by eldavido 5062 days ago
Two-factor authentication is a good step, a better one is to completely outsource authentication to a third-party single sign-on provider (Google, Facebook, Twitter). It's a little more work upfront than a standard username/password box, but you get out of a ton of annoying hassles by doing this, including email verification, account suspension, enforcing password rotation/complexity, and building two-factor authentication flows into your app.

No, it's not better. If one's Google account gets hacked, the hacker can access all the sites, including yours. SSO offers good UX but not security.
Well, it leans on the fact that it is more likely that Google has good security and that your web app will probably never reach that kind of security. It also works the other way around: someone's web app gets hacked (which is far more likely) and the same password is used for Google; you get the same end result, but then it is YOUR fault, and not Google's.
Isn't this typically the case anyways? A hacker with access to your email account can just use the password reset mechanism to get a sign-in link to your other web sites.
Yes! It is the typical situation. That's where 2-factor auth comes in.
"Have email, lost phone- help me" -Mallory
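The chain the last few comments describe (control of the inbox, then a password-reset link, then the account) can be shown in code. The following is an added example written for this page, not code from any commenter or from Hacker News: a minimal reset flow in which the token is stored only as a hash, is single use and expires, and, when the account has a TOTP second factor enrolled, cannot complete without a correct code. The class and function names, the sample accounts, and the timestamps are assumptions made for the illustration; the TOTP routine follows RFC 6238 with HMAC-SHA1 and is checked against that RFC's published test vector.

```python
# Added example (not from the HN thread): a minimal password-reset flow showing
# why controlling the victim's inbox is enough to take over an account unless a
# second factor gates the reset. All names and sample accounts are assumptions.
import hashlib
import hmac
import secrets
import struct

RESET_TTL = 15 * 60   # reset links stay valid for 15 minutes
TOTP_STEP = 30        # RFC 6238 time step in seconds


def totp(secret, now, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `now`."""
    counter = struct.pack(">Q", now // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret, code, now, window=1):
    """Accept the current step plus `window` steps either side for clock drift."""
    return any(hmac.compare_digest(totp(secret, now + k * TOTP_STEP), code)
               for k in range(-window, window + 1))


def hash_password(password):
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Account:
    def __init__(self, email, password, totp_secret=None):
        self.email = email
        self.password_hash = hash_password(password)
        self.totp_secret = totp_secret   # None: no second factor enrolled
        self.reset_token_hash = None     # only a hash of the reset token is kept
        self.reset_expires = 0


class UserStore:
    def __init__(self):
        self.accounts = {}

    def add(self, acct):
        self.accounts[acct.email] = acct


def request_reset(store, email, now):
    """Mint a reset token and return it (a real app would email it).
    Unknown addresses get None so the endpoint does not reveal which exist."""
    acct = store.accounts.get(email)
    if acct is None:
        return None
    token = secrets.token_urlsafe(32)
    acct.reset_token_hash = hashlib.sha256(token.encode()).digest()
    acct.reset_expires = now + RESET_TTL
    return token


def complete_reset(store, email, token, new_password, now, totp_code=None):
    """Set a new password if the token is valid, unexpired and unused and, when
    the account has a second factor, a correct TOTP code accompanies it."""
    acct = store.accounts.get(email)
    if acct is None or acct.reset_token_hash is None:
        return False
    if now > acct.reset_expires:
        acct.reset_token_hash = None
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(),
                               acct.reset_token_hash):
        return False   # wrong token: keep the real one, or anyone could void it
    acct.reset_token_hash = None   # a correct token is single use, success or not
    if acct.totp_secret is not None:
        if totp_code is None or not verify_totp(acct.totp_secret, totp_code, now):
            return False   # inbox holder still lacks the second factor
    acct.password_hash = hash_password(new_password)
    return True


def takeover_via_inbox(store, email, now):
    """Mallory controls the victim's inbox: she requests a reset, reads the
    token from the mail, and tries to finish the reset with no second factor."""
    token = request_reset(store, email, now)
    if token is None:
        return False
    return complete_reset(store, email, token, "mallory-owns-this", now + 5)


if __name__ == "__main__":
    store = UserStore()
    store.add(Account("alice@example.com", "hunter2"))
    store.add(Account("bob@example.com", "correct horse",
                      totp_secret=b"12345678901234567890"))
    now = 1_700_000_000
    print("alice (email only) taken over:", takeover_via_inbox(store, "alice@example.com", now))
    print("bob (email + TOTP) taken over:", takeover_via_inbox(store, "bob@example.com", now))
```

With only an email address on file, the reset link is the account, which is the point made above; enrolling a second factor and requiring it at reset time is what breaks the chain, and the same gating has to be applied to any other recovery path (support tickets, backup codes) or the attacker simply picks the weakest one.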