vehementi 4 days ago

Justifiable in a vacuum, but the end result is grandma knows "sometimes it's OK to give the code to the person on the phone"

cced 4 days ago

They should have users receive the code and then submit said code into the application for verification, with clear instructions that this code is produced as a result of a support call, and to confirm you are on an existing call when submitting the code.

Doing so would not force users to divulge codes over the phone, and enable support staff to verify identity all without training users that reading codes over the phone is acceptable.

Thoughts on that?

4 days ago
[deleted]

Ajedi32 4 days ago

Still not foolproof. Attacker can MITM the connection by initiating their own call to the real support line and relaying instructions between the user and support.

Ajedi32 4 days ago

How else are you supposed to do identity verification over the phone?

I think if the war against phishing online has taught us anything, it's that humans can't be trusted to not reveal secrets to scammers. Only machine-to-machine public key authentication (like TLS or WebAuthn or U2F) is truly phish-proof.
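The relay-resistance Ajedi32 attributes to machine-to-machine public-key authentication, as an added example (not code from the thread): a Go sketch of WebAuthn-style origin binding next to the read-back phone code, showing why a relayed assertion fails while a relayed code cannot be told apart from a genuine one. The key pair, origins, challenge and code are constructed sample values, and the authenticator and clientData structure are simplified for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData mirrors the two fields of WebAuthn's clientDataJSON that matter
// here: the server's challenge and the origin the browser actually signed for.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// authenticatorSign models the user's security key: it signs the server
// challenge together with the origin the browser reports and cannot be
// talked into leaving the origin out (simplified model, not the full spec).
func authenticatorSign(priv ed25519.PrivateKey, challenge, origin string) ([]byte, []byte) {
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	h := sha256.Sum256(cd)
	return cd, ed25519.Sign(priv, h[:])
}

// relyingPartyVerify is the server side: the signature must verify, the
// challenge must be the one it issued, and the origin must be its own.
func relyingPartyVerify(pub ed25519.PublicKey, issued, rpOrigin string, cd, sig []byte) bool {
	var parsed clientData
	if json.Unmarshal(cd, &parsed) != nil {
		return false
	}
	h := sha256.Sum256(cd)
	return ed25519.Verify(pub, h[:], sig) && parsed.Challenge == issued && parsed.Origin == rpOrigin
}

// phoneCodeVerify models the "read the code back" scheme: the only check
// available is that the digits match, so a relayed code looks genuine.
func phoneCodeVerify(issued, submitted string) bool { return issued == submitted }

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	const rp = "https://bank.example" // constructed relying-party origin
	challenge := "c0ffee"             // constructed; real challenges are random
	cd, sig := authenticatorSign(priv, challenge, rp)
	fmt.Println("direct login:", relyingPartyVerify(pub, challenge, rp, cd, sig))
	// A look-alike page relays the genuine challenge, but the browser signs
	// for the origin it is really on, so the relying party rejects it.
	cd2, sig2 := authenticatorSign(priv, challenge, "https://bank-login.example")
	fmt.Println("relayed login:", relyingPartyVerify(pub, challenge, rp, cd2, sig2))
	fmt.Println("relayed phone code accepted:", phoneCodeVerify("482913", "482913"))
}
```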