Comment on Why?
01189998819991197253@infosec.pub 2 weeks ago
How hard is it to implement email verification?
Securely? Very fucking difficult.
Comment on Why?
01189998819991197253@infosec.pub 2 weeks ago
How hard is it to implement email verification?
Securely? Very fucking difficult.
ChromaticMan@lemmy.world 2 weeks ago
No it’s not.
whoisearth@lemmy.ca 2 weeks ago
securely
bangupjobasusual@lemmy.world 2 weeks ago
Sorry, yes it is. I’d really prefer it if software developers would take this more seriously. Managing user credentials is a high risk burden that you should avoid if possible.
limer@lemmy.ml 2 weeks ago
There are open source solutions to handle this effectively, which can be used in most projects; I would change the advice you gave to “ do not roll your own email verification, ever”
bangupjobasusual@lemmy.world 2 weeks ago
I wouldn’t change my advice. Even if you go Argon2id, you still have a creds database to protect. If you let that go it’s just a matter of time before it’s useful.
You could go webauthn, but now we are back to passkey or windows hello or whatever. Which is what I told op, they invented passkey, and it’s Still third party reliance.
Source: I’ve been a software architect for 25 years.