🎉 It is time! #Mastodon 3.2.0 is here! What's in it? Have a look:
> Add e-mail-based sign in challenge for users with disabled 2FA
> If user tries signing in after:
> * Being inactive for a while
> * With a previously unknown IP
> * Without 2FA being enabled
> Require to enter a token sent via e-mail before signing in
@Gargron Aside from requiring the user to do something they opted out of?
* leaking more data to email provider;
* creating problems/annoyances logging in, especially if your email provider is blocked in your country and you have to run Tor or something to access it;
* then there can also be a problem when I'd want to login from a device which has no access to email or such an access is undesirable.
@loganer @tennoseremel Did y'all miss how it only activates if you haven't signed in for a while (2 weeks, to be exact) and only if you're trying to sign in from an IP you haven't signed in from before? Your hijacked account is a liability for the whole network, so no, you don't get a choice about how we safeguard inactive accounts from being hijacked.
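The rule described above (no 2FA, no sign-in for two weeks, and an IP the account has never signed in from) sketched as a decision function plus the e-mailed token check. This is an added illustration in Ruby, not Mastodon's own code: the class names, the 15-minute token lifetime, the token format and the idea of storing only a digest of the token are assumptions; the page only states the three trigger conditions and the two-week window.

```ruby
require 'time'
require 'ipaddr'
require 'securerandom'
require 'digest'

# Constructed policy (not Mastodon's implementation): decide whether a sign-in
# attempt must be challenged with a token sent by e-mail. All three conditions
# from the thread must hold: 2FA disabled, inactive for 2 weeks, unknown IP.
class SignInChallengePolicy
  INACTIVITY_WINDOW = 14 * 24 * 60 * 60 # two weeks, in seconds

  # known_ips: addresses the account has previously signed in from. The page
  # does not say how Mastodon records these; here they are passed in as strings.
  def initialize(two_factor_enabled:, last_sign_in_at:, known_ips:)
    @two_factor_enabled = two_factor_enabled
    @last_sign_in_at = last_sign_in_at
    @known_ips = known_ips.map { |ip| IPAddr.new(ip) }
  end

  def inactive?(now)
    return true if @last_sign_in_at.nil? # never signed in: treat as inactive
    now - @last_sign_in_at > INACTIVITY_WINDOW
  end

  def unknown_ip?(ip)
    addr = IPAddr.new(ip)
    @known_ips.none? { |known| known == addr }
  end

  # :challenge only when every condition holds; a 2FA user is never challenged
  # here because the second factor already covers a stolen password.
  def decide(ip:, now: Time.now)
    return :allow if @two_factor_enabled
    return :allow unless inactive?(now)
    return :allow unless unknown_ip?(ip)
    :challenge
  end
end

# Constructed e-mail token: the plaintext is what gets mailed to the user,
# the server keeps only a SHA-256 digest plus an issue time (TTL is assumed).
class EmailChallenge
  TOKEN_TTL = 15 * 60 # assumed 15-minute lifetime

  attr_reader :token

  def initialize(now: Time.now)
    @issued_at = now
    @token = SecureRandom.hex(16)
    @digest = Digest::SHA256.digest(@token)
  end

  # Rejects expired tokens, then compares digests in constant time.
  def verify(candidate, now: Time.now)
    return false if now - @issued_at > TOKEN_TTL
    secure_equal?(Digest::SHA256.digest(candidate.to_s), @digest)
  end

  private

  # Byte-wise XOR accumulation so the comparison time does not depend on
  # where the first mismatching byte is.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: last sign-in a month ago, from a single known address.
  policy = SignInChallengePolicy.new(
    two_factor_enabled: false,
    last_sign_in_at: Time.utc(2020, 7, 1),
    known_ips: ['203.0.113.5']
  )
  puts policy.decide(ip: '198.51.100.7', now: Time.utc(2020, 7, 31)) # challenge
  challenge = EmailChallenge.new
  puts challenge.verify(challenge.token) # true
end
```

The order of the early returns matters for the user complaints in this thread: the 2FA check comes first, so enabling 2FA is the documented way to opt out of the e-mail challenge, and the IP check comes last, so a returning user on a known address is never mailed even after a long absence.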
@Gargron Which is:
a) rather short;
b) still does what the user opted out of;
c) IP doesn't matter as it changes daily pretty much for everyone.
2 weeks is not hijacked, it's barely a vacation.
I'd expect such a move from big brother companies (you haven't logged in in X amount of time, punishment time), not an open source project.
1. People tend to namesquat on Mastodon (reserve username, stop paying attention indefinitely)
2. People tend to re-use passwords between different websites and often pop up on haveibeenpwned.com
3. People who namesquat often have bad password security and don't bother setting up 2FA
As a result, we've been dealing with a lot of account hijackings on Mastodon. Spammers take over legit looking accounts and transform them into spam.