Depends, some ask for the email used for the registration, the others ask for a username. Incase of the username, its a 2fa! Something you know ( username ) and something you have ( access to the registered email’s inbox )!
… Its still a shit security design. Better to have username, pass and a security key hehe
Hmh, I guess, though I feel this is a bit more complicated. What if you can look up the username in the registration mail sent to the inbox? Or it’s a site that uses email addresses as usernames? Is it knowing if said knowledge is inferrable from the thing you have?
I think you got it wrong what i meant (?)
Imagine i register on a website with my username ( DacoTaco ) and email ( someEmail@domain.com ). When i want to reset my password and click the “forgot password” link, it would ask my username, not my email address (something i know) and send me an email ( to someEmail@domain.com ) without reporting what email it sent it too. That way it could be considered a separate identity factor i think (access to the mailbox, something you have ).
Websites generally dont work this way, i know. But thats how id implement it :')
Thanks for clarifying. I was mostly trying to apply that scenario to a likely real world one, but there’s definitely cases in which it could be two factor.
But you only need one factor, access to your inbox?
So it’s more like SSO authentication
SSO without 2FA
Unless your email has 2fa?
Depends, some ask for the email used for the registration, the others ask for a username. Incase of the username, its a 2fa! Something you know ( username ) and something you have ( access to the registered email’s inbox )!
… Its still a shit security design. Better to have username, pass and a security key hehe
Hmh, I guess, though I feel this is a bit more complicated. What if you can look up the username in the registration mail sent to the inbox? Or it’s a site that uses email addresses as usernames? Is it knowing if said knowledge is inferrable from the thing you have?
I think you got it wrong what i meant (?)
Imagine i register on a website with my username ( DacoTaco ) and email ( someEmail@domain.com ). When i want to reset my password and click the “forgot password” link, it would ask my username, not my email address (something i know) and send me an email ( to someEmail@domain.com ) without reporting what email it sent it too. That way it could be considered a separate identity factor i think (access to the mailbox, something you have ).
Websites generally dont work this way, i know. But thats how id implement it :')
Thanks for clarifying. I was mostly trying to apply that scenario to a likely real world one, but there’s definitely cases in which it could be two factor.
Shit, are we getting to that point where all non-password logins are “2fa” like how all denial of services are “DDoS”