honey it's 4pm, time for your daily rebase
@Mastodon
That's an impressively huge Changelog! Great work.
@Mastodon 🎉🎉
@Mastodon
> Add e-mail-based sign in challenge for users with disabled 2FA
> If user tries signing in after:
>
> * Being inactive for a while
> * With a previously unknown IP
> * Without 2FA being enabled
> Require to enter a token sent via e-mail before signing in
Eew…(((
@loganer @Mastodon @tennoseremel What’s the problem?
@Gargron Aside from requiring users to do something they opted out of?
Let's see:
* leaking more data to email provider;
* creating problems/annoyances logging in, especially if your email provider is blocked in your country and you have to run Tor or something to access it;
* then there can also be a problem when I'd want to login from a device which has no access to email or such an access is undesirable.
@loganer @tennoseremel Did y'all miss how it only activates if you haven't signed in for a while (2 weeks, to be exact) and only if you're trying to sign in from an IP you haven't signed in from before? Your hijacked account is a liability for the whole network, so no, you don't get a choice about how we safeguard inactive accounts from being hijacked.
@Gargron Which is:
a) rather short;
b) still does what the user opted out of;
c) IP doesn't matter as it changes daily pretty much for everyone.
2 weeks is not hijacked, it's barely a vacation.
I'd expect such a move from big brother companies (you haven't logged in in X amount of time, punishment time), not an open source project.
@tennoseremel @loganer I think you're misunderstanding something. Mastodon sessions don't expire for like, a year. Once you're logged in, you're logged in. This is about displaying a challenge when you try to login from a browser where you don't already have a session.
@tennoseremel @loganer What you have to understand is:
1. People tend to namesquat on Mastodon (reserve username, stop paying attention indefinitely)
2. People tend to re-use passwords between different websites and often pop up on haveibeenpwned.com
3. People who namesquat often have bad password security and don't bother setting up 2FA
As a result, we've been dealing with a lot of account hijackings on Mastodon. Spammers take over legit looking accounts and transform them into spam.
@tennoseremel @loganer I will do no such thing. Enabling 2FA requires a TOTP app, and a TOTP token is then required on every new login, not a heuristic like suspiciousness. This isn't 2FA.
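The exchange above describes the challenge policy (no 2FA, no sign-in for 2 weeks, previously unseen IP) and distinguishes it from TOTP. The following is an added illustration in Ruby, not Mastodon's own code: it implements that decision plus a minimal e-mailed-token flow (store only a hash of the token, expire it, accept it once, compare in constant time). The 2-week threshold comes from the thread; the 30-minute token lifetime, the in-memory `store`, and the user hash fields are assumptions made for the example.

```ruby
require 'securerandom'
require 'openssl'

INACTIVITY_THRESHOLD = 14 * 24 * 60 * 60   # 2 weeks, the figure stated in the thread
TOKEN_TTL            = 30 * 60             # assumption: token valid for 30 minutes

# Policy from the thread: challenge only when the user has no TOTP,
# has not signed in for INACTIVITY_THRESHOLD, and arrives from an unknown IP.
# `user` is an assumed hash: { otp_enabled:, last_sign_in_at:, known_ips: }
def challenge_required?(user, ip, now = Time.now)
  return false if user[:otp_enabled]   # TOTP users get a TOTP prompt, not this heuristic

  last = user[:last_sign_in_at]
  inactive   = last.nil? || (now - last) > INACTIVITY_THRESHOLD
  unknown_ip = !user[:known_ips].include?(ip)
  inactive && unknown_ip
end

# Issue a one-time token. Only its SHA-256 digest and expiry are stored;
# the plaintext is returned so the caller can e-mail it to the user.
def issue_challenge(store, user_id, now = Time.now)
  token = SecureRandom.hex(16)
  store[user_id] = {
    digest:     OpenSSL::Digest::SHA256.hexdigest(token),
    expires_at: now + TOKEN_TTL
  }
  token
end

# Constant-time comparison of two equal-length strings (avoids timing leaks).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify the submitted token: must exist, be unexpired, match, and is consumed on success.
def verify_challenge(store, user_id, submitted, now = Time.now)
  rec = store[user_id]
  return false if rec.nil? || now > rec[:expires_at]

  ok = secure_equal?(OpenSSL::Digest::SHA256.hexdigest(submitted.to_s), rec[:digest])
  store.delete(user_id) if ok   # single use
  ok
end

if __FILE__ == $PROGRAM_NAME
  store = {}
  user  = { otp_enabled: false,
            last_sign_in_at: Time.now - 20 * 24 * 3600,
            known_ips: ['203.0.113.5'] }   # constructed sample data
  if challenge_required?(user, '198.51.100.7')
    token = issue_challenge(store, 42)
    puts "Would e-mail token #{token}; verify => #{verify_challenge(store, 42, token)}"
  end
end
```

Note that the sign-in from a known IP, or within the 2-week window, never reaches `issue_challenge`, which is the point Gargron makes about established sessions and familiar devices; TOTP users are excluded entirely because they already answer a stronger, unconditional prompt.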
@Mastodon
Good grief! I'm late!!
@Mastodon "Album art is automatically extracted from audio files"
oh that's nice