pixelfed / ideas

Issues board used for Pixelfed suggestions

better security #48

Open JohnPlanetary opened 4 years ago

JohnPlanetary commented 4 years ago

I understand the common user won't do these, but some power/high-profile users may need these to reinforce their account security...

1) "Disable the use of e-mail address for login and recovery"

It should be possible to disable the use of the e-mail address for the login username and for login recovery.

E-mail is a widely known vulnerable attack vector that is almost impossible for the common user to protect.

2) "Dedicated username just for the login"

Alternatively, the network should generate a dedicated random login username, e.g. "zvs2j-fkqfx-kbpti", plus the user-chosen password to log into the account.

The use of the special random login username, for both normal login and for recovery, prevents hackers from just requesting access using the publicly known e-mail, especially if they get access to it.

... or just use "SQRL", suggested below at number 5.

3) "Special account recovery username & password"

To recover access to the account you could have a special username & password, randomly generated by the server, say:

Recovery username: 7urvv-3rp5w-ddic4-7t3ry
Recovery password: pfrp3-v9rj6-c7w25-xd3f5

Using this special recovery data, the user should be logged out and asked to log in again normally, then asked to enter the recovery username & password to make sure the user really knows them; only after entering them correctly is their use activated. Otherwise the functionality stays inactive until the user generates new values and successfully logs in with those.

Changing them should require knowing them, to prevent hackers from modifying them after a successful attack on the normal username & password login.

Of course e-mail login and e-mail recovery could be available by default, but users could be offered these upgrades to make stealing social accounts harder.

... or just use "SQRL", suggested below at number 5.

4) "Provide secure notifications"

Usually users are notified by e-mail and/or SMS of things happening on the account, but since none of them are truly secure/private solutions I would suggest the integration of Threema Gateway into the platform. Unfortunately I'm not aware of a similar free substitute for this kind of notification on a messenger platform that is both secure and private end-to-end. If one such thing exists or is created for free, then even better.

What would be notified?

5) "Support more secure login technology"

SQRL (Secure Quick Reliable Login) (https://www.grc.com/sqrl/sqrl.htm) seems a better/more secure way to log in and in and of itself solves all the problems at once [nothing private for the server to lose, recovery of the account, locking recovery access (if supported by the platform) to just allow the use of the secure SQRL to log in], effectively making all the work suggested in suggestions two (2) and three (3) above unnecessary.

SQRL is meant to replace the login username & password. A FIDO/FIDO2/WebAuthn second factor, for example, can still be used for extra security.

The use of SQRL even allows the platform to not need the e-mail address at all, which is better for complying with privacy laws around the world by not requiring information that is not really needed to use the service.

6) "Prevent large account creation of SPAM accounts"
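The recovery-credential lifecycle proposed in suggestion 3 (random server-generated pair, inactive until the user re-enters it after a fresh login, rotation only with knowledge of the current pair), as an added example that is not part of the issue or of Pixelfed's code base. Token format, the `Account` class and the PBKDF2 iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Lowercase letters and digits, dash-grouped like the examples in the post.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

def random_token(groups: int = 4, group_len: int = 5) -> str:
    """CSPRNG token such as '7urvv-3rp5w-ddic4-7t3ry' (secrets, never random)."""
    return "-".join("".join(secrets.choice(ALPHABET) for _ in range(group_len))
                    for _ in range(groups))

def hash_secret(secret: str, salt: bytes) -> bytes:
    # Only the hash is stored; the iteration count here is illustrative.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

@dataclass
class RecoveryCredential:
    username: str
    salt: bytes
    pw_hash: bytes

    def matches(self, username: str, password: str) -> bool:
        # Constant-time checks; both run so timing does not reveal which part failed.
        user_ok = hmac.compare_digest(self.username.encode(), username.encode())
        pw_ok = hmac.compare_digest(self.pw_hash, hash_secret(password, self.salt))
        return user_ok and pw_ok

class Account:  # hypothetical account model
    def __init__(self) -> None:
        self.active = None   # recovery stays off until a pending pair is confirmed
        self.pending = None

    def issue_recovery(self, cur_user=None, cur_pw=None):
        """Generate a new pair; rotating an active pair requires proving knowledge of it."""
        if self.active is not None and not (
                cur_user and cur_pw and self.active.matches(cur_user, cur_pw)):
            raise PermissionError("present the current recovery username & password first")
        username, password, salt = random_token(), random_token(), secrets.token_bytes(16)
        self.pending = RecoveryCredential(username, salt, hash_secret(password, salt))
        return username, password  # shown to the user exactly once

    def confirm_recovery(self, username: str, password: str) -> bool:
        """After a fresh normal login the user re-enters the pair; only then does it go live."""
        if self.pending is None or not self.pending.matches(username, password):
            return False
        self.active, self.pending = self.pending, None
        return True

    def recover(self, username: str, password: str) -> bool:
        return self.active is not None and self.active.matches(username, password)
```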

JohnPlanetary commented 4 years ago

7) "Invite codes"

Invite codes that can be reused until manually removed or automatically expired; invite codes for one use only.

These can be used to prevent spammers from getting an account with automated tools, for example, or to only allow certain people from a community to get in. They can also be integrated into some paywall to give out the code after payment (this can be used, for example, to allow a one-time payment to contribute to the service and also to deter spammers to some degree).

These "invite codes" can also be extended to personal accounts, to only allow pre-approved people to request friendship (can be enabled for both open and private profiles).