dusnm, This is what #BlueSky considers a perfectly acceptable implementation of a two-factor authentication system.
Just send an email with the 2FA code. This is insanely irresponsible and I'm sure they know it.
Since most people unfortunately reuse passwords, any sane person must reasonably assume the email is likely to be compromised as well...
I have no clue why they don't use #TOTP. Unless the attacker has access to the device with the shared secret, it's borderline impossible to defeat.