Transcript
A tumblr post saying "i really like this thing where websites will have separate “log in” & “sign up” buttons and if you click “log in” it takes you to a sign-up screen anyway so you have to click “i already have an account” and then it will ask if you want to sign in with your facebook account or with instagram or linkedin or deviantart or whatever, and if you choose “username & password” it asks if you want to put in your username or use your thumbprint, and once you put your username & password it emails you a confirmation code, and once you put in the code it says “do you want to give us your phone number for future sign-ins? do you want to sign up for facial recognition? do you want to give us your bones? give us your fucking bones?”
Urgh, that’s probably the worst part.
I don’t mind mail-based 2FA. However, since I see “random sites have your phone number” as a bigger threat than “skript kiddo might hack your password”, if the 2FA must use my phone number, I’ll genuinely think if I really need an account in that site, and probably give up.
All sites should support TOTP, fuck email/sms OTPs, and especially fuck sites that think being “passwordless” but sending a code to my email is secure.