• azertyfun@sh.itjust.works · 24 upvotes · 12 days ago

    99% of websites, even with “2FA” enabled, allow you to reset all login credentials with an email reset. Or worse, an SMS reset.

    AKA it’s all just 1FA, with the password+TOTP just being there for “convenience”, and they trust Gmail’s actual 2FA not to get breached, because if it does then the account is donzo.

    Not that emailing passwords is good, because users won’t change them and are likely to leak them. However, login systems that are just an email with temporary credentials are superior to the standard system with the possibility to reset the password by email, since they’re basically that with less attack surface. The service provider never even has to process the user’s password. Literally the only downside is usability, which can be a worthwhile tradeoff.

    Alternatively one could do OIDC, but the downside is it only works with whichever authentication providers are set up, whereas email registrations work without an intermediary such as Google or Microsoft, which is a big plus in my book and might even be a hard requirement in B2B scenarios.
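The “email with temporary credentials” login the comment argues for, as an added example that is not from the post: a magic-link issuer that stores only a hash of the token (so a leaked table cannot be replayed), expires each token after a short lifetime, and consumes it on first use. The class name, the ten-minute TTL and the injectable clock are my own assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 10 * 60  # assumed lifetime of the temporary credential


class MagicLinkIssuer:
    """Email-only login: the service never sees or stores a user password.

    It issues a random one-time token, remembers only sha256(token) with an
    expiry, and treats a successful redemption as the login event.
    """

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock, for testing expiry
        self._pending = {}              # token_hash -> (email, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        # Only the hash is stored; the raw token exists just in the email link.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        # 256 bits from the OS CSPRNG: unguessable, so a plain hash suffices
        # (no salt or slow KDF needed, unlike for low-entropy passwords).
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (email, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the email the token was issued for, or None if it is
        unknown, already used, or expired. pop() makes it single-use."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None                 # expired tokens are discarded, not honoured
        return email
```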