Categories Users Search
Help
Sign Up Sign In
Q&A

Can we have second-factor sign-in authentication via e-mailed one-time codes?

1

I realize that this might be a bit of a niche use case, but I'm going to put it out here anyway.

The availability of 2FA via an authenticator app is a great boost to account security.

However, there are still people who don't have smartphones, or who might not be willing to tie their smartdevice to their account here for some reason. For a not entirely unreasonable example, their smartphone might be a work-provided device where policy restricts what it can be used for.

I don't expect that this would be at the top of the list of priorities by any means, but since Codidact can already send e-mails (see for example the subscription feature), would it be possible to have second-factor authentication via an e-mailed one-time code?

I imagine that when set up, after successfully authenticating with one's password, an e-mail would be sent to the address associated with the account, containing a short code that must be entered before being signed in, and that this would happen each time the user signs in (not just when the attempt looks "suspicious" according to some metric – I suspect this would make the feature easier to implement).

Having that would mean that an attacker would need to gain access both to one's Codidact credentials, as well as one's e-mail account; and that such access would need to be ongoing (unless the attacker turns off the sign-in code requirement, which the legitimate account holder would notice no later than the next time they sign in and aren't prompted for a code).

history · edit · permalink · close · delete · flag
Why should this post be closed?

2 comments

Email isn't a secure mechanism, which is also part of the reason I've stayed away from SMS codes. That said, maybe it's enough to put an "are you sure - using an app is more secure" disclaimer before enabling it. The mobile QR-based login (phone icon, top bar) already basically does this, it'd just need to email you the link rather than turning it into a QR code. ArtOfCode 15 days ago

@ArtOfCode I agree that emailed confirmation codes aren't as secure as a proper 2FA solution. However, between what's already available here and what I'm proposing, there should be something that works for everyone. Also, what I'm proposing (password before confirmation code) seems like it should at the very least be no less secure in practice than the multitude of email-based password reset schemes out there, and very likely more secure (because you need to know the current password as well). aCVn 12 days ago

2 answers

2

This should be completed with the next deploy. To make it easy, we just email you a link to sign in - same functionality, but easier to use.

history · edit · permalink · delete · flag

2 comments

It seems to work fine. However, the . at the end of the URL can easily be interpreted as part of the link, while in reality it's meant as a sentence terminator. Please remove it in the email to avoid confusion. aCVn about 19 hours ago

Done, pending deploy - cheers @aCVn ArtOfCode about 3 hours ago

-1

Please make sure that such a feature is optional, and not the default when you create your account.

Personally I find such extra security a pain in the butt and annoying. This isn't Fort Knox or my bank account. A user name and password should be good enough, without needing a phone handy, or immediate access to a particular email account, or whatever.

history · edit · permalink · delete · flag

1 comment

Not sure why this got downvoted, to be honest. Seems like a perfectly reasonable suggestion on top of the original one. Default to what everyone is (should be) familiar with, namely a username and password pair; allow turning on extra security on top of that if and only if so desired. Not everyone feels the need for the extra security, especially when the extra security comes at a bit of an inconvenience. aCVn about 19 hours ago