
Comment by rdl

12 years ago

The Duo app is really nice. I was really happy to find out you could use it without their (fairly expensive) service; it's essentially a drop-in replacement for the Google Authenticator app. I've still been using both, though.

The thing I dislike most is when sites don't allow you to link your own OATH credential (i.e. a hardware token); I don't consider any of the cellphone apps or services to be as secure as the hardware token, and there are nice ways to use the hardware tokens for role accounts (locking the physical token in a safe, or leaving it in the custody of a third party without direct access to the account, like a CFO). The ideal implementation of OATH/2FA for a site allows users to specify their own, get the QR code, or get a text code.

Coinbase, for instance, only shows the QR code; I can neither use my own hardware token nor back up the character string (which I feel I can do safely) to let me re-generate the token. I generally like having >1 device with my OATH credentials for any given account, particularly if the device is needed to change security settings later. It's awesome that they support 2FA, but doing better would be better.