Blog - Daniel Huang

We replaced passwords with something worse

Too many services have been using the following login method:

Enter an email address or phone number
The website will send a 6-digit code
Use the 6-digit code to log in

Please stop.

This is terrible for account security:

An attacker can simply send your email address to a legitimate service, and prompt for a 6-digit code. You can't know for sure if the code is supposed to be entered in the right place. Password managers (a usual defense against phishing) can't help you either.
In fact, this attack method has been successfully used in the wild: Microsoft's login for Minecraft accounts use this login method, and many accounts have been stolen already.

All Blog Posts

Have any questions or feedback, or just want to say hi? Email me at [email protected]!