• jol@discuss.tchncs.de · 80 up · 11 days ago

    The other day I used a website and they didn’t let me pick a password.

    They sent me a very secure random one via email 💀. In the year 2025, this still happens.

    • AlecSadler@sh.itjust.works · 26 up / 5 down · 11 days ago

      There’s really nothing wrong with that; it’s a sort of half-baked 1.5FA. I would hope/assume you had to immediately change your password after.

      • mosiacmango@lemm.ee · 47 up / 2 down · edited · 11 days ago

        It’s just 1 factor, as they are using “something you have,” i.e. your email account, to authenticate you initially. Anyone with access to the account would have the password, so it can’t count as a unique factor.

        • azertyfun@sh.itjust.works · 29 up · 11 days ago

          99% of websites, even with “2FA” enabled, allow you to reset all login credentials with an email reset. Or worse, an SMS reset.

          a.k.a. it’s all just 1FA, with the password+TOTP just being there for “convenience”, and they trust Gmail’s actual 2FA not to get breached, because if it does then the account is donezo.

          Not that emailing passwords is good, because users won’t change them and are likely to leak them. However, login systems that are just an email with temporary credentials are superior to the standard system with the possibility to reset the password by email, since they’re basically that with less attack surface. The service provider never even has to process the user’s password. Literally the only downside is usability, which can be a worthwhile tradeoff.

          Alternatively one could do OIDC, but the downside is it only works with whichever authentication providers are set up, whereas email registrations work without an intermediary such as Google or Microsoft, which is a big plus in my book, and might even be a hard requirement in B2B scenarios.

        • AlecSadler@sh.itjust.works · 5 up / 1 down · 11 days ago

          Hmm, yup, you’re right, my bad.

          I guess it’d help if it still required an MFA code added or something.

        • Ptsf@lemmy.world · 2 up · edited · 10 days ago

          The 1.5 is them relying on your email provider to provide the second factor 😂

    • whoisearth@lemmy.ca · 3 up · 10 days ago

      This is asinine and anyone responding that this is normal is asinine as well. You can email a link to reset the password but if you’re sending a plaintext password, even with the intention of changing it immediately, you’re a fucking idiot.