this post was submitted on 16 Apr 2024
65 points (97.1% liked)

Privacy

32165 readers
296 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 
  • I make websites
  • If someone is banned twice (two accounts) I want it to take them more than 5min and a VPN to make a 3rd account
  • I'm okay with extreme solutions, like requiring everyone to have a Yubikey-or-similar physical key
  • I really hate the trend of relying on a phone number or Google capcha as a not-a-bot detection. Both have tons of problems
  • but spam (automated account creation) is a real problem

What kind of auth should I use for my websites?

you are viewing a single comment's thread
view the rest of the comments
[โ€“] [email protected] 2 points 7 months ago* (last edited 7 months ago) (1 children)

[TOTP] Simple to setup / create, doesn't depend on 3rd party ...

Actually I'm worried its a bit TOO easy to create. I don't need a bulletproof/airtight system but what's stopping highschooler from installing bluestacks, downloading the AUTH app, and then handling 10,000 TOTP requests for different bot accounts.

[โ€“] [email protected] 2 points 7 months ago

First, that would be a very targeted attack and the typical bots won't have provisions for a forced TOTP on the first login + account deletion after 5 days if no TOTP is setup.

Second you can make things harder, TOTP should be combines with other anti-burteforce measures, restrict the number of registration on an IP address, add delays here and there to make it annoying etc.