Brainstorming with @[email protected] how the account migration feature could be safeguarded against someone who's unrightfully gained access to your account, like with those people who didn't have 2FA on and re-used passwords.

Since attackers usually just try e-mail/password combinations from data dumps, they may not actually have access to the e-mail inbox, so requiring an e-mail confirmation for such an action (as well as account deletion) would probably be a good step.

#mastodev

@Gargron @Thib You can also enforce a time delay, with a banner on the (old account's) web ui the whole time. Wouldn't work if someone only uses third-party apps, though.
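Both safeguards discussed in the thread, the e-mail confirmation from the first post and the time delay with a cancellable banner from the reply, can be combined into a single gate in front of any sensitive account action. The Ruby below is an added example, not Mastodon's code: the mailer queue, the clock and the account record are constructed stand-ins, and the token lifetime and cooldown values are assumptions rather than project settings.

```ruby
require 'securerandom'
require 'digest'

# Added example (not Mastodon's code): gate a sensitive account action such as
# a migration or deletion behind (1) a single-use token sent to the e-mail on
# file and (2) a cooldown during which the old account can still cancel. The
# mailer, clock and account record are constructed stand-ins; the TTL and
# cooldown values are assumptions, not project settings.
class SensitiveActionGate
  TOKEN_TTL = 24 * 60 * 60   # e-mail link usable for 24 h (assumed value)
  COOLDOWN  = 72 * 60 * 60   # action applied 72 h after confirmation (assumed value)

  Request = Struct.new(:id, :account, :action, :token_digest, :requested_at,
                       :confirmed_at, :cancelled, :applied, keyword_init: true)

  attr_reader :outbox

  # The clock is injectable so the delays can be exercised without waiting.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @requests = {}
    @outbox = []   # constructed stand-in for the mailer queue
  end

  # Step 1: the request only records intent and mails a token. A stolen
  # password or session alone cannot complete it; that is the e-mail check.
  def request(account, action)
    token = SecureRandom.urlsafe_base64(32)
    req = Request.new(id: SecureRandom.uuid, account: account, action: action,
                      token_digest: Digest::SHA256.hexdigest(token),
                      requested_at: now, confirmed_at: nil,
                      cancelled: false, applied: false)
    @requests[req.id] = req
    @outbox << { to: account[:email], request_id: req.id, token: token }
    req.id
  end

  # Step 2: the mailed token confirms the request. Only its digest is stored,
  # so reading the table does not yield a usable token.
  def confirm(request_id, token)
    req = @requests[request_id]
    return :unknown unless req
    return :cancelled if req.cancelled
    return :expired if now - req.requested_at > TOKEN_TTL
    return :bad_token unless secure_compare(req.token_digest, Digest::SHA256.hexdigest(token))
    req.confirmed_at ||= now
    :confirmed
  end

  # Step 3: the old account's web UI renders a banner for each pending request
  # and offers cancellation for as long as the cooldown runs.
  def pending_for(account)
    @requests.values.select { |r| r.account == account && !r.cancelled && !r.applied }
  end

  def cancel(request_id)
    req = @requests[request_id]
    return false if req.nil? || req.applied
    req.cancelled = true
    true
  end

  # Step 4: the action is applied only once confirmed and past the cooldown.
  def apply(request_id)
    req = @requests[request_id]
    return :unknown unless req
    return :cancelled if req.cancelled
    return :unconfirmed unless req.confirmed_at
    return :cooling_down if now - req.confirmed_at < COOLDOWN
    req.applied = true
    :applied
  end

  private

  def now
    @clock.call
  end

  # Constant-time comparison of two equal-length hex digests.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

The request, confirm and apply steps are deliberately separate calls: a session that can only reach the first one gains nothing, and the reply's caveat about third-party-app-only users is the reason the pending list is exposed as data rather than tied to a web view, so a client API can surface the same banner.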