Hi Everyone,
We are evaluating 2 methods at this time: SMS and Yubikey.
The "free subscription" we're referring to is SMS verification. Unfortunately we're a prime target for SMS flooding if we make this a free service, as you can probably understand.
As for the Yubikey, you will pay for a key and the service itself would of course be offered free of charge, making it effectively a one-time fee.
I don't want to be in a situation where I can't get into my account if I forget or lose my second factor... I'm hoping you allow some flexibility in this new system for us to decide which methods we would like to select during login. If I need to get into my account, without my second factor, it would be nice to have the ability to choose one of the other 2nd factors during the logon process... If I don't have my Yubikey, but I do have my cell phone configured, I would like to be able to still access my account. If I don't have either of my 2nd factors.. Answering a short series of "Security Questions" should be allowed to be used to gain access. Something like the way that PayPal does it.. During the logon process a user can say "I don't have my Key right now" and still answer a couple of security questions only that user would know, as a backup method, to gain access to their account.
Of course each user could decide which factors are available for them... This would allow users to balance not only the increased security of the new system, but also how convenient they wish it to be for themselves.
Maybe you can implement the SMS 2-Factor in-house.. and find a way to avoid the "SMS flooding" scenario... like sending the SMS AFTER the correct password has been entered on the site.
Here is a list of the majority of International SMS carrier gateways.. It could be used as a starting point should you decide to roll your own solution..
att=<number>@txt.att.net
at&t=<number>@txt.att.net
bell=<number>@txt.bell.ca
beeline=<number>@sms.beemail.ru
bouygues=<number>@mms.bouyguestelecom.fr
cricket=<number>@sms.mycricket.com
d1=<number>@t-d1-sms.de
eplus=<number>@smsmail.eplus.de
etisalat=<number>@email2sms.ae
fido=<number>@fido.ca
lmt=<number>@smsmail.lmt.lv
metropcs=<number>@mymetropcs.com
mobistar=<number>@mobistar.be
optus=0<number>@optusmobile.com.au
orange=<number>@orange.net
o2uk=<number>@o2imail.co.uk
o2germany=0<number>@o2online.de
rogers=<number>@pcs.rogers.com
sfr=<number>@sfr.fr
softbank=<number>@softbank.ne.jp
sprint=<number>@messaging.sprintpcs.com
starhub=<number>@starhub-enterprisemessaing.com
sunrise=<number>@mysunrise.ch
swisscom=<number>@bluewin.ch
tdc=<number>@sms.tdk.dk
telecom=<number>@etxt.co.nz
telenor=<number>@mobilpost.no
tele2=<number>@sms.tele2.lv
telia=<number>@gsm1800.telia.dk
telstra=<number>@tim.telstra.com
telus=<number>@msg.telus.com
three=<number>@three.co.uk
tmobile=<number>@tmomail.net
tmobileczech=<number>@sms.paegas.cz
uscellular=<number>@email.uscc.net
verizon=<number>@vtext.com
virginmobile=<number>@vmobl.com
virginmobilecanada=<number>@vmobile.ca
vivo=<number>@torpedoemail.com.br
vodafonegermany=0<number>@vodafone-sms.de
vodafonegreece=<number>@sms.vodafone.gr
vodafoneitaly=<number>@sms.vodafone.it
vodafoneuk=<number>@vodafone.net
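
The idea raised above of sending the SMS only after the correct password has been entered, sketched as an added example that is not part of the original posts or the site's code. The cooldown, hourly cap, code lifetime, class and function names, and the `send_sms` callback are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

COOLDOWN_S = 60     # assumed policy: minimum gap between texts to one account
MAX_PER_HOUR = 5    # assumed policy: hourly cap per account
CODE_TTL_S = 300    # assumed policy: code lifetime

def make_user(password, phone):
    """Build a stored record (salt, PBKDF2 hash, phone) for the demo."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), phone

class SmsGate:
    def __init__(self, users, send_sms, clock=time.monotonic):
        self.users, self.send_sms, self.clock = users, send_sms, clock
        self.sent = {}      # username -> timestamps of texts sent
        self.pending = {}   # username -> (code, expiry)

    def password_ok(self, username, password):
        # Unknown users are hashed against a dummy record so both paths cost the same.
        salt, stored, _ = self.users.get(username, (b"\0" * 16, b"\0" * 32, None))
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(digest, stored) and username in self.users

    def login_step1(self, username, password):
        if not self.password_ok(username, password):
            return "denied"                      # wrong password: nothing is sent
        now = self.clock()
        recent = [t for t in self.sent.get(username, []) if now - t < 3600]
        if (recent and now - recent[-1] < COOLDOWN_S) or len(recent) >= MAX_PER_HOUR:
            return "throttled"                   # right password, still rate limited
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = (code, now + CODE_TTL_S)
        self.sent[username] = recent + [now]
        self.send_sms(self.users[username][2], code)
        return "code_sent"

    def login_step2(self, username, code):
        # The pending code is consumed on the first attempt, right or wrong.
        expected, expiry = self.pending.pop(username, ("", 0.0))
        return self.clock() <= expiry and hmac.compare_digest(code, expected)
```

The password gate alone only stops texts to accounts whose password the requester does not know; the per-account cooldown and hourly cap bound what a valid or stolen password can trigger.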