
Two Factor Authentication for Rails Application


I'm thinking about adding another layer of security in my application. Two factor authentication (2FA) seems like something I want to work with.

I want to know what determines a good 2FA? Also which ones would you recommend? I am currently not on Devise, so any independent third-party/gem would help.


Solution

  • What determines a good 2FA method? I'd say coverage (# of users that can use it), costs, and extra security benefits.

    In terms of security, U2F is the best type of 2FA as it prevents phishing as well as MITM, though your users would need to purchase (inexpensive) tokens. Currently works only in Chrome.

    Cheapest is Google Authenticator-style TOTP, which is free and does not incur any SMS fees. Your users need smartphones.

    Highest coverage is SMS, which almost all users will have but you may have to pay fees to send SMS and your users may have to pay to receive them.
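For the Google Authenticator-style TOTP option mentioned in the answer, here is an added example (not code from the original answer or from any gem) of server-side verification per RFC 6238 using only Ruby's standard library, so it does not depend on Devise. The `Totp` module, its method names, and the per-user `last_used_step` value are assumptions made for illustration.

```ruby
require "openssl"

# Added example: RFC 6238 TOTP verification with Ruby's standard library only.
# Totp, code, verify and last_used_step are hypothetical names, not a gem's API.
module Totp
  STEP   = 30   # seconds per time step (what authenticator apps use by default)
  DIGITS = 6
  B32    = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567".freeze

  # Decode the Base32 (RFC 4648) secret that authenticator apps import.
  def self.base32_decode(str)
    bits = str.upcase.delete("= ").each_char.map do |c|
      idx = B32.index(c) or raise ArgumentError, "invalid Base32 character"
      idx.to_s(2).rjust(5, "0")
    end.join
    [bits[0, bits.length / 8 * 8]].pack("B*")
  end

  # HOTP (RFC 4226) computed over the time-step counter yields the TOTP code.
  def self.code(secret, counter, digits = DIGITS)
    mac    = OpenSSL::HMAC.digest("SHA1", secret, [counter].pack("Q>"))
    offset = mac.getbyte(-1) & 0x0f                      # dynamic truncation
    value  = mac[offset, 4].unpack1("N") & 0x7fffffff
    (value % 10**digits).to_s.rjust(digits, "0")
  end

  # Returns the matched time step, or nil. Tolerates +/- `drift` steps of clock
  # skew and rejects any step <= last_used_step so a code cannot be replayed.
  def self.verify(secret, submitted, now: Time.now.to_i, last_used_step: nil, drift: 1)
    submitted = submitted.to_s
    return nil unless submitted.match?(/\A\d{#{DIGITS}}\z/)
    current = now / STEP
    ((current - drift)..(current + drift)).find do |step|
      next false if last_used_step && step <= last_used_step
      OpenSSL.secure_compare(code(secret, step), submitted)  # constant-time
    end
  end
end
```

On success, store the returned step for that user and pass it back as `last_used_step` on the next attempt; rate-limit failed attempts, since a 6-digit code is otherwise guessable.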