With the topic of user account security coming up recently, I opened my big mouth and suggested that implementing Time-Based One-Time Passwords (TOTP), a popular multifactor authentication (MFA) method, might be useful. A number of crates already exist to provide these services, but I lack the Rust background to evaluate them much further.
In practice - for anyone unfamiliar - this is the thing where you set up an app on your phone (or in your password manager) to generate a code for logging into a web site. It's the same principle as a site sending you a one-time code in an SMS when you log in, but without having to store user information or pay Amazon $0.0065 per text. You go into a site and opt in to TOTP. The server generates and stores a key that you copy into your authenticator (commonly as a QR code scanned by a phone app, though a site can also show a text key for use in password managers). Next time you log into the site, you're prompted for the code from your authenticator; the code is generated independently by your authenticator from the shared key and the current time, and the server verifies it against the stored key.
Pros:
- MFA can increase user account security substantially for security-conscious users.
- Effective in mitigating compromised passwords and emails.
- TOTP allows you to implement MFA without storing sensitive information.
Complications:
- Initial hurdle to opt-in and set up authentication.
- Potential for unrecoverable user accounts without administrative intervention in the event of user key loss.
- Limited protective scope: In the event of a total database breach, keys may be exposed as well as passwords. Won't safeguard against stolen, unrevoked JWTs or session cookies.
I can get more into the weeds if anyone's interested, but I don't want to bore people with extraneous details.