Four-factor authentication!


One of the popular bitcoin exchanges is strike.me.  I guess they really want to minimize the risk that somebody could log in under somebody else’s account.  Here is how it went today when I logged in.

  • Step 1.  On my notebook computer, I go to strike.me and I click “log in” and enter my email address.  What happens next is that it sends a secret code number to me by email (if my email address exists in their system).  It invites me to key in the secret code number.
  • Step 2.  Check email again and again and again, eventually receiving the email with the secret code number.  It would be tempting to read the secret code number and key it in on the web page.  But it turns out that the secret code number is itself a URL to a web page.  Nowhere is it documented why you might want to click on this URL, but try it anyway.
  • Step 3.  The URL launches a new web page that invites me to go find my TOTP (time-based one-time password) and key it in.  I do so.
  • Step 4.  What appears next is a page that says I am still not authenticated.  I am invited to go find my mobile phone and launch the Strike app and click to authenticate myself.
  • Step 5.  An email message arrives, letting me know that someone is trying to log in using my email address.
  • Step 6.  I launch the Strike app and click to authenticate myself.
  • Step 7.  I now see that I am logged in on my notebook computer.
  • Step 8.  An email message arrives, letting me know that someone logged in using my email address.

I suppose depending on how you count it, this amounts to four-factor authentication.  To log in, I had to satisfy something like five conditions:

  • I had to know the email address for logging in.  (In this case it is a custom email address specific to strike.me, so most people would not know the email address.)
  • I had to be able to receive email at that email address.  (Most people would not be able to receive email at that email address.)
  • I had to be able to generate my time-based one-time password.  (Most people would not be in possession of my TOTP shared secret for strike.me.)
  • I had to be able to lay my hands on my mobile phone, unlock it, launch the strike.me app, unlock it, and then click on the “authenticate” button.
  • If this had all been a bad person somehow trying to hack my account, I would have received not one, not two, but three emails that might have tipped me off.

On the one hand, this seems a bit extreme and a bit annoying.   On the other hand, I get it that they would want to minimize the risk of somebody hacking my account.
