Comment by erikerikson
24 days ago
Instead they took away TOTP as a factor.
Scaling security with the popularity of a repo does seem like a good idea.
Are there downsides to doing this? This was my first thought - though I also recognize that first thoughts are often naive.
You don't want "project had X users so it's less safe" to suddenly transition into "now this software has X*10 users so it has to change things", it's disruptive.
TOTP, although venerable, was better than no second factor at all.
TOTP isn't phishing resistant
No it's not but it's better than nothing. Don't let the perfect be the enemy of the good.
It's not much better than nothing. It basically solves "I reused my password across sites" exclusively, that's it. If you're going to go through the effort of TOTP, it seems odd that you wouldn't just use a unique password.
If you use a unique password it's questionable if it adds any value at all. Perhaps in very niche situations like "password authentication is itself vulnerable due to a timing attack/bug" or some such thing... but we've rarely seen that in the wild.
TOTP seems effectively useless for npm so that seems fine to me