Discussion
Sherri W (SyntaxSeed)
@syntaxseed@phpc.social · 2 weeks ago

All I do all day is enter passwords and 2FA codes.

#WebDev #security #opsec

Sherri W (SyntaxSeed)
@syntaxseed@phpc.social replied · 2 weeks ago

The countdown in 2FA code apps that shows you how long until the code refreshes is, low-key, kind of stressful.

Who decided 30 seconds was the standard?

When you open it and the little progress bar around the circle is 3/4 of the way around... do you race it, or wait for the new one?? If only I didn't routinely have to do this 15 times a day... 😆

#security #2fa

Alda Vigdís
@alda@topspicy.social replied · 2 weeks ago

@syntaxseed I also doubt a 30 second limit with no way to extend it is compliant with WCAG.

Terence Eden
@Edent@mastodon.social replied · 2 weeks ago

@alda @syntaxseed
There's no limit to the number of seconds it can be. The spec recommends 30, but also says that implementations should accept the previous and next codes. To be fair, most websites will let you type in the last code.

But you can absolutely have a 5 minute code.

https://shkspr.mobi/blog/2025/02/the-least-secure-totp-code-possible/

Sherri W (SyntaxSeed)
@syntaxseed@phpc.social replied · 2 weeks ago

@Edent @alda Wow, great write-up. I didn't realize so many of the parameters come from the QR code!

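A worked version of what Terence and Sherri describe above (the period is one of the otpauth URI parameters the QR code carries, and a verifier accepts the previous and next step as well as the current one), added here as an example that is not from the thread or from the linked post. The secret is the RFC 6238 test key; the enrolment URI and the 300 second period are constructed for the example.

```python
import base64
import hmac
import struct
from urllib.parse import parse_qs, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, period: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: the HOTP counter is the number of whole periods since the Unix epoch."""
    return hotp(secret, at // period, digits, algorithm)


def verify_totp(secret: bytes, code: str, at: int, period: int = 30, digits: int = 6,
                algorithm: str = "sha1", window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side (previous and next code).

    With the default 30 s period and window=1 a code is usable for up to 90 s, which is
    why racing the progress bar is rarely necessary; a larger window widens replay exposure.
    """
    step = at // period
    return any(hmac.compare_digest(hotp(secret, step + d, digits, algorithm), code)
               for d in range(-window, window + 1))


def parse_otpauth(uri: str) -> dict:
    """Read secret, period, digits and algorithm out of an otpauth:// URI (what the QR code carries)."""
    q = parse_qs(urlparse(uri).query)
    b32 = q["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)  # QR-code secrets usually omit base32 padding
    return {
        "secret": base64.b32decode(b32),
        "period": int(q.get("period", ["30"])[0]),
        "digits": int(q.get("digits", ["6"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].lower(),
    }


# Constructed enrolment URI: RFC 6238 test secret "12345678901234567890" with a
# 300 second period, i.e. the "5 minute code" from the thread.
SLOW_URI = "otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&period=300&digits=6"

if __name__ == "__main__":
    p = parse_otpauth(SLOW_URI)
    print(totp(p["secret"], 59, p["period"], p["digits"], p["algorithm"]))  # → 755224, unchanged until t=300
```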