• DacoTaco@lemmy.world
        link
        fedilink
        arrow-up
        4
        ·
        8 months ago

        Depends, some ask for the email used for the registration, the others ask for a username. Incase of the username, its a 2fa! Something you know ( username ) and something you have ( access to the registered email’s inbox )!

        … Its still a shit security design. Better to have username, pass and a security key hehe

        • VeganCheesecake@lemmy.blahaj.zone
          link
          fedilink
          arrow-up
          1
          ·
          8 months ago

          Hmh, I guess, though I feel this is a bit more complicated. What if you can look up the username in the registration mail sent to the inbox? Or it’s a site that uses email addresses as usernames? Is it knowing if said knowledge is inferrable from the thing you have?

          • DacoTaco@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            8 months ago

            I think you got it wrong what i meant (?)
            Imagine i register on a website with my username ( DacoTaco ) and email ( someEmail@domain.com ). When i want to reset my password and click the “forgot password” link, it would ask my username, not my email address (something i know) and send me an email ( to someEmail@domain.com ) without reporting what email it sent it too. That way it could be considered a separate identity factor i think (access to the mailbox, something you have ).
            Websites generally dont work this way, i know. But thats how id implement it :')

            • VeganCheesecake@lemmy.blahaj.zone
              link
              fedilink
              arrow-up
              2
              ·
              8 months ago

              Thanks for clarifying. I was mostly trying to apply that scenario to a likely real world one, but there’s definitely cases in which it could be two factor.

      • AndrasKrigare@beehaw.org
        link
        fedilink
        arrow-up
        3
        ·
        8 months ago

        Shit, are we getting to that point where all non-password logins are “2fa” like how all denial of services are “DDoS”