this post was submitted on 05 Apr 2024
1109 points (98.9% liked)

Programmer Humor

[–] [email protected] 128 points 6 months ago (2 children)

If you think about it, the last option is a way to use login via 2FA

[–] [email protected] 81 points 6 months ago (1 children)

Nah it's just SFA with extra steps.

[–] [email protected] 23 points 6 months ago (1 children)

Magic link login with extra steps

[–] [email protected] 2 points 6 months ago

This is more correct

[–] [email protected] 44 points 6 months ago (3 children)

But you only need one factor, access to your inbox?

[–] [email protected] 39 points 6 months ago* (last edited 6 months ago) (1 children)

So it's more like SSO authentication

[–] [email protected] 17 points 6 months ago (1 children)
[–] [email protected] 1 points 6 months ago

Unless your email has 2fa?

[–] [email protected] 4 points 6 months ago (1 children)

Depends, some ask for the email used for the registration, the others ask for a username. In case of the username, it's a 2FA! Something you know (username) and something you have (access to the registered email's inbox)!

.. It's still a shit security design. Better to have username, pass and a security key hehe

[–] [email protected] 1 points 6 months ago (1 children)

Hmh, I guess, though I feel this is a bit more complicated. What if you can look up the username in the registration mail sent to the inbox? Or it's a site that uses email addresses as usernames? Is it knowing if said knowledge is inferrable from the thing you have?

[–] [email protected] 1 points 6 months ago (1 children)

I think you got wrong what I meant (?)
Imagine I register on a website with my username ( DacoTaco ) and email ( [email protected] ). When I want to reset my password and click the "forgot password" link, it would ask my username, not my email address (something I know) and send me an email ( to [email protected] ) without reporting what email it sent it to. That way it could be considered a separate identity factor I think (access to the mailbox, something you have).
Websites generally don't work this way, I know. But that's how I'd implement it :')

[–] [email protected] 2 points 6 months ago

Thanks for clarifying. I was mostly trying to apply that scenario to a likely real world one, but there's definitely cases in which it could be two factor.

[–] [email protected] 3 points 6 months ago

Shit, are we getting to that point where all non-password logins are "2FA" like how all denial of services are "DDoS"?