Suggestion Removing the 30 days limit from 2FA logins

[matpower]

Last time I used 2FA, it was a bit of a chore to use due to this little feature, it feels pointless to have it there if you have toggled "keep logged in".
I understand that it helps with security a bit more since you need to prove that you are yourself every 30 days, but it is really unnecessary since you are already trusting that computer to be safe, and it is a non-standard behavior for 2FA implementation (I believe only Twitch has that 30 days limit). It seems like a small thing but it might put people off from using 2FA since it is annoying for them, and we should be obviously trying to make people use better security methods to avoid incidents like leaked databases (often with shared passwords since people refuse to use a password manager due to distrust or lack of know-how).

 

[shaunj66]

I really don't see any reason to change this except for it being a minor inconvenience. I feel the security it provides far outweighs the extra time it takes to login once a month.

Of course I'd like to invite other members to give their opinions as we're open to change if the demand is there.

 

[Pedeadstrian]

Last time I used 2FA, it was a bit of a chore to use due to this little feature, it feels pointless to have it there if you have toggled "keep logged in".
I understand that it helps with security a bit more since you need to prove that you are yourself every 30 days, but it is really unnecessary since you are already trusting that computer to be safe, and it is a non-standard behavior for 2FA implementation (I believe only Twitch has that 30 days limit). It seems like a small thing but it might put people off from using 2FA since it is annoying for them, and we should be obviously trying to make people use better security methods to avoid incidents like leaked databases (often with shared passwords since people refuse to use a password manager due to distrust or lack of know-how).

Plenty of sites/programs use a 30 day limit (or even lower) regardless of it being 2FA. If anything, nowadays a site that leaves you logged in permanently seems to be the non-standard behavior. Of course, if you wanna get rid of the "chore" of relogging in every month you could just turn the feature off. Why do you need such strong security for this site, anyway? There's no address/credit card info stored here. Are you afraid someone will hack your account and post something stupid? Or maybe become Margen 3.0 and like everything?

 

[matpower]

Plenty of sites/programs use a 30 day limit (or even lower) regardless of it being 2FA. If anything, nowadays a site that leaves you logged in permanently seems to be the non-standard behavior. Of course, if you wanna get rid of the "chore" of relogging in every month you could just turn the feature off. Why do you need such strong security for this site, anyway? There's no address/credit card info stored here. Are you afraid someone will hack your account and post something stupid? Or maybe become Margen 3.0 and like everything?

Pretty much every service where I use 2FA (Discord and Steam to name a few) doesn't do that, sadly this is anecdotal evidence, so I can't really argue against that. Also there is no argument against having strong security, if my account gets hacked and someone spams using it, use it for slandering other members, etc, it will be my own fault, I am sure that saying "I was hacked!" won't clear any warnings or bans. Right now the only reason I don't have 2FA active right now is because I didn't have a phone until recently.

 

[Chary]

I did have 2FA on once upon a time, but I had to have Bortz disable it for me, because it wouldn't send me an email code on those 30 day increments. I suppose there's the google auth app thing now that I have a phone, though.