The world’s most popular websites [1], according to the Alexa website, are the following:

| Site | Daily Time on Site (mins:secs) | Daily Pageviews per Visitor |
|---|---|---|
| Google.com | 12:23 | 14.56 |
| YouTube.com | 12:19 | 6.96 |
| Tmall.com | 6:46 | 2.88 |
| Qq.com | 3:43 | 4.02 |
| Baidu.com | 7:18 | 4.40 |
| Facebook.com | 17:18 | 7.83 |
| Sohu.com | 3:44 | 4.61 |
| Login.tmall.com | 5:05 | 1.00 |
| Taobao.com | 4:23 | 3.53 |
| 360.cn | 3:16 | 3.90 |
[1] – The sites in the top sites list are ordered by their 1 month Alexa traffic rank. The 1 month rank is calculated using a combination of average daily visitors and pageviews over the past month. The site with the highest combination of visitors and pageviews is ranked #1.

Let us break down each website and take a look at what authentication and multi-factor authentication options are available for the login and forgotten password user flows.
| Site | Default Login | Login MFA Options | Default Password Reset | Reset Options |
|---|---|---|---|---|
| Google.com | Username and password; minimum of 8 characters | Google Prompt, SMS OTP, Security Key, Recovery Codes, Authenticator App | Last known password; KBA or pre-configured MFA factor | KBA, unless MFA enabled |
| YouTube.com | Account managed by Google – so same as above | Account managed by Google – so same as above | Account managed by Google – so same as above | Account managed by Google – so same as above |
| Tmall.com | Authentication handled by login.tmall.com | Authentication handled by login.tmall.com | Authentication handled by login.tmall.com | Authentication handled by login.tmall.com |
| Qq.com | Part of Tencent – unable to verify | Part of Tencent – unable to verify | Part of Tencent – unable to verify | Part of Tencent – unable to verify |
| Baidu.com | QR code via app, or username and password (8-14 chars, 2 of numbers/letters/punctuation). Mobile number required for registration | OTP via registered mobile | Username and reCaptcha, followed by configured MFA. If no MFA is configured, an “appeal” via customer support is required; this requires scanning a QR code that contains a specific URL redirect | OTP via registered mobile |
| Facebook.com | Username and password (min of 6 chars long) | OTP via registered mobile | Code sent to pre-registered email address | |
| Sohu.com | Username and password (8-16 chars, with alphanumeric and special char support). Mobile number and verification code also supported by default | OTP via registered mobile | Mobile phone and verification code, or email and code | OTP via registered mobile |
| Login.tmall.com | Authentication handled by passport.taobao.com | Authentication handled by passport.taobao.com | Authentication handled by passport.taobao.com | Authentication handled by passport.taobao.com |
| Taobao.com | Username and password login available | Part of Alibaba group. Registration involves reCaptcha and OTP sent to mobile device, with MFA for face, bank card verification and mobile device bind | Basic reCaptcha, Face ID, verification code via mobile, bank card reconciliation | Same as login MFA options |
| 360.cn | Mobile number and password (8-10 chars), or username/email and password (or delivered prompt via QR code) | OTP via SMS | Basic reCaptcha, email/mobile number, followed by verification code | OTP via SMS |
Notes
- Google Prompt – Android enabled devices, with push notification
- SMS OTP – one time password sent via verified text message to mobile device
- Recovery Codes – 10 eight-digit codes that are single use, with the ability to generate new ones
- Authenticator app – use of the Google Authenticator one time password generator
- Security key – USB or Bluetooth enabled hardware key
- OTP delivered via SMS to registered mobile device
- Authenticator app – can use the Facebook mobile app, which contains an OTP generator, but can also use other supported authenticator apps
- Security key – supports use of a USB U2F (FIDO Universal Second Factor) device
- Recovery Codes – 10 eight-digit codes that are single use, with the ability to generate new ones
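Both notes lists describe the same recovery code scheme: ten eight-digit codes, each usable once, regenerable on demand. The block below is an added example (not code from the original post, nor from Google or Facebook) of how a server can implement that scheme: codes are generated from a CSPRNG, only salted PBKDF2 hashes are stored, a redeemed code's hash is deleted so it cannot be replayed, and regeneration invalidates the whole previous set. The `RecoveryCodeStore` class and its iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10   # matches the "10, eight digit codes" noted above
CODE_DIGITS = 8
PBKDF2_ROUNDS = 50_000  # assumed work factor; tune for the server's hardware


def generate_recovery_codes(count: int = CODE_COUNT, digits: int = CODE_DIGITS) -> list[str]:
    """Return `count` zero-padded numeric codes drawn from a CSPRNG."""
    return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(count)]


def _normalise(code: str) -> str:
    # Users often copy codes with spaces or dashes; strip them before hashing.
    return code.replace(" ", "").replace("-", "")


def _hash_code(code: str, salt: bytes) -> bytes:
    # An 8-digit code has only ~26.6 bits of entropy, so store a slow,
    # salted hash rather than a fast digest of the code itself.
    return hashlib.pbkdf2_hmac("sha256", _normalise(code).encode(), salt, PBKDF2_ROUNDS)


class RecoveryCodeStore:
    """Server-side record of one user's unused recovery codes (hashes only)."""

    def __init__(self, codes: list[str]):
        self.salt = secrets.token_bytes(16)
        self._hashes = {_hash_code(c, self.salt) for c in codes}

    def remaining(self) -> int:
        return len(self._hashes)

    def redeem(self, code: str) -> bool:
        """Consume `code` if it is unused. Each code works exactly once."""
        candidate = _hash_code(code, self.salt)
        # Constant-time comparison against every stored hash avoids leaking
        # which entry matched via timing.
        matched = [h for h in self._hashes if hmac.compare_digest(h, candidate)]
        if not matched:
            return False
        self._hashes.discard(matched[0])
        return True

    def regenerate(self) -> list[str]:
        """Issue a fresh set; every previously issued code stops working."""
        codes = generate_recovery_codes()
        self.salt = secrets.token_bytes(16)
        self._hashes = {_hash_code(c, self.salt) for c in codes}
        return codes


if __name__ == "__main__":
    issued = generate_recovery_codes()
    store = RecoveryCodeStore(issued)
    print("show once to the user:", issued)
    print("first use:", store.redeem(issued[0]))   # True
    print("replay:", store.redeem(issued[0]))      # False, already consumed
    print("left:", store.remaining())              # 9
```

The low entropy of numeric codes is the reason for the slow hash and for rate-limiting the redeem endpoint server-side; the hashes alone do not make online guessing infeasible.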
Summary
SMS delivered one time passwords seem to be the most popular secondary factor, even though several pieces of analysis have indicated the inherent weakness of this approach. The National Institute of Standards and Technology (NIST) deprecated its recommendation of SMS OTP as a secure secondary factor back in 2016.

The simple reason is that SMS is almost universally available: usable in multiple geographies and on multiple phone models, including legacy non-smart devices. A one time password generated within an application using the OATH HOTP/TOTP algorithms and a shared secret (between the app and the server side of the site you’re accessing) would seem more secure, but it requires users to run modern applications and needs a secure way of sharing the secret, certainly an encrypted communications channel over TLS 1.2/1.3, which some sites in the above list do not necessarily adhere to.

Other secondary factor options, such as push authentication and WebAuthn, seem to be in the minority at present, probably due to their dependencies on modern browsers and applications.
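To make the shared-secret point concrete, the block below is an added example (not from the original post) implementing the OATH algorithms the paragraph refers to: HOTP (RFC 4226) and the time-based TOTP (RFC 6238) built on it, plus the enrolment step where the secret is handed to the authenticator app as an `otpauth://` key URI. Everything the app will ever compute derives from that one secret, which is why the enrolment exchange must travel over TLS. The `verify_totp` skew window and the `issuer`/`account` labels are assumptions made for the example; the test secret `12345678901234567890` is the published RFC test vector.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check allowing +/- `window` steps of clock skew (assumed policy)."""
    for drift in range(-window, window + 1):
        t = at + drift * step
        if t < 0:
            continue
        # Constant-time comparison so a wrong code does not leak matching digits.
        if hmac.compare_digest(totp(secret, t, step, digits), code):
            return True
    return False


def new_secret(length: int = 20) -> bytes:
    """Per-user shared secret; generated server-side from a CSPRNG at enrolment."""
    return secrets.token_bytes(length)


def provisioning_uri(issuer: str, account: str, secret: bytes,
                     digits: int = 6, period: int = 30) -> str:
    """Key URI the authenticator app scans (usually rendered as a QR code).

    The secret is base32, unencrypted, inside this URI: whoever captures the
    enrolment page or QR image can generate every future code.
    """
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={period}")


if __name__ == "__main__":
    secret = new_secret()
    print(provisioning_uri("ExampleSite", "user@example.com", secret))
    now = int(time.time())
    code = totp(secret, now)            # what the app displays
    print("code:", code, "accepted:", verify_totp(secret, code, now))
```

Because the server holds the same secret as every user's app, the secret store is as sensitive as a password database but cannot be hashed; it has to be encrypted at rest, which is a cost SMS OTP does not carry.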