• 857@infosec.pub
    1 year ago

    Well this is concerning.

    Going to have to adjust my end-luser instructions, for sure.

    Just spitballing here, maybe the right answer is to stop assuming that bog-standard email is secure in any serious sense of the word. That would require notifications through another channel.

    Since we are forcing MFA apps with Touch ID support on a wide scale (yay!) I suppose magic codes via an app might be viable.

    One I have in mind is designed for two-way comms with the originating server - press button on phone, you’re in. Would be fairly trivial to utilize that (marginally more secure if all actors trusted) for “Hey I’m a legit site!” notifications. Just something off the top of my head cause the current paradigm isn’t working.

    • garrett@infosec.pub
      1 year ago

      I’m not even sure how you’d frame this to users beyond “just don’t trust any links in the email”. Sounds like we might just need to accept the fact that email is unreliable. :/