I've had conflicting advice about complete transparency - if we give the entire algorithm, then that helps attackers find the exact surface that will get them in, so we don't publish the full ruleset we use. Here's an example of some inputs that go into it though: we store a cryptographic token in a cookie which tells us the first time your account successfully authenticated from a computer. If we have a history of you using the same computer over multiple years, that's different than a new computer. But cookies can be cloned, so it's only a signal, not proof in itself. If it's from the same IP address as multiple successful logins in the past, that's a signal. We're not the only site that uses methods like this to help identify people when they've lost their password. People make mistakes. Taking a hard line "you lose your password, you lose your entire email account with all its history, and you don't get your money back either" might sound attractive to a certain demographic. They are not the bulk of our userbase. Even locking people out for 24 hours is a pretty big imposition that you want to avoid if you're really confident (algorithmically) that it's the same person. If people in the "security is more important than easy recovery" demographic haven't turned on 2FA yet, then they certainly haven't signaled that they want things locked down in case of doubt. Even of those who HAVE turned on 2FA, you'd be surprised at how many lose one or both of their factors. It's easy to say "I won't mess up", but people do. Which is why our post today says in bold "If that happens, you will lose access to your account permanently."
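The two signals the comment describes (a server-signed cookie recording the first successful authentication from a device, and whether the requesting IP matches past successful logins), as an added illustration that is not the commenter's code or their site's actual ruleset. The HMAC token format, the server key, the weights and the sample IPs are all constructed here; the point is that a forged or cloned cookie fails verification or only contributes a signal, never a decision on its own.

```python
import base64
import hashlib
import hmac
import json

# Constructed key for this example only; a real deployment keeps it in a secret store.
SERVER_KEY = b"example-only-server-key"


def mint_device_token(first_auth_ts: int, account_id: str) -> str:
    """Cookie value: urlsafe_b64(payload) '.' urlsafe_b64(HMAC-SHA256(payload))."""
    payload = json.dumps({"acct": account_id, "first_auth": first_auth_ts},
                         separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(tag).decode())


def parse_device_token(token: str, account_id: str):
    """Return the first-auth timestamp if the token is authentic for this account, else None."""
    try:
        p64, t64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time; rejects tampered/forged tags
        return None
    data = json.loads(payload)
    if data.get("acct") != account_id:            # token from another account is worthless here
        return None
    return int(data["first_auth"])


def recovery_signals(token, account_id, request_ip, past_login_ips, now):
    """Combine signals into a score. A valid token is still only a signal: cookies can be cloned."""
    first_auth = parse_device_token(token, account_id) if token else None
    years = (now - first_auth) / (365 * 86400) if first_auth is not None else 0.0
    signals = {
        "device_known": first_auth is not None,
        "device_years": round(years, 2),
        # "same IP as multiple successful logins in the past"
        "ip_seen_before": past_login_ips.count(request_ip) >= 2,
    }
    score = 0
    if signals["device_known"]:
        score += 1
        if years >= 1:          # multi-year history weighs more than a fresh cookie
            score += 1
    if signals["ip_seen_before"]:
        score += 1
    signals["score"] = score
    return signals
```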