMS | | | PR email | initial email 2FA signup mandatory; SMS 2FA used as mandatory backup for authenticator 2FA | |
| CEX.IO | Authenticator | SMS | | | PR email | | |
| Circle | SMS | Authenticator | | | PR email | initial SMS 2FA signup mandatory | |
| Cisco Meraki | SMS | Authenticator; SMS | | | PR email | SMS 2FA used as mandatory backup | |
| Cloze | SMS | Authenticator | | | PR email | | |
| CM Telecom | SMS | Proprietary; SMS | | | PR email | automatic SMS backup signup using phone number on file | |
| Coinbase | U2F | Authenticator | SMS | | PR email | already explicitly recommends against SMS 2FA, explanation provided but not directly linked | |
| CoinDeal | SMS; Authenticator | | | | PR email | SMS 2FA used as mandatory backup | |
| Coinjar | Authenticator | Authenticator; SMS | SMS | | PR email | Recommends against SMS but labels authenticator as 'advanced' | |
| Coinspot | Authenticator | SMS | | | PR email | Already explicitly recommends against SMS 2FA | |
| Comcast | | | | | PR SMS; PR email | Restriction - utility service required for account creation | |
| Con Edison | | | | | PR SMS; PR email | Restriction - utility service required for account creation | |
| Cosmolex | SMS | | | | PR email | | |
| Delighted | SMS; Email | | | | PR email | automatic email backup signup using email on file | |
| DigitalOcean | Authenticator; backup code | Authenticator; SMS | SMS; backup code | SMS; Authenticator | PR email | backup signup available | |
| Discord | Authenticator; SMS | Authenticator | | | PR email | authenticator 2FA mandatory; SMS backup signup recommended | |
| Docusign | Authenticator; SMS; Email | SMS; Email | Email | | PR email | email 2FA used as mandatory backup; required 2 combined phone number/email backup minimum | |
| Dropbox | SMS | Authenticator; SMS | Authenticator | Authenticator; U2F | PR email | SMS backup signup recommended | |
| Dynadot | Authenticator | SMS | Authenticator; SMS | | PR email | backup signup available | |
| easyDNS | Authenticator | SMS | Email | | PR email | | |
| eBay - reported fixed | Proprietary; Email | SMS; Email | | | PR SMS | automatic email backup signup using email on file; 1-step login with OTP available if 2FA is not enabled | reported as fixed; this row represents our original finding |
| Electronic Arts (Origin) | Authenticator; Email | SMS | Email | | PR email | backup signup available; backups cannot be disabled once set | |
| Etsy | Authenticator | SMS | Phone | | PR email | | |
| Evernote | Authenticator | SMS | | | PR email | SMS 2FA available with Evernote Premium | |
| Facebook | Authenticator | SMS | U2F | | PR SMS only if 2FA is not enabled; PR email | | |
| FastMail | Authenticator | U2F | | | PR SMS only if 2FA is not enabled; PR email only if 2FA is not enabled | Outdated - no SMS 2FA | |
| Figma | Authenticator | Authenticator; SMS | SMS | | PR email | backup signup available | |
| Finnair | SMS | Authenticator; SMS | | | PR SMS; PR email | automatic SMS backup signup using phone number on file | no response |
| Fiverr | Proprietary; Email; SMS | | | | PR email | | |
| Flywheel | Authenticator | SMS | | | PR email | | |
| FollowMyHealth | Authenticator; Email; SMS | | | | PR email | automatic SMS backup signup using phone number on file; automatic email backup signup using email on file; backups cannot be disabled once set | |
| Formstack | Authenticator; SMS | SMS | Authenticator | | PR email | SMS backup signup recommended | |
| FreeTaxUSA | SMS; Email | Authenticator; SMS; Email | Authenticator; Email | Authenticator; SMS | PR SSN | initial SMS 2FA signup mandatory; initial email 2FA signup mandatory | |
| Gaijin Entertainment | Authenticator; SMS | Authenticator; Email; SMS | | | PR email; PR SMS | SMS 2FA used as mandatory backup; using SMS disables 2FA altogether | did not understand |
| Gemini | Authy | SMS | U2F | | PR email | initial SMS 2FA signup mandatory, permanently switches to Authy if installed | |
| GitHub | Authenticator | Authenticator; SMS | SMS | U2F | PR email | SMS backup signup available | |
| GoCardless | SMS | | | | PR email | | this row represents our original finding |
| GoDaddy | SMS; Authenticator; U2F | SMS; U2F | Authenticator | SMS | PR email | backup signup recommended | |
| Google | SMS; Authenticator; U2F | Authenticator | Proprietary; U2F | SMS; U2F; Proprietary | PR email; PR SMS only if SMS 2FA is not enabled; PR manual review | | |
| Grape | SMS | Authenticator | | | PR email | | |
| GroupMe | SMS | | | | PR email | | |
| Guild Wars 2 | Email | SMS | Authenticator | | PR email | initial email 2FA signup mandatory | |
| Gusto | SMS | Authenticator | | | PR email | | |
| HashiCorp Terraform Enterprise | Authenticator; SMS | Authenticator | SMS | | PR email | SMS backup signup recommended | |
| HashiCorp Vagrant Cloud | Authenticator; SMS | Authenticator | SMS | | PR email | SMS backup signup recommended | |
| HelloSign | Authenticator | SMS | | | PR email | SMS 2FA available with upgrade | |
| Hover.com | Authenticator | SMS | | | PR email | | |
| HubSpot | Authenticator; SMS | Authenticator | SMS | | PR email | backup signup recommended | |
| Hushmail | Authenticator; SMS; Email | SMS; Authenticator | Email | Authenticator | No PR | No PR; all schemes selected by default | |
| ID.me | SMS | Authenticator; SMS | Authenticator; Proprietary | Proprietary; U2F | PR email | backup signup available | |
| IFTTT | Authenticator | SMS | | | PR email | | |
| Infomaniak | Proprietary | SMS; Email; U2F | Proprietary; U2F | | PR email | backup signup available | |
| Instagram | SMS | Authenticator | SMS; Authenticator | | PR email | backup signup available | |
| Intuit TurboTax | SMS | SMS; Authenticator | | | PR email; PR SMS only if 2FA is not enabled; PR PII | SMS 2FA used as mandatory backup; 1-step login with OTP available if 2FA is not enabled | |
| Jottacloud | Authenticator | SMS | | | PR email | | |
| Justworks | Authenticator; SMS | Authenticator; Email | SMS; Email | Email | PR email | | |
| Keeper | SMS | Authenticator | | | PR email | other 2FA options available with enterprise plan | |
| Kickstarter | Authenticator; SMS | SMS | | | PR email | SMS 2FA mandatory; backup signup recommended | |
| LinkedIn | Authenticator | SMS | | | PR SMS only if 2FA is not enabled; PR email | | |
| LogMeIn | Authenticator; SMS | Authenticator; Email | SMS; Email | | PR email | backup signup mandatory | |
| Mail.Ru | SMS | SMS; Authenticator | Authenticator | | PR email; PR SMS only if 2FA is not enabled | initial SMS 2FA signup mandatory | |
| MailChimp | SMS | Authenticator | | | PR SMS; PR email | | no response |
| MathWorks | Authenticator | SMS | Email | SMS; Authenticator | PR email | backup signup available | |
| Mercado Libre | Proprietary | SMS | Authy | Proprietary; SMS | PR email | backup signup available; Authy 2FA disables all backup schemes | |
| Microsoft - fixed without reporting | Authenticator; SMS; Email | | | | PR SMS; PR email | automatic SMS backup signup using phone number on file; automatic email backup signup using email on file | did not understand; later fixed the issue without notifying us; this row represents our original finding |
| Minds | SMS | | | | PR email | | |
| Mixpanel | SMS; Authy | | | | PR email | automatic Authy backup signup using phone number on file | |
| MongoDB Cloud Manager | Authenticator | Authenticator; SMS | SMS | | PR email | SMS backup signup available | |
| Namecheap | Authenticator | U2F | SMS | Proprietary | PR email | initial SMS 2FA signup mandatory for proprietary 2FA signup | |
| Newegg | SMS; Email | SMS; Authenticator | Email; Authenticator | | PR email | backup signup mandatory | |
| Nexmo | SMS | | | | PR email | | |
| Nimbox | Authenticator | SMS | Email | | PR email | | |
| Norton | Proprietary; SMS | SMS; U2F | Proprietary; U2F | | PR email | backup signup mandatory | |
| Okta | Proprietary | SMS; Proprietary | PKQ; Proprietary | | PR email | proprietary 2FA mandatory; backup signup available | |
| Online.net - reported fixed | Authenticator | SMS | | | PR SMS; PR email | SMS 2FA available for French residents only | reported as fixed; this row represents our original finding |
| Patreon | SMS | Authenticator | | | PR email | | |
| Paychex | | | | | PR SMS; PR email | Restriction - enterprise signup only | |
| PayPal | SMS; Authenticator | Authenticator | SMS | | PR SMS; PR email | backup signup recommended | did not understand |
| Paytm | | | | | PR SMS | Restriction - non-U.S. phone number required for account creation | |
| PCloud | SMS | Authenticator | | | PR email | | |
| Personal Capital | | | | | PR SMS; PR email | Restriction - cannot sign up for 2FA without adding financial accounts | |
| Pinterest | SMS; Authy | | | | PR email | automatic Authy backup signup using phone number on file | |
| Plastiq | SMS | | | | PR email | | |
| Playstation Network | SMS | | | | PR email | | |
| Questrade | SMS; Email | | | | PR email | SMS 2FA mandatory; email 2FA used as mandatory backup | |
| RBCommons | Authenticator | SMS | Authenticator; SMS | | PR email | SMS backup signup available | |
| Recurly | Authy | SMS | | | PR email | initial SMS 2FA signup mandatory, permanently switches to Authy if installed | |
| Repairshopr | Authenticator; SMS | Authenticator | | | PR email | SMS backup signup recommended | |
| Ring | SMS | | | | PR email | | |
| Robinhood | SMS | Authenticator | | | PR email | | |
| RoboForm | Email | SMS | Authenticator | | PR email | | |
| Salesforce | Authenticator; SMS | Proprietary; SMS | U2F; SMS | | PR email | SMS 2FA used as mandatory backup | |
| Samsung | SMS | | | | PR email | | |
| SecureSafe | SMS | | | | PR seed | 2FA available with subscription upgrade | |
| Sentry | Authenticator; SMS | Authenticator | SMS | U2F | PR email | SMS backup signup recommended | |
| Shopify | Authenticator | Authenticator; SMS | Authenticator; U2F | SMS | PR email | backup signup available | |
| Signal | | | | | No PR | No PR; E2EE, phone number only used as identifier, attacker can hijack future communications; Outdated - No 2FA | |
| Slack | SMS | Authenticator | | | PR email | | |
| Snapchat - reported fixed | SMS | Authenticator | SMS; Authenticator | | PR SMS; PR email | backup signup available | reported as fixed; this row represents our original finding |
| Sonic | | | | | PR phone call | Restriction - utility service required for account creation | |
| Square | SMS | SMS; Authenticator | Authenticator | | PR email | backup signup available | |
| StatusCake | SMS | Authenticator | | | PR email | | |
| Stripe | SMS | Authenticator | SMS; Authenticator | Authenticator; U2F | PR email | | |
| T-Mobile | | | | | PR phone call | Restriction - utility service required for account creation | |
| Taxact - fixed without reporting | Email; SMS | Authenticator | | | PR SMS; PR email | SMS 2FA used as mandatory backup for email 2FA | did not understand; later fixed the issue without notifying us; this row represents our original finding |
| Telegram | Password; Email; Proprietary | Password; Proprietary | | | PR email only if email 2FA is set | automatic tap-to-login 2FA sent to other signed-in devices | |
| Ting | Authenticator | SMS | | | PR email | | |
| Tokopedia | | | | | PR SMS; PR email | Restriction - non-U.S. phone number required for 2FA signup | |
| TransferWise | SMS | Proprietary; SMS | | | PR email | initial SMS 2FA signup mandatory; automatic SMS backup signup using phone number on file; 2FA cannot be disabled once set | |
| TransIP | Authenticator; SMS | | | | PR email | authenticator 2FA mandatory; SMS 2FA used as mandatory backup | |
| Tumblr | SMS | Authenticator | SMS; Authenticator | | PR email | backup signup available | |
| Twilio | SMS; Authy | | | | PR email | automatic Authy backup signup using phone number on file | |
| Twitch | SMS; Authy | | | | PR email; PR SMS | automatic Authy backup signup using phone number on file; PR SMS is in beta | |
| Twitter | SMS | SMS; Authenticator | Authenticator | SMS; U2F | PR SMS only if 2FA is not enabled; PR email | backup signup available; Optional feature called PR Protect - requires email address to be correctly entered, does not help against PR SMS | |
| Uber | SMS | Authenticator | | | PR email | 1-step login with OTP available if 2FA is not enabled | |
| Ukraine | Authenticator; SMS | | | | PR email | authenticator 2FA mandatory; SMS 2FA used as mandatory backup | |
| Unity | SMS | SMS; Authenticator | Authenticator | | PR email | backup signup available | |
| Venmo | SMS | | | | PR SMS; PR email | | no response |
| VK | SMS | SMS; Authenticator | | | PR SMS only if 2FA is not enabled; PR email | backup signup available; SMS 2FA mandatory | |
| Wealthsimple | Authenticator | SMS | | | PR email | | |
| WhatsApp | PIN; Email | PIN | | | No PR | No PR; 1-step login enabled; phone number only used as identifier, attacker can hijack future communications | |
| WordPress.com | Authenticator; SMS | SMS | | | PR SMS; PR email | SMS 2FA used as mandatory backup | no response |
| XING | SMS | Authenticator | | | PR SMS; PR email | SMS 2FA requires non-US number | |
| Yahoo Mail | Proprietary; Email; SMS | Email; SMS | | | PR SMS; PR email | automatic SMS backup signup using phone number on file; automatic email backup signup using email on file; 1-step login (via notification, OTP via SMS, OTP via email) enabled if proprietary app 2FA is selected | did not understand |
| Yandex.Money | Proprietary | | | | PR SMS only if 2FA is not enabled; PR email only if 2FA is not enabled; PR SMS + old password | 1-step login (via in-app QR scanner, via in-app OTP) enabled if 2FA is enabled | |
| Zendesk | Authenticator | SMS | | | PR email | | |
| Zoho Mail | Proprietary | Proprietary; SMS | Authenticator; U2F | SMS | PR SMS; PR email | 1-step login available via PR SMS number | closed as non-issue |