Lack of interest Add letters to 2 factor auth

This suggestion has been closed automatically because it did not receive enough votes over an extended period of time. If you wish to see this, please search for an open suggestion and, if you don't find any, post a new one.



So currently, if people have 2FA enabled for their email, it will send 6 random digits to your email.
I've had a case where someone was able to bruteforce his way into an account using only an email and password.

I think a simple change like adding letters could improve 2FA a lot as bruteforcers would have more combinations to go through. They wouldn't be able to do this as the code would expire by the time they even go through a fraction of the possibilities.

Are you positive he didn't have access to the email for example? If he shared passwords between his email and other sites, that's very likely. (And why we suggest email 2FA is not the ideal option.)

We have rate limiting with 2FA attempts to prevent this. This is attached per user, not per IP, so trying from multiple IPs doesn't make a difference. Further, with 6 digits and the code only being valid for 15 minutes, you'd need to send 1100 requests per second to properly brute force it. (Though rate limiting prevents that, unless you get very very lucky.)
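The trade-off discussed in this thread, as an added example that is not part of either post and not the forum software's own code: it compares the keyspace gain from adding letters with the effect of a per-user attempt cap, then models that cap in a small verifier. The 15-minute validity comes from the reply; `MAX_ATTEMPTS = 5`, the class `EmailTwoFactor` and its method names are assumptions made for illustration.

```python
import hmac
import secrets
import string
import time

CODE_TTL = 15 * 60   # code validity stated in the reply: 15 minutes
MAX_ATTEMPTS = 5     # assumed per-user cap; the thread does not give the real number

def keyspace(length=6, alphabet=string.digits):
    return len(alphabet) ** length

def required_rate(space, ttl=CODE_TTL):
    """Requests per second needed to try every code before it expires."""
    return space / ttl

def guess_probability(space, attempts=MAX_ATTEMPTS):
    """Chance of hitting the code when only `attempts` distinct guesses are allowed."""
    return min(attempts, space) / space

class EmailTwoFactor:
    """Hypothetical verifier: failures are counted per user, never per IP."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._codes = {}      # user_id -> (code, expires_at)
        self._failures = {}   # user_id -> failure times; not reset by re-issuing

    def issue(self, user_id, length=6, alphabet=string.digits):
        code = "".join(secrets.choice(alphabet) for _ in range(length))
        self._codes[user_id] = (code, self._clock() + CODE_TTL)
        return code           # a real system emails this instead of returning it

    def verify(self, user_id, guess):
        now = self._clock()
        recent = [t for t in self._failures.get(user_id, []) if now - t < CODE_TTL]
        self._failures[user_id] = recent
        code, expires = self._codes.get(user_id, ("", 0.0))
        if len(recent) >= MAX_ATTEMPTS or now >= expires:
            return False      # locked out, expired, or no code issued
        if hmac.compare_digest(code.encode(), guess.encode()):
            del self._codes[user_id]   # codes are single use
            return True
        recent.append(now)
        return False
```

With the cap in place the attacker's odds are `attempts / keyspace` whatever the request rate, so a longer alphabet shrinks an already small number while the cap is what removes the dependence on speed.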