Ask HN: Why isn't time more a part of account recovery?

I don't have a blog so I don't have some polished think piece on this, just an honest question to the HN crowd. Why isn't it standard practice to have a 'reset cool-down' or something similar on accounts? I want to be able to say have X + Y = primary auth but backup Z (which is presumably less secure) is allowed only a successful login means a 48 hour cool down before you can fully log in (and presumably fix your primary auth mechanism). I am thinking of doing this for a site but don't see it as a best practice and was wondering why.

1 points | by jmward01 2 hours ago

1 comments

  • 1970-01-01 2 hours ago
    Same reason we don't have IPv6 everywhere. It's too hard to for most devs to implement it into whatever they're already living with.