From 1026603aae0cbf763fa1dcd204230329f0386ae1cea85d7cd2758ed3222f581b Mon Sep 17 00:00:00 2001 From: Nicholas Johnson Date: Wed, 5 Feb 2025 00:00:00 +0000 Subject: Replace instances of 'anyways' with 'anyway' 'anyway' is the correct spelling. --- content/entry/re-why-even-let-users-set-their-own-passwords.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'content/entry/re-why-even-let-users-set-their-own-passwords.md') diff --git a/content/entry/re-why-even-let-users-set-their-own-passwords.md b/content/entry/re-why-even-let-users-set-their-own-passwords.md index 39c8da9..9b1dfb0 100644 --- a/content/entry/re-why-even-let-users-set-their-own-passwords.md +++ b/content/entry/re-why-even-let-users-set-their-own-passwords.md @@ -14,7 +14,7 @@ There are several flaws with this email token approach to account security as de First, as Hugo points out, since the alternate login flow (password recovery) only requires the email token, the password not only becomes a pointless inconvenience that increases system complexity with no security benefit, but it also gives the user a false sense that their account is protected using two-factor authentication when it's not. -Even if the email tokens were truly two-factor, most users probably access email from the same device they use to log in to online accounts anyways. So it still wouldn't be "proper" two-factor. +Even if the email tokens were truly two-factor, most users probably access email from the same device they use to log in to online accounts anyway. So it still wouldn't be "proper" two-factor. Second, these email tokens actually give the attacker several more avenues to gain account access, and in ways the user likely isn't considering, doesn't know about, and has no ability to mitigate. Here are a few: 
@@ -32,7 +32,7 @@ Second, these email tokens actually give the attacker several more avenues to ga > "Often this will be combined with fallacious notions such as “remember this device”, the idea being you only have to go through all this the first time when logging in from a particular device. This idea is fallacious because the web has no notion of a “device”, and this is a very intentional design choice made for privacy purposes. We are literally living through the gradual phase-out of third-party cookies, amongst other functionality, specifically to try and prevent this sort of thing, so why do web developers persist in believing in this fiction of a “device”? My own browser erases all cookies from an origin immediately after the last tab from that origin is closed, so these sites are convinced I am logging in from a new “device” every single time, and then demand I respond to one of these challenge emails." -I don't see the "remember this device" terminology as a problem. I think it helps non-technical people understand what's going on while technical people understand what it's doing anyways. +I don't see the "remember this device" terminology as a problem. I think it helps non-technical people understand what's going on while technical people understand what it's doing anyway. My browser also erases cookies, so I also have to log in every time, but this is the desired behavior. -- cgit v1.2.3
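Review bot: in the first hunk (the `@@ -14,7 +14,7 @@` region) the word swap is correct, but the sentence it lands in still leaves the reader to infer why same-device access matters; consider adding a short clause such as "because a compromised device exposes both the login session and the mailbox that receives the token" so the "wouldn't be 'proper' two-factor" conclusion is supported rather than resting on "probably". The diff itself is minimal and touches only the intended word, which is the right scope for a typo-fix commit.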
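Review bot: in the second hunk the quoted passage uses typographic quotes (“remember this device”) while the author's own rewritten line uses straight quotes ("remember this device"); since this line is being edited anyway, pick one convention for the term across the quote and the reply. Otherwise the change is a one-word usage fix with no effect on meaning, matching the commit subject.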