Update: I just noticed that you are not the OP. So having no stake in the situation and nothing to potentially lose (unlike the OP) you can be as irresponsible with your comments as you like. Especially being anonymous. So who cares?

In all honesty, I don't see how an anonymous post is more lacking in relevance than a veiled argument. I actually wrote the above anonymous post, sorry, I hadn't realised I wasn't logged in.

I really don't see how you think that this compromises the security of the application in question.

A person applies for access and is sent a code by post. They can only do anything with that code if they are the owner of the email address which the request was made with and they received the code in the post.

There is basically no possibility of anyone guessing both pieces of information; it's not even any more plausible that someone having taken control of the email address could then guess the correct code. Note that it's not _any_ valid code, it's _that_ valid code that is required.

After that, they can associate a login token with their account to use it to log in. Worst case, if someone stole my email address and intercepted my post, they could attach their login to my account until I complained of all these injustices.

So who cares?

The point is that the supposed-to-be secure system whose identity I am legally bound not to reveal, is made more vulnerable now that its code can be cracked, albeit somewhere else. There may be repercussions from that.

One world, one people