Submitting a password reset request directs to the login page with a modal acknowledgement that I think goes away on a timer.
Registration requires US state or state-like jurisdiction (i.e. military).
Password needs to be gauged as "good" via some remote arbiter at the endpoint `https://api.coinbase.com/v2/users/score-password` with the password posted as `password` in a form data body. Needless to say, the rules for passwords to meet this strength requirement are not surfaced. I'm starting to think I need a profile field to document this crap consistently beyond notes. Maybe `password.rule` as a human-text field? (Would still cooperate with data like `password.value.length.max`.)
Passwords consisting entirely of spaces are rated as "good" past a certain length, but trigger "password can't be blank" errors.
Actually, no, they aren't rated as "good"... passwords of only spaces crash the server! The API returns a 500 status code in response, and now I'm not seeing any new requests going out.
Logging in and changing password both require a code from Authy.
Logging in from a new machine requires opening a confirmation link.
Not profiling destination after resetting a password because it's subject to so much subjectivity re: Authy, new machine approval step...
I just realized I didn't actually review password changing, brb.
Not profiled: