liberapay / liberapay.com

Source code of the recurrent donations platform Liberapay
https://liberapay.com/

Protecting users against phishing #2294

Open Changaco opened 8 months ago

Changaco commented 8 months ago

It looks like the risk of phishing has never really been discussed in this repository.

Currently Liberapay recommends either using a password manager, or not setting a password at all (and always logging in via email instead). Both of those options reduce the probability of a user being tricked into giving access to their account to an attacker, but they don't eliminate it, and of course not all users do what's recommended. Possible improvements include #926 and #2163. Feel free to post other suggestions here.

mimi89999 commented 8 months ago

Hello,

As I proposed in https://github.com/liberapay/liberapay.com/issues/2163, I think that it would be best to implement Passwordless WebAuthn (Passkeys). It is both phishing resistant and very convenient.
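Why WebAuthn resists phishing comes down to two fields the relying party must check on every assertion: the browser writes the page's origin into `clientDataJSON`, and the authenticator puts `SHA-256(rpId)` at the start of `authenticatorData`; both are covered by the authenticator's signature, so an assertion obtained on a look-alike domain fails verification at the real site. The following is an added illustration of those server-side checks, not code from the Liberapay code base (Liberapay is a Python project, hence Python). The RP ID `liberapay.com` is taken from the site URL above; the allowed-origin set, the helper names and the sample assertion data are constructed for this example.

```python
import base64
import hashlib
import json
import secrets

RP_ID = "liberapay.com"                      # the site's registrable domain
ALLOWED_ORIGINS = {"https://liberapay.com"}  # assumed; origins the server accepts

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN/biometric on the authenticator)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_challenge() -> bytes:
    # Fresh per login attempt and stored server-side; binds the assertion to this session.
    return secrets.token_bytes(32)


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes, rp_id: str = RP_ID,
                    allowed_origins=frozenset(ALLOWED_ORIGINS)) -> dict:
    """Run the phishing-relevant checks from the WebAuthn 'get' ceremony.

    Returns the message that the credential's signature must cover
    (authenticatorData || SHA-256(clientDataJSON)); verifying that signature
    against the stored public key is done with a crypto library and is not
    shown here (assumption: the caller does it on `signed_message`).
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("unexpected clientData type")
    # Challenge check: a replayed assertion from an old session is rejected.
    if not secrets.compare_digest(b64url_decode(client_data.get("challenge", "")),
                                  expected_challenge):
        raise ValueError("challenge mismatch")
    # Origin check: the browser, not the page script, fills this in, so a
    # phishing site cannot claim to be the real origin.
    origin = client_data.get("origin")
    if origin not in allowed_origins:
        raise ValueError(f"origin {origin!r} not allowed")
    if len(authenticator_data) < 37:
        raise ValueError("authenticatorData too short")
    # rpIdHash check: browsers only let a page use an RP ID that is a
    # registrable suffix of its own domain, so a credential scoped to
    # liberapay.com is never exercised for another domain.
    rp_id_hash = authenticator_data[:32]
    if not secrets.compare_digest(rp_id_hash, hashlib.sha256(rp_id.encode()).digest()):
        raise ValueError("rpIdHash mismatch")
    flags = authenticator_data[32]
    if not flags & FLAG_UP:
        raise ValueError("user presence flag not set")
    sign_count = int.from_bytes(authenticator_data[33:37], "big")
    signed_message = authenticator_data + hashlib.sha256(client_data_json).digest()
    return {
        "origin": origin,
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,  # compare with the stored counter to spot cloned keys
        "signed_message": signed_message,
    }


# --- constructed sample data, shaped like what a browser/authenticator emits ---

def make_client_data(challenge: bytes, origin: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + sign_count.to_bytes(4, "big"))


if __name__ == "__main__":
    challenge = new_challenge()
    auth_data = make_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, sign_count=7)
    print(check_assertion(make_client_data(challenge, "https://liberapay.com"),
                          auth_data, challenge)["origin"])
    try:  # same challenge, same authenticator data, but captured on a look-alike origin
        check_assertion(make_client_data(challenge, "https://liberapay.com.example"),
                        auth_data, challenge)
    except ValueError as exc:
        print("rejected:", exc)
```

The two rejections worth watching in logs are the origin and rpIdHash mismatches: a password typed into a look-alike page is silently lost, whereas a passkey assertion produced there is cryptographically tied to the wrong origin and fails at the real server.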