With increasing password complexity requirements, I've found myself just hitting forgot every time on almost every website, because it has become more convenient. It made me start to wonder, what would be the security implications of just requiring that same process for every login, given the current push for 2-factor involving email anyway? That is, is 2-factor involving email or text any different than the password reset process anyway, less the need to come up with a new password each time?
- Basically, you're implementing OpenID, but worse in every way. Instead, implement OpenID, but also allow a normal password login. – Oct 27 '20 at 15:22
- The current push is ***not*** to use email as a second factor, but a TOTP code ... – schroeder Oct 27 '20 at 15:26
- @MechMK1 It is, looks like a duplicate. Thanks! – Dan Chase Oct 27 '20 at 15:27