
New beta Stackoverflow frontend. Hot or Not?

$$4520
https://piefed.social/u/vogi posted on Feb 26, 2026 09:25

Just noticed that Stackoverflow has a new front end in Beta. I do not like it, however I slowly begin to fear I'm just another boomer. :( What do people on here think about it?

I think the beta looks just like any other weekend project with cookie cutter elements. There is nothing to differentiate it from other sites that are made after 2020. Current design is also way more concise. I'm not sure when we started using the whole widescreen for a website. Sure wasted screen estate is unfortunate but long mouse travel times are also uncool.

https://piefed.social/c/webdev/p/1818596/new-beta-stackoverflow-frontend-hot-or-not

Best practice for resetting a user's MFA?

$$3685
https://startrek.website/u/IcedRaktajino posted on Feb 24, 2026 14:05

I’m putting together an API for a project, and one of the requirements is MFA. I’m using TOTP and that all works. I also have facilities to clear the MFA token and regenerate / re-enroll the secret, but I’m wondering what the best practice is for invoking that.

Their email is required and verified during signup, so would a validation email be sufficient like with a password reset? Or should I require the user to contact the administrators to reset the MFA?

https://startrek.website/post/36024898

6 posts in conversation

$$3723
https://startrek.website/u/IcedRaktajino posted on Feb 24, 2026 15:54
In reply to: https://beehaw.org/comment/5615475

> Solutions that work for a corporate application where all the staff know each other are unlikely to be feasible for a publicly available application with thousands of users all over the world

This is something of a hybrid. There will be both general public users as well as staff. So for staff, we could just call them or walk down the hall and verify them but the public accounts are what I’m trying to cover (and, ideally, the staff would just use the same method as the public).

> Figure if an attacker attempts the ‘forgot password’ method, it’s assumed they have access to the user’s email.

Yep, that’s part of the current posture. If MFA is enabled on the account, then a valid TOTP code is required to complete the password reset after they use the one-time email token. The only threat vector there is if the attacker has full access to the user’s phone (and thus their email and auth app) but I’m not sure if there’s a sane way to account for that. It may also be overkill to try to account for that scenario in this project. So we’re assuming the user’s device is properly secured (PIN, biometrics, password, etc).

> If you are offering TOTP only,

Presently, yes.

> or otherwise an OTP sent via SMS with a short expiration time

We’re trying to avoid 3rd party services, so something like Twilio isn’t really an option. We’re also trying to store the minimum amount of personal info, and currently there is no reason for us to require the user’s phone number (though staff can add it if they want it to show up as a method of contact). OTP via SMS is also considered insecure, so that’s another reason I’m looking at other methods.

> “backup codes” of valid OTPs that the user needs to keep safe and is obtained when first enrolling in MFA

I did consider adding that to the onboarding but I have my doubts if people will actually keep them safe or even keep them at all. It’s definitely an option, though I’d prefer to not rely on it.

So for technical, human, and logistical reasons, I’m down to the following options to reset the MFA:

1) User must contact a staff member during business hours to verify themselves. Most secure, least convenient.
2) Set up security questions/answers and require those after the user receives an email token (separate from the password reset token). Moderately secure, less convenient, and requires us to store more personal information than I’d prefer.
3) Similar to #2 except provide their current password and a short-term temporary token that was emailed to them when they click “Lost my MFA Device”. Most convenient, doesn’t require unnecessary personal info, possibly least secure of the 3. Note that password resets require both email token and valid TOTP token, so passwords cannot be reset without MFA.

I’m leaning toward #3 unless there’s a compelling reason not to.

https://startrek.website/comment/21593658
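
One way option 3 from the comment above could be implemented, as an added example that is not part of the thread or the poster's project. The class and function names, the 15-minute lifetime, the PBKDF2 settings and the in-memory stores are assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60       # assumed lifetime; the post only says "short-term"
PBKDF2_ROUNDS = 600_000   # assumed work factor for this sketch

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def token_digest(token):
    return hashlib.sha256(token.encode()).digest()

class MfaResetFlow:
    """Hypothetical in-memory model of option 3: emailed token + current password."""

    def __init__(self, now=time.time):
        self.now = now      # injectable clock so expiry can be tested
        self.users = {}     # email -> {"salt", "pw_hash", "totp_secret"}
        self.pending = {}   # email -> (sha256 of token, expiry timestamp)

    def add_user(self, email, password, totp_secret):
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "pw_hash": hash_password(password, salt),
                             "totp_secret": totp_secret}

    def request_reset(self, email):
        """Return the token to email, or None; the HTTP reply should not differ."""
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        # Only the digest is stored, so a leaked table yields no usable tokens.
        self.pending[email] = (token_digest(token), self.now() + TOKEN_TTL)
        return token

    def complete_reset(self, email, token, password):
        user = self.users.get(email)
        # pop() makes the token single-use and burns it on a failed attempt,
        # so one stolen email cannot be used to grind through password guesses.
        entry = self.pending.pop(email, None)
        if user is None or entry is None:
            return False
        digest, expires_at = entry
        token_ok = hmac.compare_digest(digest, token_digest(token))
        pw_ok = hmac.compare_digest(user["pw_hash"], hash_password(password, user["salt"]))
        if not (token_ok and pw_ok and self.now() < expires_at):
            return False
        user["totp_secret"] = None   # cleared: user must re-enroll TOTP
        return True
```

Because the password reset path described in the thread demands a valid TOTP code, the email token alone never yields both factors: resetting MFA needs the password, and resetting the password needs MFA.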
$$3745
https://lemmy.world/u/tapdattl posted on Feb 24, 2026 16:59
In reply to: https://startrek.website/post/36024898

My work has us call a helpdesk which verifies our ID (based off the number we’re calling from and other info) then gives us a one-time password to reset all our login info.

https://lemmy.world/comment/22323511

Making Icon Sets Easy With Web Origami

$$3607
https://programming.dev/u/codeinabox posted on Feb 24, 2026 10:37
https://programming.dev/post/46260496

Sprites on the Web

$$3200
https://programming.dev/u/codeinabox posted on Feb 23, 2026 17:35
https://programming.dev/post/46226978

$$3324
https://lemmy.cafe/u/stepan posted on Feb 23, 2026 21:56
In reply to: https://programming.dev/post/46226978

This is my favorite web dev blog, his grid and flex tutorials are amazing with all those interactive examples.

https://lemmy.cafe/comment/16064046
$$3330
https://programming.dev/u/andioop posted on Feb 23, 2026 22:02
In reply to: https://lemmy.cafe/comment/16064046

Came here to say the same thing but for SVG

https://programming.dev/comment/22356712

Styling outbound links, yea or nay?

$$2112
https://lemmy.wtf/u/mina86 posted on Feb 21, 2026 14:43

I come with a seemingly simple question: should outbound links be styled differently than intra-site links? For example, the way Wikipedia does it with an icon after the text of the link. Do users care? Has anyone done any research on that?

I’m thinking of situations where you might have a sentence like ‘I’ve written about this before, and recent events around ACME corporation only made me entrenched in my opinion.’ where ‘written about this before’ would be a link to another page on the website and ‘recent events around ACME corporation’ would be a link to an external site.

https://lemmy.wtf/post/38322468

5 posts in conversation

$$2600
https://lemmy.wtf/u/mina86 posted on Feb 22, 2026 15:21
In reply to: https://programming.dev/comment/22328314

That’s also my thinking, but it does add some visual clutter plus wouldn’t the counterargument be that people who really care can use their own user styles or extensions, or look at the status bar?

https://lemmy.wtf/comment/20051580
$$3281
https://programming.dev/u/somegeek posted on Feb 23, 2026 21:00
In reply to: https://lemmy.wtf/comment/20051580

No I don’t accept the counter argument as an argument. People who care shouldn’t jump through hoops to get what they deserve.

And the visual clutter is way too little to care.

https://programming.dev/comment/22355511

So I've Been Thinking About Static Site Generators

$$3148
https://programming.dev/u/codeinabox posted on Feb 23, 2026 15:40

cross-posted from: https://lemmy.bestiver.se/post/946712

Comments

https://programming.dev/post/46222386

$$3209
https://piefed.social/u/FishFace posted on Feb 23, 2026 18:12
In reply to: https://programming.dev/post/46222386

Targeting sub 1s build times seems like the wrong optimisation. If you write your content in markdown you can just preview it in a browser with ~1ms latency, because you don’t need no fancy build system to do that. When you’ve written your post, put it in the site data structure, hit build, and go make a coffee.

If your objective is to put content on the internet, this will be more than enough. If it is instead to create The Most Perfectest Website Framework Ever, then unfortunately Spring Boot already exists 😏

https://piefed.social/comment/10261112
$$3279
https://programming.dev/u/somegeek posted on Feb 23, 2026 20:58
In reply to: https://programming.dev/post/46222386

Go for the fun, but your issue is a non issue. I use Zola (built with Rust) and it is very very fast. A full build of ~200 pages takes ~2s and in dev mode, changes are reflected almost instantly.

https://programming.dev/comment/22355484

Loading Smarter: SVG vs. Raster Loaders in Modern Web Design

$$3130
https://programming.dev/u/codeinabox posted on Feb 23, 2026 14:55
https://programming.dev/post/46219401

$$3183
https://leminal.space/u/Rokin posted on Feb 23, 2026 16:52
In reply to: https://programming.dev/post/46219401

The article obviously picks vector loaders as better, except in certain specific cases (or for very small loaders). I usually stick with SVG > PNG > JPG when dealing with graphics for the web.

https://leminal.space/comment/21383992

Virtual Scroll-Driven 3D Scenes

$$3177
https://programming.dev/u/codeinabox posted on Feb 23, 2026 16:39
https://programming.dev/post/46224413

Anti-libraryism: 10 web APIs that replace modern JavaScript libraries

$$2106
https://programming.dev/u/codeinabox posted on Feb 21, 2026 11:19
https://programming.dev/post/46111620

9 posts in conversation

$$2306
https://programming.dev/u/codeinabox posted on Feb 21, 2026 20:53
In reply to: https://programming.dev/comment/22319784

Check against Can I Use, all of the APIs, except for the following are supported by major browsers:

- Synchronous Clipboard API: only Safari has full support, the rest have partial
- Temporal: only currently supported in Chrome and Firefox

https://programming.dev/comment/22321145
$$2312
https://piefed.social/u/nykula posted on Feb 21, 2026 21:04
In reply to: https://programming.dev/comment/22319784

Was a bit embarrassed when showing a prototype using Temporal last month and the provided computer’s Chrome turned out not recent enough to support it, so for this one API I’ll wait for one more year before considering it ready.

https://piefed.social/comment/10236938

Conversation

$$2099
https://sh.itjust.works/u/mindbleach posted on Feb 21, 2026 03:41
In reply to: https://piefed.blahaj.zone/comment/1187611

There was a time where you really needed Javascript and the Javascript you needed did not exist yet so you actually needed Flash.

If all your site did was display static content or maybe POST to a php back-end, sure, JS was optional. But if you wanted a website to do anything, or look like more than a jumped-up Word document, then JS was your only sane option until maybe 2011. And even then the Javascript you needed was actually jQuery.

https://sh.itjust.works/comment/23892529
