undefined | Better HN

0 pointsremram3y ago0 comments

People forget their passwords. If you do more than sell stuff one time and the user really need to get their account back, you need a way to send them a reset link or code. No way around it.

0 comments

1 comments · 1 top-level

_8j503y ago

Only if you or the user refuse to use federated auth. And even then do you not have 2FA? Then your 2FA is reduced to 1FA by email?

"There is no way around it" is such b.s., yes there is, pretend email does not exist, how would you do it? I think you skipped over parts of my post, there is a myriad of messaging applications if you insist control over some external account is the way to go. But really, the ideal way to do this would be have two sets of registration time challenges set. You can go with secret questions but also picture/emoji combinations, pins,patterns as the firsr piece and a second would either be a payment card for $0.01 charge or have them print one-time codes at registration time (second challenge skipped if second-factor auth is good).

"I refuse to change" is what you are saying, you can think about this longer than a minute and come up with more and better ways than what I just mentioned. Not only is email based password reser unneccesary, it is dangerous and lazy.

1 more reply

j / k navigate · click thread line to collapse