duxup 4 days ago

Is it possible to do the thing proposed in the email without clicking the link?

I just try to avoid clicking links in emails generally...

loloquwowndueo 4 days ago

Should be - open another browser window and manually log into npm whatever, and update your 2fa there.

Definitely good practice.

Dilettante_ 4 days ago

This is the Way. To minimize attack surface, the senders of authentic messages should straight-up avoid putting links to "do the thing" in the message. Just tell the user to update their credentials via the website.

viraptor 4 days ago

That's what the Australian Tax Office does. Just a plaintext message that's effectively "you've got a new message. Go to the website to read it."

duxup 4 days ago

All my medical places I use do that, with the note that you can also use their app. Good system.

foxglacier 3 days ago

Unfortunately, my doctor's office texts me their bank account number saying "please pay $75 to this account". I told them that's putting people at risk of phishing but they didn't care.

darthwalsh 2 days ago

Personally, I'd rather they put the HIPAA message content straight into the email, and let Gmail sort out the priority. About 90% of "you have received a message" notifications are not actionable: "you made an appointment" or "take this survey nobody cares about."

amysox 4 days ago

My doctor's office does the same thing. So do some financial services companies.

Roguelazer 3 days ago

For most users, that'll just result in them going to Google, searching for the name of your business, and then clicking the first link blindly. At that point you're trusting that there's no malicious actors squatting on your business name's keyword -- and if you're at all an interesting target, there's definitely malvertising targeting you.

The only real solution is to have domain-bound identities like passkeys.

hu3 4 days ago

That's what I always do. Never click these kinds of links in e-mail.

Always manually open the website.

This week Oracle Cloud started enforcing 2FA. And surely I didn't click their e-mail link to do that.

ares623 3 days ago

But won’t someone think of the friction? /s

My theory is that if companies start using that workflow in the future, it'll become even _easier_ for users to click a random link, because they'd go "wow! That's so convenient now!"

0cf8612b2e1e 4 days ago

The Microsoft ecosystem certainly makes this challenging. At work, I get links to Sharepoint hosted things with infinitely long hexadecimal addresses. Otherwise finding resources on Sharepoint is impossible.

JohnFen 4 days ago

> I just try to avoid clicking links in emails generally...

I don't just generally try, I _never_ click links in emails from companies, period. It's too dangerous and not actually necessary. If a friend sends me a link, I'll confirm it with them directly before using it.