• 0 Posts
  • 1 Comment
Joined 1 year ago
Cake day: June 27th, 2023

  • Well this is concerning.

    Going to have to adjust my end-luser instructions, for sure.

    Just spitballing here, maybe the right answer is to stop assuming that bog standard email is secure in any serious sense of the word. That would require notifications through another channel.

    Since we are forcing MFA apps with Touch ID support on a wide scale (yay!) I suppose magic codes via an app might be viable.

    One I have in mind is designed for two-way comms with the originating server - press button on phone, you’re in. Would be fairly trivial to utilize that (marginally more secure if all actors trusted) for “Hey I’m a legit site!” notifications. Just something off the top of my head because the current paradigm isn’t working.