Ask HN: Why isn't time more a part of account recovery?

jmward01 · 1 day ago · view on HN · opinion
quality 2/10 · low quality
0 net
AI Summary

Discussion questioning why time-based cooldowns on account recovery aren't standard practice — proposing a security model where backup authentication methods require a 48-hour waiting period before full account access is restored.

Tags
account-recovery authentication security-design account-takeover-prevention backup-authentication best-practices
I don't have a blog so I don't have some polished think piece on this, just an honest question to the HN crowd. Why isn't it standard practice to have a 'reset cool-down' or something similar on accounts? I want to be able to say have X + Y = primary auth but backup Z (which is presumably less secure) is allowed only a successful login means a 48 hour cool down before you can fully log in (and presumably fix your primary auth mechanism). I am thinking of doing this for a site but don't see it as a best practice and was wondering why.
← Back to stories