
Both of these, plus a differentiator between 'current' and 'new' token requests - without that, it's an easy way to log people out of sites by simply knowing their email address. To the point about not always having access to email, it's a pretty simple denial of service vector.


Can you clarify what you mean by "differentiator between current and new token requests"? Currently I don't exactly know which attack form you mean or how it could be prevented by such a "differentiator".

(an example would be nice)
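The logout-by-email denial of service the first comment describes, beside a design that keeps 'new' token requests apart from 'current' sessions, as an added illustration that is not from any participant in this thread; the two service classes and their in-memory stores are constructed for the example.

```python
from __future__ import annotations

import secrets
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class WeakTokenService:
    """One slot per email: requesting a login token replaces the active one.

    Anyone who knows the address can call request_token() and the owner's
    current token stops working: an unauthenticated forced logout.
    """
    active: dict[str, str] = field(default_factory=dict)

    def request_token(self, email: str) -> str:
        token = secrets.token_urlsafe(16)
        self.active[email] = token  # silently clobbers the current token
        return token

    def is_valid(self, email: str, token: str) -> bool:
        return secrets.compare_digest(self.active.get(email, ""), token)


@dataclass
class SeparatedTokenService:
    """Keeps pending ('new') login tokens apart from active ('current') sessions.

    A login request only adds a pending token; nothing changes for existing
    sessions until that token is actually redeemed from the inbox.
    """
    pending: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set))
    sessions: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set))

    def request_token(self, email: str) -> str:
        token = secrets.token_urlsafe(16)
        self.pending[email].add(token)  # existing sessions are untouched
        return token

    def redeem(self, email: str, token: str) -> str | None:
        if token not in self.pending[email]:
            return None
        self.pending[email].discard(token)  # single use
        session = secrets.token_urlsafe(16)
        self.sessions[email].add(session)
        return session

    def is_valid_session(self, email: str, session: str) -> bool:
        return session in self.sessions[email]
```

Rate limiting and expiry of pending tokens are still needed in practice; the example only shows the separation the comment asks for.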



