My account for Slate Auto does not have a password; I type in my email address that they have on file for me and they email me a one-time secure code (or I could have set it up with my phone number to receive a text of the code).
I rather prefer having a code sent to me, and I wonder why more sites don’t do it that way. Is it less secure?
p.s. I suppose it is probably less secure that 2-factor authorization, but that’s not what I’m asking.
I see more websites all the time are adopting that approach. It’s a relatively new fashion in website design that’s still catching on.
Because it’s more secure than a dumb password like “Password”. And it’s more convenient for end users now that the customers they care about (those under age ~40) do everything on their phone, not on a primitive geezer PC or Mac like you or me.
But it’s arguably much less secure than a real password like “aTf*4jy2Mzxv^4yGexpi”.
And it’s definitely less secure than 2FA of a complex PW and a code sent via email or SMS.
When they use an SMS text of a one-time code as the only authentication, in effect that moves the security boundary from “Does somebody else know your secret password?” to “Does somebody else have your phone?” That’s a different kind of risk profile.
When they use an email of a one-time code as the only authentication, in effect that moves the security boundary from “Does somebody else know your secret password?” to “Does somebody else have your phone, OR access to your email?” That’s an even worse kind of risk profile.
Unfortunately, even if you use a different password on every site, the only one that really matters is your email password. When an attacker has that, they can click on “I forgot my password” on almost every other site and read the reset link that gets emailed to you.
True, but how common really is that sort of multi-step targeted attack? Most security breaches (at least the ones I hear about) seem to be mass hacking thefts of database contents, which data is then made available for sale (on the “dark web” I guess). How often does it happen that a particular person is targeted with that kind of research? And wouldn’t that sort of thing be most likely to happen to someone who is notable for some reason, either because they have lots of money, or they make a useful target in some other way? (These are genuine questions, by the way, I don’t know the answers.)
I receive on average 1 or 2 scam emails each day, which are only sent to me because my email address was stolen from some database somewhere and sold to the hopeful scammers. That’s the closest I have come (so far, knock wood) to suffering from any attempted scam. As a pretty anonymous one among billions, how worried do I have to be?
What is the difference between the typical 2-factor authorization, and having a code sent to you email.?
In my experience, the typical 2-factor system is just a code sent to my phone number, which I then type back into the website.
(This scares me so much that I told me bank to never allow a transfer of money from my savings accounts unless I physically sign a paper form at the branch.
My worry is that if my phone gets stolen, the thief would see my bank branch in my contacts, phone them, return the 2FA code and transfer all my money to his account .)
No it’s not. Anybody with access to your email can initiate a password reset flow. The email OTP pattern came from a sites realizing a decent chunk of their users using the password reset flow as their default flow. The email OTP is essentially turning the password reset flow to become the default flow instead. Usually, a lot of sites will have a tiny text link where you can login with a password instead so the previous password flow now becomes the alternate flow.