
It's easier because you only need to tap the app to verify. No need for OTP codes, though OTP is a fallback if your device is offline.


So, users are locked into MePIN's proprietary app and depend on MePIN's website to log in, rather than using an open standard that can run offline. If you use HOTP/TOTP, you can use open source Google Authenticator, DuoSecurity, libpam, or any number of clients.

It's pretty easy to implement your own TOTP client if you don't like any of those. Here's a JS reference in 250 lines of code and HTML: https://code.google.com/p/google-authenticator/source/browse...

In MePIN's defense, DuoSecurity also has their own push notification for a single-tap login, so users are willing to trade interoperability for convenience.


Are you concerned that it is a lot easier to trick users into clicking a button to authorize the login?


Of course user behavior has to be considered. The MePIN app does allow the user to set up a personal PIN code, so an authorization would then require the PIN code and a tap.


A PIN would do nothing to keep a user from being tricked into authorizing an attacker's login.


Don't want to argue, but yes it would. It would stop the user for a second, giving time to the brain to process for a while what's going on.


If a user is willing to press the button, a PIN isn't going to stop them. Your app is decreasing security in favor of usability, which is not something people look for when they are looking to implement two factor auth.

I think anyone who would blindly use your proprietary two factor solution that makes it easier for end users to authorize other people to log in would be silly.


I can use similar arguments; a user can be tricked into entering an OTP on a phishing site. For that the hacker does not need to time the attack to the same second, so it's a much, much easier attack for the hacker.

'No 2FA' is the real silly one here. Any 2FA is so much better than no 2FA, and usability has been a big issue so far in 2FA adoption.



