#indieweb 2024-11-01
2024-11-01 UTC
gRegorLove_, geoffo, jimw, ps_gro, jimw0, [Joe_Crawford], toastal, bterry, rvalue-, cedric, lazcorp, codebuzz, GuestZero, barnaby, [Joschi_Kuphal], Xe and Guest6 joined the channel; toastal left the channel
# sisoma_new[d] Hey all!
# sisoma_new[d] Been a while since I've been on here.
# sisoma_new[d] Was wondering if anyone knows how IndieAuth.com's authentication is "safe" enough using the email authentication method.
# sisoma_new[d] The auth codes sent via email only contain 4 digits. Which does not make it insanely unlikely for someone to be able to guess the code (people win lotteries with worse odds).
# sisoma_new[d] It doesn't seem too unreasonable that a potential bad guy could successfully brute force the 4 digit code?
# sisoma_new[d] Example scenario:
# sisoma_new[d] 1. I login to pronouns.page using IndieAuth.com and type my website's address.
# sisoma_new[d] 2. IndieAuth asks if I want to use email or GitHub authentication methods (discovered through the HTML on my website)
# sisoma_new[d] 3. I select the email method, and get sent an email with a simple 4 digit code
# sisoma_new[d] 4. I type in the 4 digits and voila, I am authenticated.
# sisoma_new[d] Is there some additional authentication/verification going on?
# capjamesg[d] aaronpk ^
toastal and AramZS joined the channel; toastal left the channel
klymilark joined the channel
# sisoma_new[d] Funnily enough, the reason I asked about this is because at work we are implementing a similar email authentication system, so was doing some research on what others are doing. And we did land on using 6 alphanumeric character codes which are valid for 5 minutes. We also decided to remove a couple of characters that could easily be mistaken for each other.
# sisoma_new[d] I see yeah that would make it practically impossible to guess!
# sisoma_new[d] aaronpk++
rvalue joined the channel
toastal joined the channel
# sisoma_new[d] I always select IndieAuth when I get the option, so is good to also have that peace of mind that it is secure ❤️
# sisoma_new[d] Thanks for the quick fix!
# sisoma_new[d] Awesome
# sisoma_new[d] Just confirmed that the code is 6 alphanumeric characters.
antranigv, [morganm] and [qubyte] joined the channel
cptaffe, sebbu, Kupietz and toastal joined the channel
# Loqi [indienews] New post: "Possible futures for Bridgy Fed" https://snarfed.org/2024-11-01_53932
[aciccarello] joined the channel
# [aciccarello] I appreciate the desire to get feedback on Bridgy's future
BigShip joined the channel
# [aciccarello] It also reminds me of Ben Werd's brainstorming of possible Fedi services https://werd.io/2024/helping-to-build-the-open-social-web
# [aciccarello] haha, I'm sure there are lots of people online happy to share their opinions
JadedBlueEyes and kimmy joined the channel
# fausphorus Hello! Super duper new to website-making, but also super duper tired of big corp websites destroying all of my efforts/contents after policy changes, especially as a queer content creator. I'm looking to create my own "resilient" website where I can post my creative content without fear of takedown or sudden policy changes by outside entities.
# [aciccarello] Welcome!
# fausphorus I'm glad! I also admit I'm a little overwhelmed with, well, everything out there. Between all of the options, the possible approaches, the terminology, the acronyms... I've tried on and off to get into website building, but I never would get very far beyond learning html line breaks or making paragraphs, or editing neopet pet-pages way back in the 2000's.
# fausphorus Indieweb-dev would be the place for me to get started then?
# [snarfed] fausphorus you don't need to write code! there are lots of great tools for non-developers: https://indieweb.org/Getting_Started#IndieWeb_Services , https://indieweb.org/web_hosting , etc
# fausphorus My concern is that; I've had the repeat past experience where I would host something I've made, only to have it taken down/deleted/banned/removed from a platform because it doesn't abide by their rules or regulation. I'm a trans creator who wants to make content regarding my lived experiences, and I worry that if I rely on "pre-made" template systems or, I guess like ... framework(?), I would risk losing access to my own content o
# fausphorus I feel like at this point, the only/main way I can ensure I never lose my own creation is to learn how to code myself and keep local copies of my website, unless I'm wrong?
# fausphorus For example: Tumblr is *very* unfriendly to trans creators, despite attempting to advertise itself as a good space for queer creators. I'm very tired of getting bridges burned that way.
# fausphorus What would be the best suggested solution or route?
# [tantek] so far there are a handful of services (e.g. http://micro.blog) that seem very supportive of queer and other creators. and yes, at least owning your domain is a minimum, so you can always export your stuff from whatever service / backend you're on and switch to a different service
# fausphorus and here's me not even knowing what's jargon or not right now. I'll go wherever I'm broom-swept to
toastal left the channel
# capjamesg[d] Welcome, fausphorus[d]!
# fausphorus Thanks!
# Loqi [indienews] New post: https://tantek.com/2024/306/t1/simple-embeds
Kupietz, _justin_kelly2, xgpt and angelo joined the channel