Ask HN: Why isn't time more a part of account recovery?
1•jmward01•1h ago
I don't have a blog so I don't have some polished think piece on this, just an honest question to the HN crowd. Why isn't it standard practice to have a 'reset cool-down' or something similar on accounts? I want to be able to say have X + Y = primary auth but backup Z (which is presumably less secure) is allowed only a successful login means a 48 hour cool down before you can fully log in (and presumably fix your primary auth mechanism). I am thinking of doing this for a site but don't see it as a best practice and was wondering why.
Comments
1970-01-01•1h ago
Same reason we don't have IPv6 everywhere. It's too hard to for most devs to implement it into whatever they're already living with.
1970-01-01•1h ago