Yep. Binding 2FA flows to email is risky business for a lot of reasons, but registrar incompetence might be the spookiest thing of all.
Same reason I dislike SMS-based 2FA, or worse, SMS/email-based 1FA codes.
You don't truly own your cell number or domain. Meanwhile, passkeys are certainly hardware I own; likewise, my TOTP codes are stored and calculated locally.