[thewebguyd]

Don't forget magic links in email for auth and password resets training people that it's OK to click links in emails.

Yes, we've (the software industry) been training people to practice poor OpSec for a very long time, so it's not surprising at all that corporate cybersecurity training is largely ineffective. We violate our own rules all the time

[wholinator2]

Has anyone invented an alternative to that yet? I could imagine emailing you a code to enter in a specific part of a site to get you to the right link, but then people could just scan all the codes. To solve that you could make the codes long 64bit strings but then that's too hard to remember so you could just provide functionality to automatically include that info to get you to the site but then that's just a link again.

Maybe if you expected everyone to copy-paste the info into the form? That might work

[aeternum]

This is the closest I've seen (pretty new): https://github.com/WICG/email-verification-protocol

[rapind]

I recently discovered that Microsofts SSO doesn't guarantee email veracity. Basically you can spoof emails via ActiveDirectory, so if a site supports Microsoft's SSO and doesn't do a second verification, then someone could login to your site with someone else's email.

I mean, what's the point of their SSO if you're just going to need to verify it with an email code anyways?

[miiiiiike]

It’s easier/more complicated than that. Use 6 digit codes, tied to a specific reset session, with only 3 attempts allowed per-session, and sessions lasting only 5 minutes.

[kakacik]

Don't allow HTML rendering of <a> element where href links to another URL than shown, don't allow any (java)scripts to run, or at least give user a warning that he is about top open a new window into domain XYZ.

This is how I found out quite a few scams (apart from obvious ones with improper wording or visual formatting, but those are on purpose so bad to catch only most unskilled or gullible, ie your grandma)

[Sophira]

About 10 years ago, I got an email from Microsoft of all people(!) which to any reasonably security-trained person would look entirely like a phishing email:[0]

1. It said "Dear User" instead of a name/username;

2. It talked about how they were upgrading their forum software and as such would require me to re-login;

3. It gave me a link to click in the email without any stated alternative;

4. It warned me that if I didn't do this, I would no longer be able to access the forum;

5. The domain of the URL that the link went to was not microsoft.com, but a different domain that had "microsoft" in it.

It was a textbook example for how a phishing email would look, and yet it was actually a legitimate email from Microsoft!

I haven't had any others like it since, but that was an eye-opener for sure.

[0] https://reddit.com/r/facepalm/comments/32ou4z/microsoft_what...

[Edit: Fixed a detail I misremembered.]

[Razengan]

There should be a way to tell you who I am without telling you who I am.

Phone/laptop based biometrics?

[disillusioned]

Isn't that what a passkey is intended to be?

If I want to use a passkey on my phone, I have to bio authenticate into it. Similarly, with Windows Hello as a passkey provider, via my camera scanner. It works well and is pretty seamless, all things considered. I prefer it to the email/code/magic link method.

[DANmode]

It’s how I’ve been using physical keys over the same protocol for years, mhmm.

[Brian_K_White]

The mechanics are a solved problem by sqrl I think, but it's too much responsibility for basically everyone.

You really do fully own and control your identity, and if you botch it and lose your top level keys, no one else can give you a "forgot password" recovery.

If this level of unforgiveness were dropped onto everyone overnight, it would mean infinite lost life savings and houses and just mass chaos.

Still I think it would be the better world where that was somehow actually adopted. The responsibility problem would be no problem if was simply the understood norm all along that you have this super important thing and here is how you handle it so you don't lose your house and life savings etc.

If you grew up with this fact of life and so did everyone else, it would be no problem at all. If it had been developed and adopted at the dawn of computers so that you learned this right along with learning what a compuer was in the first place, no problem. It's only a problem now that there are already 8 billion people all using computer-backed services without ever having to worry about anything before.

The real reason it's never gonna happen is exactly because it delivers on the most important promise of end user ultimate agency and actual security.

No company can own it, or own end users use of it. It can not be used for vendor lock in or data collection or profiling or government back doors or censorship or discrimination or any of the things that holding someone's password or the entire auth technology can be used for to have control over users.

No (large) company nor any government has any interest in that, and it's way too technical for 99.99% of people to understand the problems with all the other popular auth systems so there will be no overwhelming popular uprising forcing the issue, and so it will never happen.

A method already exists (I think), that solves the hard problems and delivers the thing everyone says they want, and everything else claims to be groping for, but we will never get to use it.

[thewebguyd]

I think this is the way forward. We shouldn't continue relying on email (or proving ownership over an email address for that matter) as identity.

Public/private keys with a second factor (like biometrics) as identity I think is a good option. A way to announce who you are, without actually revealing your identity (or your email address).

Tbh that's how all the age verification crap should work too for the countries that want to go down that road instead of having people upload a copy of their actual ID to some random service that is 100% guaranteed going to get breached and leaked.

We need psuedoanonymous verification

[dredmorbius]

Biometrics might be useful in establishing a (PKI) key, but are not suitable for the key itself.

"Something you have" is far more useful, especially if that something is itself cryptographically-based. Yubikeys, RSA fobs (generating one-time codes), and wearable NFC tokens (rings, amulets), and the like, which may be autheticated in part based on biometrics and other attestation, but are themselves revokable, would be a far better standard.

What the General Public can be expected to utilise willingly and effectively seems to be the larger problem, as well as what commercial and governmental standards are established.

[edoceo]

pGP signature?

[dredmorbius]

An unblemished 34 year record of failing mainstream adoption.

(I've had at least one PGP/GPG key for the past quarter century or so myself.)