DavidAnson

@manton @macgenie Is it expected that I can log into the official iOS app on a new device with only an email address and access to that email account? This seems unusual and unlikely to be secure enough for folks like journalists who are actively targeted. Have you folks considered requiring password entry and adding 2FA for people who want increased security? Thanks!

manton

@DavidAnson @macgenie Yep, it's expected. To get into someone's M.b account a journalist's email would have to be hacked, and they will have much bigger problems! But I totally agree — we want to offer another level of security (likely push notifications or text message).

jd

@manton SMS is no longer recommended for 2FA since it's too easy to attack/hijack: www.schneier.com/blog/arch...

TOTP seems reasonable to me.

manton

@jd Thanks, I've heard at least one story of someone's phone number being stolen. Maybe we'll start with a push notification verification for iOS users. Won't cover everyone, but should be relatively secure if your Apple ID hasn't been compromised.

jd

@manton 👍❤️

DavidAnson

@DavidAnson Agree on the recommendation for TOTP! Very handy and natively supported by 1Password, etc.
