this post was submitted on 10 Jul 2023
55 points (96.6% liked)

lemmy.ml meta

1406 readers
1 users here now

Anything about the lemmy.ml instance and its moderation.

For discussion about the Lemmy software project, go to !lemmy@lemmy.ml.

founded 3 years ago
MODERATORS
nutomic@lemmy.ml
55
I'm going to assume the admins here all have 2FA on their accounts, right? (lemmy.ml)
submitted 1 year ago by tryagain@lemmy.ml to c/meta@lemmy.ml
26 comments fedilink hide all child comments
 

Right guys?

you are viewing a single comment's thread
view the rest of the comments
[–] Lmaydev@programming.dev 0 points 1 year ago (2 children)

Once a token is issued it is valid until it experies. There is no way to disable a token short of changing the secret used to sign them which would invalidate all existing tokens for all users.

[–] Mic_Check_One_Two@reddthat.com 3 points 1 year ago

I actually suggested exactly that elsewhere. It would be a nuclear option, for sure. Since it would require every single user to log back in. But it would 100% without a doubt stop the attacker in their tracks.

[–] Natanael 1 points 1 year ago

That's bad design because you can bind a user token to a per-account value which can be rotated to deprecate tokens