dathinab 9 days ago
sure, it being a 6-digit code which has potential for social engineering can be an issue, similar to if you get a "your login" yes/no prompt on an authentication app, but a bit less easy to social engineer, and in turn also susceptible to brute-force attacks (similar to how TOTP is susceptible to it) - though on the other hand some stuff has so low a need of security that it's fine (like a configuration site for email newsletters or similar where you have to have a mail-only based unlock) - if someone has your email they can do a password reset - if you replace the email code with a login link you get some cross-device hurdles but fix some of the social engineering vectors (i.e. it's like a password reset on every login) - you still can combine it with 2FA, which if combined with a link instead of a pin is basically the password reset flow => should be reasonably secure => either way that login was designed for very low security use cases where you also wouldn't ever bother with 2FA as losing the account doesn't matter, IMHO don't use it for something else :smh:
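The trade-off in the comment above (a 6-digit emailed code is guessable, an emailed link token is not, and both need an expiry and a single-use rule) as an added example; this is hypothetical illustration code, not from any commenter or product, and the attempt limit, TTL and token size are assumed values:

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5          # assumed: guesses allowed before the challenge is burned
TTL_SECONDS = 600         # assumed: both kinds of challenge expire after 10 minutes
CODE_DIGITS = 6           # the "6 digit code" from the comment
LINK_TOKEN_BYTES = 32     # assumed: 256 bits of entropy for the emailed login link


@dataclass
class Challenge:
    secret: str
    expires_at: float
    attempts_left: int
    used: bool = False


class EmailLoginStore:
    """In-memory store of one outstanding email challenge per address."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._challenges: dict[str, Challenge] = {}

    def issue(self, email: str, kind: str) -> str:
        # "code": short numeric PIN typed by the user; "link": long token carried in a URL.
        if kind == "code":
            secret = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        elif kind == "link":
            secret = secrets.token_urlsafe(LINK_TOKEN_BYTES)
        else:
            raise ValueError(f"unknown challenge kind: {kind}")
        self._challenges[email] = Challenge(secret, self._clock() + TTL_SECONDS, MAX_ATTEMPTS)
        return secret

    def verify(self, email: str, presented: str) -> bool:
        ch = self._challenges.get(email)
        # Reject if nothing outstanding, already consumed, expired, or guess budget spent.
        if ch is None or ch.used or self._clock() > ch.expires_at or ch.attempts_left <= 0:
            return False
        ch.attempts_left -= 1                       # every guess, right or wrong, costs one attempt
        if hmac.compare_digest(ch.secret, presented):
            ch.used = True                          # single use: a replayed code/link fails
            return True
        return False


def guess_success_probability(kind: str) -> float:
    """Chance that MAX_ATTEMPTS blind guesses hit the secret before it is burned."""
    space = 10 ** CODE_DIGITS if kind == "code" else 2 ** (8 * LINK_TOKEN_BYTES)
    return MAX_ATTEMPTS / space
```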
cpcallen 9 days ago | parent | next
Did you mean to post this comment at https://news.ycombinator.com/item?id=44819917 ?
mschuster91 9 days ago | parent | prev
I think you misplaced this comment and it belongs here: https://news.ycombinator.com/item?id=44819917