-
neox
> Re-reading https://thomas-leister.de/en/password-resets/ what's the ecosystem feeling about this? I do prefer in-person talk to verify information. It can be done by XMPP (another account for example) or by email. It works well because we don't have too many accounts on our service, of course.
-
moparisthebest
That's not really doable with a public server, is it? Or at least not helpful
-
croax
I think it's the simplest way to maximize security but also users' frustration. I believe there are good alternatives like: - warn the user by any means of the current request and allow cancellation - add extra delays to the procedure (e.g. 7 days) - allow the user to configure the security level. But this comes with additional work (and flaws?) for the admin.
-
rozzin
moparisthebest: perhaps the more fundamental idea there is just "have *some sort* of relationship between the user and service-operator, beyond just that service itself"?
-
moparisthebest
or, everyone should run their own server
-
mjk
...on their phones!
-
Ellenor Bjornsd.
D:
-
rozzin
moparisthebest: Well, the usual relationship I recommend people pursue for most services is the "paying customer / paid support" relationship.... But "self" is also a relationship....
-
rozzin
But usually I'm making that recommendation within a context like: a friend is saying "someone else got control of my Yahoo! e-mail account and changed my password! What should I do!"
-
moparisthebest
Bend over and kiss your Yahoo account goodbye
-
rozzin
moparisthebest: that particular person ultimately decided "Well, somehow I still have access to use my e-mail through the app on my iPhone, I just can't change my password or log in from my computer..., so I'll just only do e-mail from that one device from now on—and when I trade up for a new phone, then I'll get a new Yahoo account".
-
Noop
Learn how to steal it back, or become a paying customer of someone who can.
-
rozzin
Users make very confusing choices sometimes.