zlacker

[parent] [thread] 4 comments
1. wholin+(OP)[view] [source] 2025-11-13 20:06:50
Has anyone invented an alternative to that yet? I could imagine emailing you a code to enter in a specific part of a site to get you to the right link, but then people could just scan all the codes. To solve that you could make the codes long 64bit strings but then that's too hard to remember so you could just provide functionality to automatically include that info to get you to the site but then that's just a link again.

Maybe if you expected everyone to copy-paste the info into the form? That might work

replies(3): >>aetern+W3 >>miiiii+B31 >>kakaci+RG1
2. aetern+W3[view] [source] 2025-11-13 20:28:20
>>wholin+(OP)
This is the closest I've seen (pretty new): https://github.com/WICG/email-verification-protocol
replies(1): >>rapind+N41
3. miiiii+B31[view] [source] 2025-11-14 04:41:24
>>wholin+(OP)
It’s easier/more complicated than that. Use 6 digit codes, tied to a specific reset session, with only 3 attempts allowed per-session, and sessions lasting only 5 minutes.
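The scheme described in the comment above, as an added example rather than code from the thread: a reset-code store with 6-digit codes bound to a session, 3 attempts per session, and a 5-minute session lifetime. The session-id format, the in-memory store and the injectable clock are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
MAX_ATTEMPTS = 3          # per session, as the comment proposes
SESSION_TTL_SECONDS = 300  # 5 minutes
# Worst case for an online guesser: MAX_ATTEMPTS / 10**CODE_DIGITS = 3e-6 per session.


def generate_code() -> str:
    # CSPRNG, zero-padded so every 6-digit value is equally likely
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


@dataclass
class ResetSession:
    code: str
    created_at: float
    attempts: int = 0


class ResetCodeStore:
    """Holds pending reset sessions (assumed in-memory store; the clock is injectable for tests)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions: dict[str, ResetSession] = {}

    def start_session(self) -> tuple[str, str]:
        # The opaque session id travels in the cookie/form; only the code goes in the email,
        # so a code alone cannot be scanned for without the matching session.
        session_id = secrets.token_urlsafe(16)
        code = generate_code()
        self._sessions[session_id] = ResetSession(code, self._clock())
        return session_id, code

    def verify(self, session_id: str, submitted: str) -> str:
        sess = self._sessions.get(session_id)
        if sess is None:
            return "no_session"
        if self._clock() - sess.created_at > SESSION_TTL_SECONDS:
            del self._sessions[session_id]
            return "expired"
        sess.attempts += 1
        # Constant-time comparison; bytes so non-ASCII input cannot raise.
        if hmac.compare_digest(sess.code.encode(), submitted.encode()):
            del self._sessions[session_id]  # single use
            return "ok"
        if sess.attempts >= MAX_ATTEMPTS:
            del self._sessions[session_id]  # burn the session, user must restart
            return "locked"
        return "wrong"
```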
4. rapind+N41[view] [source] [discussion] 2025-11-14 04:52:23
>>aetern+W3
I recently discovered that Microsoft's SSO doesn't guarantee email veracity. Basically you can spoof emails via ActiveDirectory, so if a site supports Microsoft's SSO and doesn't do a second verification, then someone could log in to your site with someone else's email.

I mean, what's the point of their SSO if you're just going to need to verify it with an email code anyways?

5. kakaci+RG1[view] [source] 2025-11-14 13:03:39
>>wholin+(OP)
Don't allow HTML rendering of an <a> element where the href links to a different URL than the one shown, don't allow any (Java)Scripts to run, or at least give the user a warning that they are about to open a new window into domain XYZ.

This is how I found out quite a few scams (apart from the obvious ones with improper wording or visual formatting, but those are deliberately that bad so as to catch only the most unskilled or gullible, i.e. your grandma).
