You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -82,10 +82,10 @@ Again, I'm fine with telling the user if the email is valid or not.
Login throttling and rate limiting would be pretty similar to login and will be based on both email and IP addresses. Add a Captcha if necessary.
I think both single-use OTPs and links work and their expiration will be similar to email verification. I would hash the code or token just to be safe, especially since it's not really hard.
Both single-use OTPs and links work and their expiration will be similar to email verification. I would hash the code or token just to be safe, especially since it's not really hard.
2FA should be required even for password resets.
## Did I miss anything?
Let me know on Twitter or Discord if there's anything I should add to the post.
Let me know on Twitter or Discord if there's anything I should add to the post!
