Email Password

It is kinda confusing since the url Change Users' Passwords referenced in the docs of Auth0 Management API v2 says something like Regardless of how the password reset process was triggered, the user receives email containing a link to reset their password.

If I was to forget my Master Password and would need to delete an account and start over, 1P would verify my identity by sending me an email.... which I cannot access without remembering my Master Password (assume phone with sync lost/stolen, logged-in PC burned down or something... or maybe I don't keep email logged-in on PC either).

Similarly, if I was to forget my Master Password (with no recovery possible), I would then need to contact individual services (facebook, aws, dropbox, etc) to reset my (randomly generated) password. That process would usually go through the email... which I cannot access without remembering my Master Password.

In any of the above, the attacker now gains access to my individual service passwords (facebook, amazon, etc). When they try to login, they will be faced with a 2FA challenge. That is the whole point of 2FA. This is my last line of defense. In 3/4 cases, the attacker does not have my phone, therefore cannot access 2FA seeds/codes that are on my phone. In the remaining case, even if phone is stolen and fingerprint is lifted off the case, my 2FA app has a separate pin (oh how I hate that they don't allow fingerprint auth... but obviously this is quite on purpose to combat situations like this).

[Considering only single-point-of-failure scenarios here. If someone attacks my vault personally (a wide attack on 1P servers to gain encrypted vaults is pointless without a from-the-future quantum computer, and unlikely) and attacks the 2FA app's servers in a coordinated attack and also breaks their encryption, then they probably need those passwords more than I do (or it's so above my paygrade I'd rather give them passwords and keep my life).]

By keeping my 2FA separate from 1P, it serves its purpose and the attacker still cannot gain access to my individual services despite having the passwords. The next step for the attacker would be to suspend 2FA, or disable 2FA, or request alternative 2FA. In most cases, this again would be performed through the email.

So it seems problematic to store an email password in a password manager. It's also outright wrong to be storing 2FA in a password manager. At the very least, if one was to store 2FA in a password manager, it should be a different password manager than the one containing the passwords.

I agree you should always know your email password (a strong passphrase). But keeping it in 1P or any other password manager gives an attacker a way to bypass the last line of defense, which is your 2FA (which should not be stored along with passwords... the whole purpose of 2FA is to be separate).

If the 2FA is stored in vault, that last line of defense is already non-existent (which is why 2FA should never be stored along with passwords, at least not in the same password manager as the accounts' passwords). If my 2FA is separate, but email password is in the compromised vault, the attacker can disable the 2FA through use of email (most services allow to disable 2FA by confirming account ownership through email... 1P also relies on email to confirm account ownership, as you yourself noted).

I haven't personally seen services that force the use of 2FA (yet). If you choose 2FA, you want that extra layer of security. If your 2FA is in the same place as your password, you might as well not have 2FA to begin with.

I agree it's convenient to have 1P fill in your password and 2FA all with 1 click, but explain to me what extra security (over just a strong random-generated password that you don't even know yourself) does 2FA provide if it's stored along with the password and filled in with 1 click? It just doesn't.

I know, I know, you provide a tool with options, and it's my choice how I use this tool. If I don't like it, I can simply choose not to use 1P for 2FAs. I get all that. I am not asking you to change it. I just wanted others' opinion on this matter. Maybe I am missing something. Maybe 2FA does provide extra security even when stored along with passwords (I am yet to see this however). This is a discussion.

2FA OTPs are not subject to keylogging or other interception, cause they are time-based one-time codes. I can easily show you my current OTPs, and the next minute's ones... and there is nothing you can do with it unless you are trying to login at this exact minute. That's why OTP fields are not password masked: cause they are not secret. The seed is secret, not the code.

And if there is a keylogger on my machine (or a public machine I am using), then my master password is now compromised, and the attacker has access to my vault and all passwords and OTP seeds in it.

If you keep your 2FA OTP seeds on your phone separate from 1P synchronized vault, and the computer is compromised with a keylogger, then even after gaining master password, and further the passwords to individual sites, the attacker cannot login cause they are missing the 2FA OTPs.

The paragraph you quoted addresses this exact scenario: passwords and 2FA OTPs in different places protect you from keyloggers; passwords and 2FA OTPs in the same place simply don't do anything, so why even bother enabling 2FA on a service in the first place?

That makes TOTP sound like it is useless, and that's just not the case. But it's protecting against a different kind of threat: if my account credentials are compromised because of a website breach (for example if Yahoo had used TOTP /cough), an attacker would still not be able to access my account, even though they have the username and password.

My understanding after reading that is the Google account should link to the existing account that was created with email/password. Are the two email addresses the same? It seems like you might be falling under the error case described in item 1.

If you link a social sign-on to one particular Bubble user and then create another Bubble user with a different email, you will then have your signed-up user switched from the second to the first.

Hi grb, I realised I had not followed your instructions to the letter so I tried again, and now it fills the password in twice on the website. Screenshots attached.

I created a test version below to show you what I mean.

Also tested it out on the website and got no issue. The standard username field worked and the email one did as well, inputting items in the correct fields.

Same for me. Turns out I used oauth instead of email+password and completely forgot about that. So, after dozens of attempts to recover my password I sign up with google account and the problem was solved.

Same was happening to me guys. Make sure to try signing in THROUGH google, not by typing in your email address. This was the issue for me, as when I tried to send password to email there would be no response because I never set up a password, just signed in through google. Good luck.

I have configured SMTP and some emails are working correctly, like email informing about a new ticket being created.


I will try to debug this in version that is installed currently as I have spent some time on data import that I don't want to repeat.

What I did to solve the issue: I changed the key "alert_email_id" in the database table _config from 2 to 1, and now the reset password email is being sent from an email account that has SMTP configured.

My idea is to have a User model and save the email and encrypted password in the database. On login request check the email and password, sign a jwt if the credentials are valid and return it to the client.

One of the benefits of using the Redwood Auth is that you get the same user data on both the web and api sides for free! Well, for free after someone invents a way to do custom email/password login and merges it into Redwood.

Some Firebase Authentication methods that take email addresses as parameters throw specific errors if the email address is unregistered when it must be registered (for example, when signing in with an email address and password), or registered when it must be unused (for example, when changing a user's email address). While this can be helpful for suggesting specific remedies to users, it can also be abused by malicious actors to discover the email addresses registered by your users.

To mitigate this risk, we recommend you enable email enumeration protection for your project using the Google Cloud gcloud tool. Note that enabling this feature changes Firebase Authentication's error reporting behavior: be sure your app doesn't rely on the more specific errors.

We may require that you reset or update your password at times due to evolving external security threats, updated security requirements, or if we suspect that your Xfinity ID has been compromised elsewhere. For your protection, if we suspect or observe suspicious activity relating to your account, we may also require that you reset your password.



Also, avoid using the same password for multiple accounts. It might be easier to remember, but reusing passwords increases the risk of a security compromise across various services if one is compromised.