(Topic ID: 312320)

Two-Factor Authentication (2FA)

By jp1985

2 years ago



Topic Stats

  • 108 posts
  • 43 Pinsiders participating
  • Latest reply 2 years ago by joetechbob
  • Topic is favorited by 5 Pinsiders




    You're currently viewing posts by Pinsider joetechbob.

    #52 2 years ago
    Quoted from robin:

    I created a quick first version today of a more secure login. This first version works by sending a one-time login code to your registered e-mail address. This is not entirely secure of course (and not really 2-factor) but it would have stopped that scammer today and is also the simplest and cheapest solution to implement. It also doesn't require Pinside asking for your phone number. That said, I'm still planning a real two-factor option (SMS or Google Authenticator/Authy) for people who want their accounts really secure. Remember, getting your account broken into is also bad for your own rep!
    I'm considering this added security to be mandatory for everybody. It would only appear when logging in from a new IP address OR when logging in after a

    Sounds pragmatic, effective and easy to use. Ship it
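    The e-mail login code robin describes above is easy to get subtly wrong server-side. The following is an added example (not Pinside's code, and not from any poster) of how such a one-time code is typically issued and checked: the code is random, only a salted hash of it is stored, it expires, it can be used once, and a handful of wrong guesses burns it. The store, the ten-minute lifetime and the five-attempt limit are assumptions chosen for the example; delivery of the code by e-mail is outside the snippet.

```python
"""Hypothetical e-mail one-time login code flow (added illustration, not Pinside's code).

Assumptions: a server-side store keyed by user id; the code is sent to the user's
registered e-mail by code not shown here; all names and policy values are invented.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

CODE_DIGITS = 6
CODE_TTL_SECONDS = 10 * 60      # assumed policy: a code is valid for ten minutes
MAX_ATTEMPTS = 5                # assumed policy: after five wrong guesses the code is dead

# In-memory store for the example; a real deployment would use the session/DB layer.
# Maps user_id -> {"digest": bytes, "salt": bytes, "expires": float, "attempts": int}
_pending: Dict[str, dict] = {}


def _digest(salt: bytes, code: str) -> bytes:
    # Store only a salted hash so a leaked table of pending codes is useless on its own.
    return hashlib.sha256(salt + code.encode()).digest()


def issue_code(user_id: str, now: Optional[float] = None) -> str:
    """Create a fresh code for user_id and return it for delivery by e-mail.

    Issuing a new code replaces any earlier pending code for the same user.
    """
    now = time.time() if now is None else now
    # secrets.randbelow is a CSPRNG draw; zero-pad so every code has CODE_DIGITS digits.
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    salt = secrets.token_bytes(16)
    _pending[user_id] = {
        "digest": _digest(salt, code),
        "salt": salt,
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(user_id: str, submitted: str, now: Optional[float] = None) -> bool:
    """Return True exactly once for the correct, unexpired code; False otherwise."""
    now = time.time() if now is None else now
    entry = _pending.get(user_id)
    if entry is None:
        return False                      # nothing pending (never issued, or already used)
    if now > entry["expires"]:
        del _pending[user_id]             # expired codes are discarded, not kept around
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del _pending[user_id]             # too many guesses: the user must request a new code
        return False
    # Constant-time comparison so timing does not leak how much of the digest matched.
    ok = hmac.compare_digest(entry["digest"], _digest(entry["salt"], submitted))
    if ok:
        del _pending[user_id]             # single use: replaying the same code fails
    return ok


if __name__ == "__main__":
    c = issue_code("demo-user")
    print("would e-mail:", c)
    print("first use:", verify_code("demo-user", c))
    print("replay:", verify_code("demo-user", c))
```

    The attempt counter is what makes a six-digit code acceptable: with five guesses against a million possibilities an attacker who intercepts nothing has a 0.0005% chance per code. It does nothing against an attacker who can read the mailbox, which is the limitation robin already acknowledges.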

    #55 2 years ago
    Quoted from swampfire:

    Please don’t use the IP address. I use a VPN, and my IP is always changing (though I usually pick a US address).
    I own customer identity management (CIAM) for a large telco. We added MFA last year, with it being mandatory for customers who have been compromised.
    robin please include an SMS option in the final solution. It’s the most frictionless way to register and log in. SMS is more secure than email for OTP delivery. It’s much easier to hack someone’s email than to hack their phone (unless they use LastPass and MFA to secure their email account, as we all should). Contrary to some opinions here, I can’t get someone’s SMS messages just because I know their phone number. Unless they’re dumb enough to read the code to me when I call them on that same phone.

    Are you logging out regularly? I believe he said he would only run this check when you're actually trying to log in.

    #88 2 years ago

    Seat belts are SO uncomfortable and chafe my pinball jelly rolls.

    #97 2 years ago
    Quoted from Isochronic_Frost:

    Fixed it for clarity. I was trying to give an accurate example of the shitty seatbelt metaphor but realize it was counterintuitive. It’s fixed now.
    Either way, seatbelts are also shown to increase crashes due to careless drivers with a false sense of security... hmmm, I wonder if that may be relevant to this topic!

    Sorry, from an implementation perspective it may feel that way, but it's much more critical than that from a security perspective.

    People love to bitch about change in life/routine, but this really is a minor one.

    Unless you're in a public/shared computer use case requiring a logout AND that computer's public IP is changing regularly, you will rarely hit the additional challenge.

    1 week later
    #108 2 years ago
    Quoted from robin:

    Aha! Actually a few people contacted me, telling me the exact same thing: how they were surprised to get a login code request when their IP address didn't change.
    Turns out that many of you (me too in fact) have two IP addresses. One IPv4 and one IPv6. Which one gets used seems to be almost random. Sometimes you'll get connected to Pinside on v4 and sometimes on v6. I'm not a network expert, so not sure when, why or how this is determined. Maybe someone can chime in?
    So you might think you are connected via your 123.456.789.123 IPv4 address when in fact you're connecting with a different IPv6 address every day.
    At least, that's what I found out. I never knew this myself.
    Here, check out my last few IPs and notice how most are IPv6, while there's also one IPv4 visit there:
    [quoted image]
    This is all from my home, all connections made today. My IPv6 changes very often!
    (Sorry, I greyed out the full addresses, but they're all slightly different.)
    FYI, I'm currently investigating ways to allow for *slight* IP address changes. For example, if your IP address closely matches a previously used IP address (same "network part" I think is what it's called) I could allow the login automatically. So, for example, I could check if the first two number groups of your IPv4 are the same and then let you log in without a login code request. For IPv6 I think it's the first 4 alphanumeric groups. Again, I'm not a network expert so I need to look into this some more.
    [quoted image]

    For a quick workaround -- can you change your infra (load balancer) to support only IPv4? Did a quick search and it looks like the protocol is to attempt to use IPv6 if it's available on both sides and fall back to IPv4 if it's not.
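    The "network part" comparison robin is considering in #108 is a prefix match, and the two prefix lengths he mentions are a /16 for IPv4 (the first two number groups, 65,536 addresses) and a /64 for IPv6 (the first four groups). Below is an added example (not Pinside's code, not from any poster) of that check done with Python's standard `ipaddress` module. The prefix lengths are policy assumptions: /24 for IPv4, which is much narrower than a /16, and /64 for IPv6, because a host with privacy extensions rotates only the low 64 bits while the /64 the ISP delegated stays the same, which matches the rotating addresses robin saw. The sample addresses are constructed from documentation ranges.

```python
"""Added example (not Pinside's code): skip the login challenge when a new address
shares a network prefix with one already seen for the account.

Assumptions (policy, not facts from the thread): IPv4 compared on its /24,
IPv6 on its /64. Addresses below are constructed from RFC 5737 / RFC 3849
documentation ranges.
"""
import ipaddress
from typing import Iterable, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

V4_PREFIX = 24   # assumed policy; robin's "first two number groups" would be 16
V6_PREFIX = 64   # assumed policy; robin's "first 4 alphanumeric groups" is exactly 64

# Constructed "previously seen" addresses for one account: one IPv4 visit and one
# IPv6 visit, the pattern robin described from his own home connection.
SEEN_ADDRESSES = [
    "198.51.100.42",
    "2001:db8:1234:5678:a1b2:c3d4:e5f6:1",
]


def network_part(addr: str) -> IPNetwork:
    """Return the prefix used for matching (e.g. 198.51.100.0/24, 2001:db8:1234:5678::/64)."""
    ip = ipaddress.ip_address(addr)
    prefix = V4_PREFIX if ip.version == 4 else V6_PREFIX
    # strict=False lets us pass a host address and get its containing network back.
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def same_network(a: str, b: str) -> bool:
    """True if a and b fall in the same policy prefix. Different families never match."""
    ip_a, ip_b = ipaddress.ip_address(a), ipaddress.ip_address(b)
    if ip_a.version != ip_b.version:
        return False
    return network_part(a) == network_part(b)


def needs_challenge(new_addr: str, seen_addrs: Iterable[str]) -> bool:
    """Challenge unless the new address shares a prefix with an address already seen."""
    return not any(same_network(new_addr, seen) for seen in seen_addrs)


if __name__ == "__main__":
    for candidate in (
        "2001:db8:1234:5678:ffff:eeee:dddd:cccc",   # same /64, new interface id
        "2001:db8:abcd::1",                         # different /64
        "198.51.100.77",                            # same /24
        "198.51.101.77",                            # neighbouring /24
    ):
        print(candidate, "->", "challenge" if needs_challenge(candidate, SEEN_ADDRESSES) else "allow")
```

    One caveat the code makes visible: an IPv4 address and an IPv6 address from the same household share no prefix, so a dual-stack user is challenged once for each family before both are on record. That is the reason behind the surprise reports robin mentions, and it is not something a prefix check alone can remove.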


    This page was printed from https://pinside.com/pinball/forum/topic/two-factor-authentication-2fa?tu=joetechbob