fady0 | 3 months ago

Aren’t these codes supposed to have a timeout, like you have to use them within 10 minutes or they become invalid?

caleblloyd | 3 months ago

Sure, but say the implementation lets you try 5 codes in that 10 minutes with a 30 minute lockout. An attacker could trigger Account Recovery, blindly try 5 six-digit codes immediately, and have a 0.0005% chance of getting into your account.

They could script this to run over a long period of time targeting 1 account, or they could target many accounts at once, and would probably have success.
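To put numbers on the argument in this comment, here is a small policy model I added (it is not code from any commenter or product): it computes the chance that scripted blind guessing compromises at least one account over a period, and compares the 6-digit/5-attempt/30-minute policy described above with a stricter one. The field names, the "hardened" parameter values, the daily cap on recovery requests, and the assumption that guesses are fired instantly are my own.

```python
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class OtpPolicy:
    """Parameters of a one-time recovery-code flow (field names are assumed, not from any product)."""
    code_digits: int                           # length of the numeric code
    attempts_per_code: int                     # wrong guesses allowed before lockout
    lockout_minutes: int                       # lockout length after those attempts
    daily_recovery_cap: Optional[int] = None   # max recovery requests per account per day, if enforced

    def batch_success_probability(self) -> float:
        # Codes are uniform over 10**digits; each distinct blind guess hits with 1/10**digits,
        # so a batch of k distinct guesses succeeds with probability k/10**digits.
        return self.attempts_per_code / 10 ** self.code_digits

    def batches_per_day(self) -> float:
        # Assumed attacker loop: fire all guesses at once, wait out the lockout, request a new code.
        by_lockout = 24 * 60 / self.lockout_minutes
        if self.daily_recovery_cap is None:
            return by_lockout
        return min(by_lockout, self.daily_recovery_cap)


def success_probability(policy: OtpPolicy, days: float, accounts: int = 1) -> float:
    """P(at least one of `accounts` accounts is compromised) after `days` of scripted guessing."""
    batches = policy.batches_per_day() * days * accounts
    p = policy.batch_success_probability()
    # 1 - (1 - p)**batches, computed with log1p/expm1 so a tiny p does not lose precision.
    return -math.expm1(batches * math.log1p(-p))


# The policy from the comment above: 6 digits, 5 guesses, 30-minute lockout, no request cap.
WEAK = OtpPolicy(code_digits=6, attempts_per_code=5, lockout_minutes=30)
# An assumed stricter policy: longer code, fewer guesses, and at most 5 recovery requests per day.
HARDENED = OtpPolicy(code_digits=8, attempts_per_code=3, lockout_minutes=60, daily_recovery_cap=5)

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: one batch {pol.batch_success_probability():.2e}, "
              f"1 account / 1 year {success_probability(pol, 365):.3%}, "
              f"1000 accounts / 1 year {success_probability(pol, 365, 1000):.3%}")
```

Under the weak policy a single targeted account falls with about 8% probability per year and a run against 1000 accounts is essentially certain to hit one, which is why the daily request cap (and an alert when it is hit) matters as much as the code length.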

vablings | 3 months ago

This is my biggest gripe with email auth or any kind of security code via SMS/MMS. I pray for the day I can fully move to a passwordless setup and break free of the spaghetti mess of email addresses and phone numbers.

conception | 3 months ago

It’s probably easier to just have an exception log when someone(s) have 100 bad password attempts in a day or whatever.

tracker1 | 3 months ago

Feel free to implement something that sends a UUID, and deal with the complaints instead.

jdmoreira | 3 months ago

I've implemented OTP codes / magic links many times now. They absolutely always have a timeout. Say 30 minutes.