undefined | Better HN

0 pointsdalmo33y ago0 comments

How would you prevent someone from spamming a user just by knowing their username? Say, if the 2FA is done by SMS, or email.

An attacker brute-forcing the password could flood the user with multiple messages. The usual response is doing a password reset, but that wouldn't work in your system.

I wonder how systems that use magic links handle this.

0 comments

Tangurena23y ago

> How would you prevent someone from spamming a user just by knowing their username?

Wasn't something like this how Uber got hacked recently? Spamming the target until they clicked "yes" on the 2FA prompt?

ezekg3y ago

Your authentication system should have per-user and per-IP rate limits.

j / k navigate · click thread line to collapse