Micro.blog

DavidAnson
DavidAnson

@manton @macgenie Is it expected that I can log into the official iOS app on a new device with only an email address and access to that email account? This seems unusual and unlikely to be secure enough for folks like journalists who are actively targeted. Have you folks considered requiring password entry and adding 2FA for people who want increased security? Thanks!

manton
manton

@DavidAnson @macgenie Yep, it's expected. To get into someone's M.b account a journalist's email would have to be hacked, and they will have much bigger problems! But I totally agree — we want to offer another level of security (likely push notifications or text message).

jd
jd

@manton SMS is no longer recommended for 2FA since it's too easy to attack/hijack: www.schneier.com/blog/arch...

TOTP seems reasonable to me.

manton
manton

@jd Thanks, I've heard at least one story of someone's phone number being stolen. Maybe we'll start with a push notification verification for iOS users. Won't cover everyone, but should be relatively secure if your Apple ID hasn't been compromised.

jd
jd

@manton 👍❤️

DavidAnson
DavidAnson

@DavidAnson Agree on the recommendation for TOTP! Very handy and natively supported by 1Password, etc..