29
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 17 Jul 2026
29 points (100.0% liked)
Open Source
47928 readers
260 users here now
All about open source! Feel free to ask questions, and share news, and interesting stuff!
Useful Links
- Open Source Initiative
- Free Software Foundation
- Electronic Frontier Foundation
- Software Freedom Conservancy
- It's FOSS
- Android FOSS Apps Megathread
Rules
- Posts must be relevant to the open source ideology
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
- !libre_culture@lemmy.ml
- !libre_software@lemmy.ml
- !libre_hardware@lemmy.ml
- !linux@lemmy.ml
- !technology@lemmy.ml
Community icon from opensource.org, but we are not affiliated with them.
founded 7 years ago
MODERATORS
I understand that this is frustrating but it is arguably the right option. If the correct owner can recover the account without TOTP then the TOTP isn't really protecting the account.
Of course there are various ways to authenticate and it can make sense to have authentication to be (username + password + OTP) OR (email verification) but for a lot of people that email verification is a weaker link. It is more secure to only allow the former.
What I wish is that more sites would document their account recovery procedure. Often times they ask for a phone number for verification or notifications and that silently becomes a backdoor into the account. Even better would be if users can select what authentication combos are supported on a per-account basis (there are a few companies with "lockdown" settings that are a simplified version of this).
Of course it then becomes important to make it clear to the user "if you ever loose you X your account is forever lost". It shouldn't be surprise.