Hard stance. I suspect many, many businesses would have to change significantly for that. And it wouldn't work till everyone (or the vast majority at least) did it anyway.
Including in emails "Reminder: we will never prompt you for your password except when you go to the main page and click login..." can help.
Also, making the login page so it only works when the referer is the home page (or a CSRF-protection-like mechanism) avoids the creation of links to login.
Many browsers now hide the referer entirely, so we've had trouble with that.
Even within site? I thought it was cross-site only.
Lots of sites depend on the same-origin referer, e.g. for image linking restrictions.
End of conversation
New conversation
Though FWIW I think 2FA is a better option for staff, since training doesn't seem to work very well.
2FA works well in a controlled, enterprise-type environment. Awful for personal users out in the chaotic world.
But either way it does nothing to kill off the awful "password culture" that's the source of phishing.
End of conversation