Email authentication is pretty good and much better than not having anything. It is open to some alternate exploits, but this will usually take a lot of work and require targetting a specific user, so it's usually secure. After searching to see if this was a duplicate I saw some of the posts which caused email 2FA to be implemented and I'm sure it solved those problems, however, sometimes email can be inconvenient, especially when there are so many tools that help with TOTP (apps on basically every device, Authy if you want to sync across devices, and my favourite, password managers that automatically copy or fill the code when logging in). With exponential backoff, it's probably also the most secure option (other than maybe Google's Sign-In Prompts, but websites can't use this without using Sign in with Google, and I'd argue it can be more inconvenient at times).

Personally, I find the convenience benefits a big deal, especially without any kind of "Remember this device" system resulting in having to get a code fairly often when using multiple devices.

Email-based 2FA is something we know everyone is able to use, since you need an email address for an account. Anything else runs the risk of being unable to use it by some people. Phone apps require you to have a phone able to use them. Not everyone has a smartphone, and there's also people that simply do not have a cell phone period. SMS also suffers from the same issue, but also doesn't work in areas without cell phone service. There's other options still, but they, too, have their drawbacks and accessibility issues.

Overall, email 2FA is a solution that everyone will be able to use, as an email address is required on signup. Nothing else guarantees 100% accessibility.

As a side note: security is, by design, not supposed to be convenient. It's supposed to be secure.

Another advantage I didn't think of the time is stability. There was recently an issue where verifiers were unable to sign in for days due to not receiving email codes. With TOTP, there's much less that can go wrong and the system wouldn't really require changes after it's implemented, while with emails you generally have rate limits, cost, stability of the email provider/sender, user spam filters. I think having TOTP as at least an option, even if it's not used by default, would go a long way towards the goal with the big changes to speedrun.com of becoming more stable and usable

[quote]There was recently an issue where verifiers were unable to sign in for days due to not receiving email codes[/quote] Bumping this thread to note that, although I haven't ever had this stretch into days, I am still having regular issues where the MFA doesn't work for several hours at a time. As such, I would also appreciate having TOTP as an alternative method for 2fa.

I stopped using this site due to the introduction of the email-based 2fa requirement. I think 2fa is important, but going into my email every single time I want to log in just plain sucks. The last time I logged in was before this thread was created. That's how I'm justifying this thread bump lol

Habreno, what the heck are you on about? All users have access to some kind of computer, which is capable of generating these one-time passwords. Nevermind the issues with using email for 2-factor as others have pointed out, everyone who has an email address can also use TOTP. I use KeePassXC on my desktop for TOTP, no smartphone required. Also, TOTP could exist alongside email-based 2fa. There's no reason email 2fa option has to be axed. Email 2-factor could even continue to be the default. I don't know why you seem to think that there has to be one type of 2-factor for every user.

Lastly, I would argue that email is less secure than TOTP. I mean, it's no secret that the majority of email providers are able to read the contents of incoming emails. Yet, the only two entities that know my one-time passwords for any particular site are me and the site itself. Now, do I think email 2-factor is secure enough? Yes, of course. But just because TOTP is more convenient, at least for some people, doesn't mean that it is inherently less secure. This notion of "security has to be inconvenient" is how you get idiotic concepts like password expiration.

I agree there could be additions to the MFA system, or at least one alternative if the primary MFA is not functioning correctly for some reason. Back then E-mail authentication was just the easiest and most convenient option without requiring users to have a smartphone that could run an app for example, or require just a phone in general to receive a text message. (Not everyone has a phone still..) and we just went by: If a user has an e-mail they'd use to access SRC -> they can receive a 2FA code. The main reasons there currently aren't any additions to MFA are likely because back when Pac ran the site, his options were most likely limited. It was time and cost efficient to just go with e-mail authentication for now since it would satisfy the majority of its users. If Elo will actually consider an alternative to MFA, I'm not sure.. but I at least feel that there should be a back-up again in case the primary method is unavailable. Or you would essentially be locked out as others are describing hereabove.