Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST civic hacking day challenge sparks the creation of an innovative new API

Multi-factor authentication (MFA) is near and dear to our hearts at NSTIC. We understand how important it is to the security and privacy of online transactions and we get excited about any opportunity to increase the awareness of—and encourage the adoption of—MFA. This is why we jumped at the opportunity to submit a challenge about MFA for the National Day of Civic Hacking earlier this summer. NIST hosted a ‘Two Factor Frenzy’ challenge that called for a tool designed to show users which sites currently offer MFA that could be personalized based on their online habits. Two colleagues at Code HS in San Francisco joined forces to work on a solution for us: Kurt Hepler and John Kelly. Kurt and John both recently became interested in cybersecurity; Kurt is an avid coder who tutors students and teachers, and John is a programmer who changed his major at Berkeley from cognitive science to computer science when he realized he had a passion for it. This was their first time as civic hacking participants—and their first time building an API. They chose to work on our challenge because of the cybersecurity focus and the creativity we encouraged. Kurt and John decided to build and launch a publicly available API that makes the data from (which compiles information about which websites support MFA) easier to access through a browser extension. The API can show internet users if the website they are visiting offers MFA—in hopes of adding simplicity and convenience for the user. They also expanded the API’s dataset to include even more information about the security of the websites being visited (e.g., if the website has phone call support, email support, and hardware token support). The browser extension for Chrome and Firefox can be downloaded from the Chrome Web Store and at Add-ons for Firefox now. You can also look up if a website offers MFA on their website, Check This Site. Kurt and John are currently working on a way for others to be able to add information to their database as more sites adopt MFA—and say they already have a plan for how to make this work. Ultimately, they would like to allow the community to contribute so the tool is as useful, robust, and effective as possible. Kurt has reasons for his passion on MFA. He says, “As we continue to spend more and more of our time online, the need for safer online practices becomes increasingly important. This is especially true when you think about how much personal information we share online. Whether we're checking email or filing taxes, there’s a lot of info about us that we want to keep secure. To this end, MFA can have a huge impact on keeping us and our data safe. We hope that our project will be helpful in educating about and promoting these resources and practices.” We at NSTIC appreciate that Kurt and John took the time to collaborate and come up with a solution to our challenge. This was the first time NIST participated in the National Day of Civic hacking, and we are really happy with how the event turned out. Tools like those developed in the hacking day challenge help advance the Identity Ecosystem and, in the case of our challenge, encourage service providers to offer MFA—which will make the online world more secure in the future… and will keep us happy in the meantime. More information about the API is on ChallengePost (which includes additional links and screenshots). …And remember to follow us on Twitter!


Add new comment

Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.