> Add e-mail-based sign in challenge for users with disabled 2FA

> If user tries signing in after:
> * Being inactive for a while
> * With a previously unknown IP
> * Without 2FA being enabled

> Require to enter a token sent via e-mail before signing in


@Gargron @Mastodon @tennoseremel

"Require to enter a token sent via e-mail before signing in"
that is just email-based 2FA.
Steam does this and I think it's the superior 2FA.

but when taking into context
"Add e-mail-based sign in challenge for users with disabled 2FA"

basically it's either 1. not well defined or 2. ignoring the user's request.

@Gargron Aside from requiring the user to do something they opted out of?

Let's see:

* leaking more data to email provider;
* creating problems/annoyances logging in, especially if your email provider is blocked in your country and you have to run Tor or something to access it;
* then there can also be a problem when I'd want to login from a device which has no access to email or such an access is undesirable.


@tennoseremel @Gargron

What I personally would love to see is this being optional, because I actually love email-based 2FA and I cannot use phone-based 2FA because I don't have one.
But it definitely should have its own separate option to toggle it.

@loganer @tennoseremel Did y'all miss how it only activates if you haven't signed in for a while (2 weeks, to be exact) and only if you're trying to sign in from an IP you haven't signed in from before? Your hijacked account is a liability for the whole network, so no, you don't get a choice about how we safeguard inactive accounts from being hijacked.

@Gargron Which is:

a) rather short;
b) still does what the user opted-out of;
c) IP doesn't matter as it changes daily pretty much for everyone.

2 weeks is not hijacked, it's barely a vacation.

I'd expect such a move from big brother companies (you haven't logged in in X amount of time, punishment time), not an open source project.


@tennoseremel @loganer I think you're misunderstanding something. Mastodon sessions don't expire for like, a year. Once you're logged in, you're logged in. This is about displaying a challenge when you try to login from a browser where you don't already have a session.
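
As an added example (not Mastodon's code), the decision rule described in this thread as a small Ruby function: the e-mail challenge fires only when the account has no TOTP, has not signed in for 2 weeks, and the login comes from an IP not seen before; the challenge token's 30-minute lifetime, the constant-time comparison and the `User`/`Challenge` structs are assumptions made for the example.

```ruby
require 'securerandom'
require 'time'

INACTIVITY_THRESHOLD = 14 * 24 * 60 * 60 # 2 weeks, as stated in the thread
CHALLENGE_TTL = 30 * 60                  # assumed token lifetime (not from the thread)

# Constructed stand-ins for an account record and an issued challenge.
User = Struct.new(:otp_required, :last_sign_in_at, :known_ips, keyword_init: true)
Challenge = Struct.new(:token, :issued_at, keyword_init: true)

# True when the heuristic says this new-browser login needs an e-mailed token.
# Accounts with TOTP enabled are prompted for TOTP instead, so they are excluded.
def email_challenge_required?(user, login_ip, now: Time.now)
  return false if user.otp_required
  inactive = (now - user.last_sign_in_at) > INACTIVITY_THRESHOLD
  new_ip   = !user.known_ips.include?(login_ip)
  inactive && new_ip
end

# Random, unguessable token; the caller would mail it and keep the struct server-side.
def issue_challenge(now: Time.now)
  Challenge.new(token: SecureRandom.hex(16), issued_at: now)
end

# Length check plus bytewise OR of XORs, so mismatch position does not leak via timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Expired or mismatched tokens are rejected; a passed challenge should also
# record login_ip in known_ips so the next login from it is not challenged again.
def challenge_passed?(challenge, submitted, now: Time.now)
  return false if (now - challenge.issued_at) > CHALLENGE_TTL
  constant_time_equal?(challenge.token, submitted.to_s)
end
```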

@Gargron And that's what I usually do – login from a browser. And all of that session data is erased whenever I close it 'cause privacy… :blobcatgoogly:


@tennoseremel @loganer What you have to understand is:

1. People tend to namesquat on Mastodon (reserve username, stop paying attention indefinitely)

2. People tend to re-use passwords between different websites and often pop up on

3. People who namesquat often have bad password security and don't bother setting up 2FA

As a result, we've been dealing with a lot of account hijackings on Mastodon. Spammers take over legit looking accounts and transform them into spam.

@Gargron @tennoseremel And I'm fine with that. You are combating this.
Just please communicate the real intent of the options to the users of the software.

If 2FA is disabled, then it is disabled.

@Gargron People have bad security, now I have to suffer in their place, awesome.

Anyway, at least do as @loganer says: write that 2FA is not actually disabled (haven't seen how that looks as my server is still at 3.1.5) because it isn't.

@tennoseremel @loganer I will do no such thing. Enabling 2FA requires a TOTP app, and a TOTP token is then required on every new login, not a heuristic like suspiciousness. This isn't 2FA.

@Gargron @tennoseremel An emailed key to log in is 2FA.

It is 2 factors you need to authenticate with.

2FA separated by some random time is still 2FA,
and email-based 2FA is still 2FA.
@Gargron @tennoseremel Don't think I'm hitting on just you, though, for these crappy definitions.

Pleroma also does not define 'Outgoing blocks' well.
@Gargron @tennoseremel

Even if one or the other must be active, then you should properly define it, because disabled is not "use something else".

@Gargron This is also doubly amusing because spammers will just register new accounts and post spam daily, which this thing is unable to stop, so they aren't even affected by the change :blobderpy:
