A while ago I shared a link to that old article about how someone hijacked the author's Twitter username, and one thing mentioned in the article was how the author was constantly getting bombarded with password reset e-mails. That kind of reinforces my opinion that Mastodon shouldn't allow login-by-username and should stick to login-by-email only.


@Gargron I tend to agree with @anna
It's more of a punishment to those with 2fa and good password hygiene.

I'd certainly love full out smartcard key-pair challenge response.
But I'm not sure if the world is ready for that, and am absolutely certain those that reuse simple passwords are not :{


@Gargron @anna

> I'd certainly love full out smartcard key-pair challenge response

That's already possible in modern browsers supporting WebAuthn: webauthn.guide

@Gargron @anna There's e.g. rubygems.org/gems/webauthn which we recently integrated in a Rails app in my company. Works like a charm.
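As an added illustration of the relying-party side of the WebAuthn challenge response mentioned above (example code, not from the thread, the webauthn gem, or Mastodon): the `authenticatorData` a browser returns from `navigator.credentials.get()` carries the RP ID hash, flags and a signature counter, and the server must check all three before trusting an assertion. The relying party ID `example.com` and the sample byte strings are constructed here; the signature itself is verified separately over `authenticatorData || SHA-256(clientDataJSON)` with the credential's stored public key.

```ruby
require "digest"

# Layout of authenticatorData per the WebAuthn spec:
#   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
RP_ID = "example.com" # assumed relying party ID for this example

FLAG_UP = 0x01 # user present (touched the key / card)
FLAG_UV = 0x04 # user verified (PIN or biometric on the authenticator)

def parse_authenticator_data(bytes)
  raise ArgumentError, "authenticatorData too short" if bytes.bytesize < 37
  {
    rp_id_hash: bytes.byteslice(0, 32),
    flags:      bytes.getbyte(32),
    sign_count: bytes.byteslice(33, 4).unpack1("N"),
  }
end

# Returns the reasons the assertion must be rejected; an empty array means OK.
# stored_count is the signature counter saved after the previous successful login.
def check_assertion(auth_data_bytes, rp_id:, stored_count:, require_uv: false)
  data = parse_authenticator_data(auth_data_bytes)
  problems = []
  # The hash must be of our RP ID, otherwise the assertion was made for another site.
  problems << :rp_id_mismatch unless data[:rp_id_hash] == Digest::SHA256.digest(rp_id)
  problems << :user_not_present if (data[:flags] & FLAG_UP).zero?
  problems << :user_not_verified if require_uv && (data[:flags] & FLAG_UV).zero?
  # A counter that fails to increase points at a cloned authenticator or a replay
  # (the spec only requires the check when either counter is non-zero).
  if data[:sign_count] != 0 || stored_count != 0
    problems << :counter_not_increased unless data[:sign_count] > stored_count
  end
  problems
end

# Builds constructed sample authenticatorData for the checks above.
def build_auth_data(rp_id, flags, count)
  Digest::SHA256.digest(rp_id) + [flags].pack("C") + [count].pack("N")
end

if __FILE__ == $PROGRAM_NAME
  good = build_auth_data(RP_ID, FLAG_UP | FLAG_UV, 42)
  p check_assertion(good, rp_id: RP_ID, stored_count: 41)     # => []
  foreign = build_auth_data("evil.example", FLAG_UP, 43)
  p check_assertion(foreign, rp_id: RP_ID, stored_count: 41)  # => [:rp_id_mismatch]
  stale = build_auth_data(RP_ID, FLAG_UP, 41)
  p check_assertion(stale, rp_id: RP_ID, stored_count: 41)    # => [:counter_not_increased]
end
```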

