Thanks for the feature request and discussion.
I have been looking into adding an extra layer of security to logins for years, and this is getting more and more relevant, especially considering all our efforts to verify Pinside accounts and stop scammers from using Pinside to operate.
So yes, I'm interested to implement this sooner rather than later!
I guess the basic idea comes down to this:
If you log in to Pinside with an IP address that we have not seen you previously using AND you have 2FA enabled for your account, we will require you to authenticate.
The easiest authentication system I can think of, which is easy for me to implement and also easy to use/understand for most Pinsiders, would probably be a simple SMS containing a short verification code, sent to a registered phone number.
Downsides:
- costs, although it looks like Twilio would only set me back $7.50 / 1000 SMS codes
- folks would need to add their phone # to their Pinside account
Other options are:
- authentication via e-mail, which would be free and I already have Pinsiders' email addresses.
- authentication via an authenticator app
- via our new notifications system (for people who have notifications enabled and who have at least one 'push' device), this is also free and probably faster and more reliable than email.
- Via a Pinside app (but we don't currently have this)
While adding this as an option is nice and all, I think I need to be a bit more proactive here. I am considering automatically 'locking' accounts that have not been accessed for x months from login, and first requiring a simple email link click. So, for example, when you return to Pinside after being away for 8 months, we would send you an e-mail to authenticate/login. Quick and easy. And while absolutely not 100% watertight, it would stop random password brute-force hackers and also avoid logins into dormant/forgotten accounts being hacked via password leaks and the like (which is also the reason why we require usernames to log in instead of email addresses).
Keep in mind that a great deal of trust is given to "old" accounts. So they're nice targets for the scammers we have seen using Pinside in the past.
I welcome all thoughts while I investigate this subject some more!
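The two checks proposed in the post above (step-up on a login from a never-before-seen IP when 2FA is on, and an email gate for accounts dormant for x months) plus the one-time-code half of the flow, written out as an added example. This is illustrative code, not Pinside's implementation: the `Account` model, the 8-month dormancy window, the 10-minute code lifetime, the 5-attempt limit and the in-memory `pending` store are all assumptions. Password verification is assumed to have already succeeded before `step_up_required` is consulted, and the code returned by `issue()` is what would go out over SMS, email or push.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed shape of a user record (constructed for this example, not Pinside's schema).
@dataclass
class Account:
    username: str
    two_factor_enabled: bool
    known_ips: set = field(default_factory=set)   # IPs this account has logged in from before
    last_login: float = 0.0                        # unix time of last successful login, 0 = never

DORMANT_AFTER = 8 * 30 * 86400   # "x months" from the post; 8 months assumed here
CODE_TTL = 10 * 60               # verification code lifetime in seconds (assumption)
MAX_ATTEMPTS = 5                 # wrong guesses before the code is thrown away (assumption)


def step_up_required(acct: Account, ip: str, now: float):
    """Return why a second step is needed, or None if password alone is enough.

    Dormant accounts are gated regardless of 2FA (the email-link idea in the post);
    the new-IP rule only applies when the account has 2FA enabled.
    """
    if acct.last_login and now - acct.last_login > DORMANT_AFTER:
        return "dormant"
    if acct.two_factor_enabled and ip not in acct.known_ips:
        return "new_ip"
    return None


class Verifier:
    """Issues and checks short one-time codes. Only an HMAC of the code is stored,
    so a leaked pending-codes table does not hand out usable codes."""

    def __init__(self, server_key: bytes):
        self.key = server_key
        self.pending = {}   # username -> [code_hmac, expires_at, attempts]

    def _mac(self, username: str, code: str) -> bytes:
        msg = f"{username}:{code}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def issue(self, username: str, now: float) -> str:
        # secrets, not random: the code must be unpredictable to a guesser.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = [self._mac(username, code), now + CODE_TTL, 0]
        return code   # deliver to the user; never log it

    def verify(self, username: str, code: str, now: float) -> bool:
        entry = self.pending.get(username)
        if entry is None:
            return False
        code_mac, expires_at, attempts = entry
        if now > expires_at or attempts >= MAX_ATTEMPTS:
            del self.pending[username]   # expired or brute-forced: force a fresh code
            return False
        entry[2] += 1
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(code_mac, self._mac(username, code)):
            del self.pending[username]   # single use
            return True
        return False


def complete_login(acct: Account, ip: str, now: float) -> None:
    """Record a successful login so this IP is trusted next time."""
    acct.known_ips.add(ip)
    acct.last_login = now
```

A 6-digit code has only a million values, which is why the attempt counter and short lifetime matter as much as the randomness: without them, the SMS step is a guessing game for anyone who already has the password.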