
2 factor authentication

@sheckley666 said in #5:
> Mmh - I do use 2-factor authentication, and I rarely need an authenticator. I keep logged in between sessions, and lichess each time automatically recognizes my account.
> All I had to do was allow the browser to keep cookies from lichess.

But isn't the idea of 2fa that you actually use the second factor? This sounds strange.... what's the use of 2fa if it is never checked?
The second factor is useful if someone tries to use my account from another device.
If someone manages to gain control of my PC, as mentioned in #7, then lichess is the least of my worries.

@senn71 said in #11:
> But isn't the idea of 2fa that you actually use the second factor? This sounds strange.... what's the use of 2fa if it is never checked?

The thief or the phisher needs the device and the browser where you authorized lichess to keep the session active without logging out each time you close the tab. But as already mentioned, if someone has your phone or your PC the lichess account is at the end of the things you need to worry about.

When instead they want to access specifically your lichess account remotely and they obtained your password, then they need an additional code that lasts 30 secs each time to be able to login.

You can reset the 2fa with an email reset link because, again, the principle is that if you lose access to your email account you have bigger priorities. I personally disagree with this but the lichess devs seem confident.

Unless you constantly use multiple devices and browsers to login to lichess it seems to me that activating 2fa while keeping your title is much better than requesting to be de-titled and lose all the benefits that come with it.
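
The behaviour discussed in the posts above, sketched as an added example (not part of the thread and not lichess's code): a hypothetical `Site` class asks for the password plus a 30-second TOTP code only on a fresh login, and afterwards accepts the stored session cookie alone. The class and method names are assumptions; the secret and timestamps are the RFC 6238 test values.

```python
import hashlib, hmac, secrets, struct

STEP = 30  # seconds one code stays valid, per the post above

def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second step containing `now`."""
    mac = hmac.new(secret, struct.pack(">Q", int(now) // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Site:
    """Hypothetical server with one account and an in-memory session store."""
    def __init__(self, password: str, secret: bytes):
        self.password, self.secret, self.sessions = password, secret, set()

    def login(self, password: str, code, now: int):
        """Fresh login (no cookie): password AND current code are required."""
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            return None
        if code is None or not hmac.compare_digest(code.encode(), totp(self.secret, now).encode()):
            return None
        cookie = secrets.token_urlsafe(32)  # what the browser keeps between visits
        self.sessions.add(cookie)
        return cookie

    def request(self, cookie) -> bool:
        """Returning browser: a valid cookie is enough, no code is asked for."""
        return cookie in self.sessions

def demo() -> dict:
    secret = b"12345678901234567890"   # constructed: RFC 6238 test key
    t_login, t_later = 59, 1111111109  # constructed: RFC 6238 test times
    site = Site("correct horse", secret)
    old_code = totp(secret, t_login)
    cookie = site.login("correct horse", old_code, t_login)
    return {
        "owner_browser_with_cookie": site.request(cookie),
        "other_device_password_only": site.login("correct horse", None, t_later),
        "other_device_replayed_code": site.login("correct horse", old_code, t_later),
        "other_device_no_cookie": site.request(None),
    }

if __name__ == "__main__":
    print(demo())
```

Only the first entry succeeds: the owner's browser is let in on its cookie, while a second device holding the password is refused without a current code, and a code from an earlier 30-second step no longer verifies.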