Eugen RochkoSep 17, 2019

Brainstorming with @[email protected] how the account migration feature could be safeguarded against someone who's unrightfully gained access to your account, like with those people who didn't have 2FA on and re-used passwords.

Since attackers usually just try e-mail/password combinations from data dumps, they may not actually have access to the e-mail inbox, so requiring an e-mail confirmation for such an action (as well as account deletion) would probably be a good step.

#mastodev

Show threadMike [SEC=OFFICIAL]
@Gargron @Thib time delay from the request to the execution, or allowing account holder to nominate a specific time window where it's permitted, to prevent a dump happening while you're asleep?
Sep 17, 2019 at 12:06pmWeb
Show threadvitriaSep 17, 2019
@mike @Gargron @Thib
+ a delay between password changes and allowing account migration ?
To avoid the case when the attacker login, change the password to deny access to the account and then migrate the account ?