Hacker Neue

Preferences
docmars parent
It isn't a free service -- only during the alpha you get access to an "Individual" account which would normally run $20/mo once the test period is over.

https://exe.dev/docs/pricing

notepad0x90
Yes, it should be paid of course. Matter of fact, please charge me more for the privilege of not being asked email,phone, credit cards. Just take my money, and feel free to take whatever steps you think are needed to make sure abuse isn't taking places. I champion requiring a "deposit" where if abuse took place the user would forfeit it.

But, my original comment is strictly about email. Even if you asked for a government-id and credit-card payment, I won't object. Just please, no email!

docmars OP
I think that leaves: how would you prefer to recover your account if you lost access?
notepad0x90
same way I would with my email provider. But I'd expect a recovery code of some sort that i could save.

How would you normally recover an account? Email? So, if my email is compromised, everything gets compromised? That's not sane at all. You should normally have MFA, and if you can recover your MFA/2FA with email, it's just an over-engineered inconvenience. The way it's done right, the MFA recovery code servers as a general account recovery code as well. You save that somewhere safe and offline.

In this case, they use ssh public keys, so there is no need for all that, just add a spare public key to authorized_keys, and keep it's private key offline and safe, ideally in an HSM.

This is a service for technical people, so all that works, for general consumer service, you give them a choice. Either they choose to use a recovery key, a recovery email/phone...or recovery via payment. Let them pay $1 for recovery, proving they control the original method of payment (KYC not crypto). But if nothing else, users should be able to choose recovery code instead of email. It's more secure, because you're not relying on a 3rd party service to also be secure. I don't like them much, but recovery questions have also been used, but if you think about it, those are not that different from recovery codes, they're just more guessable.

Recovery codes aren't one string, they're usually multiple, so if users chose, they can split up their storage. For added reliability, you can require validation of recovery codes periodically, after a successful sign-in.

docmars OP
Thanks for explaining! I was mainly curious what viable alternatives there would be for the average user, and I think your suggestions are sound. Even technical folks wants things to feel as frictionless as possible.

The nice thing about recovery codes is being able to store them securely in a password manager alongside any other entries for the service.

The downside is they're easy to leak (or lose), so the added factors in requiring access to email (also with its own 2FA) are lost in a system like this, if whatever you're managing is mission critical. I wouldn't want to make that kind of bet, personally.

notepad0x90
> , personally.

I get it, that's why I advocate letting users choose. Especially with a technical audience, treating them like they can't be trusted to make mission critical choices is not good.

lane776 (dead)

This item has no comments currently.

Keyboard Shortcuts

Story Lists

j
Next story
k
Previous story
Shift+j
Last story
Shift+k
First story
o Enter
Go to story URL
c
Go to comments
u
Go to author

Navigation

Shift+t
Go to top stories
Shift+n
Go to new stories
Shift+b
Go to best stories
Shift+a
Go to Ask HN
Shift+s
Go to Show HN

Miscellaneous

?
Show this modal