Passwordless authentication - how and when to invalidate a login code


Our system uses passwordless login: we send the user a login code and link by e-mail, with which they can log in.

We found that one of our customers has a mail scanner that actually follows those links. We invalidate the login codes on use to reduce the attack surface for an attacker. But now such emails no longer have a valid login link.

There seem to be two solutions to this:

  • Do not provide a login link but only a code in the message.

  • Let the login code remain valid after first use for X period (say it invalidates after 15 minutes).

Option 1 seems to be unacceptable to our UX team.

Option two seems to be much less secure:

  • Provides a bigger attack surface because more codes will be active in our database.

  • Social engineering will be easier: a user could take a picture of someone's mail and type in the code within the valid period (even though the user already used the code) and log in with this code.

Would there be any other or better solution that would be both UX friendly and (at least as) secure?










Comments:

  • This exact same question has been asked before. I can't find it right now, but I know it is here. – MechMK1, yesterday

  • Does the one-off customer mail scanner have a sufficiently unique user-agent that you can simply block it on your server? Possibly coupled with the customer static IP? – user10216038, yesterday

  • So annoying that I won't make it a real answer: Put a CAPTCHA on the page that the login link goes to. – Barmar, yesterday

  • security.stackexchange.com/questions/211258/… – Joe, 21 hours ago

  • Possible duplicate of Do mail servers follow links in emails as part of a security scan before inbox delivery? – MechMK1, 13 hours ago

















Tagged: authentication






asked yesterday by Joel Harkes (new contributor); edited 1 hour ago by koyae




4 Answers


















Instead of invalidating the login code when the link is clicked, have a script on the page that runs and makes a request to your server to invalidate the code. This will only be effective if the "mail scanner" just visits the page and doesn't run any scripts on it.



You should also invalidate the code after a period of time (your second option), because if the user is running a browser with scripts disabled the code will not be invalidated by this method. The timeout serves as a backup if this is the case.



If you find that whatever "mail scanner" your users have is running scripts on the page, this won't work. Instead, you could require a user action on the linked page to complete the login process. Your users would click the link in the e-mail and be taken to a simple page with a login button, and perhaps some text like Log in as <username>?. Only log them in (and invalidate the login code) when they click the button. This would require two clicks from your users instead of one, but I don't think that's too inconvenient.



Since the "mail scanner" will only visit the page and not click the button, it won't use up the code.



See this similar question.



Edit: I'm liking the login button click more and more. It doesn't rely on the mail scanner not running scripts so it should be more robust. You could even combine it with Steffen Ullrich's cookie idea. If the user clicks the login link in the e-mail and has the cookie, you know they're not the mail scanner so you can log them in right away. One click and they're logged in. If the cookie is NOT present, the click might actually be coming from the mail scanner, so you show a page with a login button. If it's actually just the user on a different browser (or the same browser with cookies disabled), they'll click the button and log in. In this case it took them two clicks, but that's only a slight inconvenience and it's only necessary if the cookie isn't there.






answered yesterday by gfrung4 (edited yesterday)




















Comments:

  • Normally this is handled with a form that makes a POST request, since automated tools are unlikely to submit those. It also eliminates dependency on scripts. – domen, yesterday

  • Yes, this was the one I was looking for! – MechMK1, yesterday

  • Instead of editing with "Edit:", just... edit the post to say the new thing. If people care what it was in the past, they'll look at the revision history. – Nic Hartley, yesterday
































It is unclear in which context the password-less login is used. But, if the user gets sent the link to log in only after visiting the site, then you could issue a cookie to the user's browser and expect this cookie when the user logs in.

Most users will likely use the same browser to log in after getting the link via mail, and in this case you could align the clicked URL with the cookie sent by the browser. Since the security appliance has no knowledge of the end user's cookies you can easily reject the click from this appliance.

In case the user uses a different browser for clicking the link, or if the user has deleted the cookies explicitly or implicitly (like when using a new private browser session), you can still have an explicit token in the mail the user can manually enter to continue with the authentication.

This way almost all users are handled transparently when clicking the link, the remaining users can continue manually by entering the token, and any automatic systems are left out - even if they are able to execute the JavaScript on the page.

I would not count on the inability of these analysis systems to run script. I'm pretty sure that many will actually handle script since this is also a typical mechanism used in phishing mails to complicate analysis. Instead you should count on missing knowledge of the system (i.e. it does not know the cookie) and not missing capabilities.






answered by Steffen Ullrich


















Comments:

  • This approach seems kind of frickle. What if your local IT admin created the account for you? What if the user signed up with a different device? What if the user has set something such as Firefox Focus (acts like incognito mode) as his default browser? What if the user visits your site on Chrome, clicks on the mail notification and his smartphone opens the link with Samsung browser? etc pp – pytago, 16 hours ago

  • @pytago: These points are actually addressed in my answer. Please read the parts "In case the user uses a different browser ... almost all users are handled transparently when clicking the link, the remaining users can continue manually by entering the token and any automatic systems are left out... ". The main point of my answer is that it does not rely on some currently incapable analysis which might be capable of clicking some link or executing script later. It relies instead on missing knowledge and not missing capability by the analysis. – Steffen Ullrich, 16 hours ago

































Log in only on POST request. The link in the email should not cause a login: it should simply link to a login page. The URL code can be extracted from the URL and put into a hidden form field. When the form is submitted, which the email scanner will not do, then, and only then, is the user logged in.



If you want to reduce user friction, you can have JavaScript submit the form automatically once the page loads.
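The three answers above fit together into one server-side flow: a GET on the mailed link never consumes the code; if the request carries the cookie that was set on the browser that asked for the link (Steffen Ullrich's idea) the user is logged in at once, otherwise a confirmation page is shown and only the POST from its button consumes the code (gfrung4's button and the POST-only answer), with the question's 15-minute timeout as a backup. The following is an added, framework-free model of that flow, not code from any of the posters; `LoginCodeStore`, `handle_link_get` and `handle_confirm_post` are hypothetical names, and the "requests" are plain values constructed inline.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

CODE_TTL_SECONDS = 15 * 60  # the 15-minute backup window from the question


@dataclass
class PendingLogin:
    user: str
    cookie_token: str   # bound to the browser that requested the link
    expires_at: float
    used: bool = False


class LoginCodeStore:
    """In-memory store of outstanding login codes (hypothetical helper).

    A real deployment would persist only a hash of the code and the cookie
    token; plaintext is kept here so the example stays short.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock          # injectable so the timeout can be tested
        self._codes: Dict[str, PendingLogin] = {}

    def issue(self, user: str) -> Tuple[str, str]:
        """Create a one-time code for the e-mail and a cookie value for the
        browser that asked for it. Both are random; only the code is mailed."""
        code = secrets.token_urlsafe(32)
        cookie = secrets.token_urlsafe(32)
        self._codes[code] = PendingLogin(user, cookie, self._clock() + CODE_TTL_SECONDS)
        return code, cookie

    def _lookup(self, code: str) -> Optional[PendingLogin]:
        entry = self._codes.get(code)
        if entry is None or entry.used or self._clock() >= entry.expires_at:
            return None             # unknown, already consumed, or timed out
        return entry

    def _consume(self, entry: PendingLogin) -> str:
        entry.used = True           # a code logs in exactly once
        return entry.user

    def handle_link_get(self, code: str, cookie: Optional[str]) -> dict:
        """GET from the mailed link. A mail scanner that follows the link
        reaches this path and can never burn the code by itself."""
        entry = self._lookup(code)
        if entry is None:
            return {"status": "invalid"}
        if cookie is not None and hmac.compare_digest(
            cookie.encode(), entry.cookie_token.encode()
        ):
            # Same browser that requested the link: one click logs them in.
            return {"status": "logged_in", "user": self._consume(entry)}
        # No cookie (scanner, other browser, private session): show a
        # confirmation page whose button POSTs the code back.
        return {"status": "confirm", "prompt": f"Log in as {entry.user}?"}

    def handle_confirm_post(self, code: str) -> dict:
        """POST from the confirmation button; the only path that consumes
        the code when the cookie is absent."""
        entry = self._lookup(code)
        if entry is None:
            return {"status": "invalid"}
        return {"status": "logged_in", "user": self._consume(entry)}


if __name__ == "__main__":
    store = LoginCodeStore()
    code, cookie = store.issue("alice@example.test")   # constructed sample user
    print("scanner GET :", store.handle_link_get(code, None)["status"])
    print("user POST   :", store.handle_confirm_post(code)["status"])
    print("replay POST :", store.handle_confirm_post(code)["status"])
```

The scanner's visit leaves the code usable, the user's POST (or cookie-bearing GET) consumes it, and a replay or an expired code is rejected.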




















I'll add my comment question as a possible stated answer.

Block the one-off customer USER-AGENT on your server? Couple with the customer static IP.

Assuming these are sufficiently unique, you can make it transparent.

Don't hard code the one instance; assume it will happen again and set up a reference table of USER-AGENT and IP to be blocked. That way you can simply add to the table as required.






answered by user10216038


















Comments:

  • I would imagine that whatever "mail scanner" is in use fakes its user agent. If it announced to every site it visited that it was a mail scanner, it would be very easy for actual malicious sites to serve a benign page to it, "fooling" the scanner. – gfrung4, yesterday

  • @gfrung4: While it would seem logical, you'd be surprised how often it doesn't happen. The reasons are manifold: developers didn't know or care, legal concerns about pretending to be someone else, maintenance keeping the ID updated. More often than not it's either completely absent (which is itself usable) or a static semi-unique ID. Hopefully the OP will tell us. – user10216038, yesterday

  • If the mail scanner is behind the same NAT that the customer is, this won't work. If the mail scanner runs on the customer's machine, this also won't work. – abligh, 17 hours ago

  • @abligh: As long as the mail scanner has a different user-agent than the customer browser, it will work even from the same NAT. Your second point is valid but that would be a very strange and unlikely configuration. – user10216038, 9 hours ago













    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "162"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );






    Joel Harkes is a new contributor. Be nice, and check out our Code of Conduct.









    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f212933%2fpasswordless-authentication-how-and-when-to-invalidate-a-login-code%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    4 Answers
    4






    active

    oldest

    votes








    4 Answers
    4






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    27














    Instead of invalidating the login code when the link is clicked, have a script on the page that runs and makes a request to your server to invalidate the code. This will only be effective if the "mail scanner" just visits the page and doesn't run any scripts on it.



    You should also invalidate the code after a period of time (your second option), because if the user is running a browser with scripts disabled the code will not be invalidated by this method. The timeout serves as a backup if this is the case.



    If you find that whatever "mail scanner" your users have is running scripts on the page, this won't work. Instead, you could require a user action on the linked page to complete the login process. Your users would click the link in the e-mail and be taken to a simple page with a login button, and perhaps some text like Log in as <username>?. Only log them in (and invalidate the login code) when they click the button. This would require two clicks from your users instead of one, but I don't think that's too inconvenient.



    Since the "mail scanner" will only visit the page and not click the button, it won't use up the code.



    See this similar question.



    Edit: I'm liking the login button click more and more. It doesn't rely on the mail scanner not running scripts so it should be more robust. You could even combine it with Steffen Ullrich's cookie idea. If the user clicks the login link in the e-mail and has the cookie, you know they're not the mail scanner so you can log them in right away. One click and they're logged in. If the cookie is NOT present, the click might actually be coming from the mail scanner, so you show a page with a login button. If it's actually just the user on a different browser (or the same browser with cookies disabled), they'll click the button and log in. In this case it took them two clicks, but that's only a slight inconvenience and it's only necessary if the cookie isn't there.






    share|improve this answer




















    • 6





      Normally this is handled with a form that makes a POST request, since automated tools are unlikely to submit those. It also eliminates dependency on scripts.

      – domen
      yesterday











    • Yes, this was the one I was looking for!

      – MechMK1
      yesterday






    • 9





      Instead of editing with "Edit:", just... edit the post to say the new thing. If people care what it was in the past, they'll look at the revision history.

      – Nic Hartley
      yesterday















    27














    Instead of invalidating the login code when the link is clicked, have a script on the page that runs and makes a request to your server to invalidate the code. This will only be effective if the "mail scanner" just visits the page and doesn't run any scripts on it.



    You should also invalidate the code after a period of time (your second option), because if the user is running a browser with scripts disabled the code will not be invalidated by this method. The timeout serves as a backup if this is the case.



    If you find that whatever "mail scanner" your users have is running scripts on the page, this won't work. Instead, you could require a user action on the linked page to complete the login process. Your users would click the link in the e-mail and be taken to a simple page with a login button, and perhaps some text like Log in as <username>?. Only log them in (and invalidate the login code) when they click the button. This would require two clicks from your users instead of one, but I don't think that's too inconvenient.



    Since the "mail scanner" will only visit the page and not click the button, it won't use up the code.



    See this similar question.



    Edit: I'm liking the login button click more and more. It doesn't rely on the mail scanner not running scripts so it should be more robust. You could even combine it with Steffen Ullrich's cookie idea. If the user clicks the login link in the e-mail and has the cookie, you know they're not the mail scanner so you can log them in right away. One click and they're logged in. If the cookie is NOT present, the click might actually be coming from the mail scanner, so you show a page with a login button. If it's actually just the user on a different browser (or the same browser with cookies disabled), they'll click the button and log in. In this case it took them two clicks, but that's only a slight inconvenience and it's only necessary if the cookie isn't there.






    share|improve this answer




















    • 6





      Normally this is handled with a form that makes a POST request, since automated tools are unlikely to submit those. It also eliminates dependency on scripts.

      – domen
      yesterday











    • Yes, this was the one I was looking for!

      – MechMK1
      yesterday






    • 9





      Instead of editing with "Edit:", just... edit the post to say the new thing. If people care what it was in the past, they'll look at the revision history.

      – Nic Hartley
      yesterday













    27












    27








    27







    Instead of invalidating the login code when the link is clicked, have a script on the page that runs and makes a request to your server to invalidate the code. This will only be effective if the "mail scanner" just visits the page and doesn't run any scripts on it.



    You should also invalidate the code after a period of time (your second option), because if the user is running a browser with scripts disabled the code will not be invalidated by this method. The timeout serves as a backup if this is the case.



    If you find that whatever "mail scanner" your users have is running scripts on the page, this won't work. Instead, you could require a user action on the linked page to complete the login process. Your users would click the link in the e-mail and be taken to a simple page with a login button, and perhaps some text like Log in as <username>?. Only log them in (and invalidate the login code) when they click the button. This would require two clicks from your users instead of one, but I don't think that's too inconvenient.



    Since the "mail scanner" will only visit the page and not click the button, it won't use up the code.



    See this similar question.



    Edit: I'm liking the login button click more and more. It doesn't rely on the mail scanner not running scripts so it should be more robust. You could even combine it with Steffen Ullrich's cookie idea. If the user clicks the login link in the e-mail and has the cookie, you know they're not the mail scanner so you can log them in right away. One click and they're logged in. If the cookie is NOT present, the click might actually be coming from the mail scanner, so you show a page with a login button. If it's actually just the user on a different browser (or the same browser with cookies disabled), they'll click the button and log in. In this case it took them two clicks, but that's only a slight inconvenience and it's only necessary if the cookie isn't there.






    share|improve this answer















    Instead of invalidating the login code when the link is clicked, have a script on the page that runs and makes a request to your server to invalidate the code. This will only be effective if the "mail scanner" just visits the page and doesn't run any scripts on it.



    You should also invalidate the code after a period of time (your second option), because if the user is running a browser with scripts disabled the code will not be invalidated by this method. The timeout serves as a backup if this is the case.



    If you find that whatever "mail scanner" your users have is running scripts on the page, this won't work. Instead, you could require a user action on the linked page to complete the login process. Your users would click the link in the e-mail and be taken to a simple page with a login button, and perhaps some text like Log in as <username>?. Only log them in (and invalidate the login code) when they click the button. This would require two clicks from your users instead of one, but I don't think that's too inconvenient.



    Since the "mail scanner" will only visit the page and not click the button, it won't use up the code.



    See this similar question.



    Edit: I'm liking the login button click more and more. It doesn't rely on the mail scanner not running scripts so it should be more robust. You could even combine it with Steffen Ullrich's cookie idea. If the user clicks the login link in the e-mail and has the cookie, you know they're not the mail scanner so you can log them in right away. One click and they're logged in. If the cookie is NOT present, the click might actually be coming from the mail scanner, so you show a page with a login button. If it's actually just the user on a different browser (or the same browser with cookies disabled), they'll click the button and log in. In this case it took them two clicks, but that's only a slight inconvenience and it's only necessary if the cookie isn't there.







edited yesterday
answered yesterday
gfrung4







• Normally this is handled with a form that makes a POST request, since automated tools are unlikely to submit those. It also eliminates dependency on scripts.
  – domen, yesterday

• Yes, this was the one I was looking for!
  – MechMK1, yesterday

• Instead of editing with "Edit:", just... edit the post to say the new thing. If people care what it was in the past, they'll look at the revision history.
  – Nic Hartley, yesterday












It is unclear in which context the password-less login is used. But, if the user gets sent the link to log in only after visiting the site, then you could issue a cookie to the user's browser and expect this cookie when the user logs in.

Most users will likely use the same browser to log in after getting the link via mail, and in this case you could align the clicked URL with the cookie sent by the browser. Since the security appliance has no knowledge of the end user's cookies, you can easily reject the click from this appliance.

In case the user uses a different browser for clicking the link, or if the user has deleted the cookies explicitly or implicitly (like when using a new private browser session), you can still have an explicit token in the mail the user can manually enter to continue with the authentication.

This way almost all users are handled transparently when clicking the link, the remaining users can continue manually by entering the token, and any automatic systems are left out - even if they are able to execute the JavaScript on the page.

I would not count on the inability of these analysis systems to run script. I'm pretty sure that many will actually handle script, since this is also a typical mechanism used in phishing mails to complicate analysis. Instead you should count on missing knowledge of the system (i.e. it does not know the cookie) and not on missing capabilities.







answered yesterday
Steffen Ullrich







• This approach seems kind of fragile. What if your local IT admin created the account for you? What if the user signed up with a different device? What if the user has set something such as Firefox Focus (acts like incognito mode) as his default browser? What if the user visits your site on Chrome, clicks on the mail notification and his smartphone opens the link with Samsung browser? etc pp
  – pytago, 16 hours ago

• @pytago: These points are actually addressed in my answer. Please read the parts "In case the user uses a different browser ... almost all users are handled transparently when clicking the link, the remaining users can continue manually by entering the token and any automatic systems are left out... ". The main point of my answer is that it does not rely on some currently incapable analysis which might be capable of clicking some link or executing script later. It relies instead on missing knowledge and not missing capability by the analysis.
  – Steffen Ullrich, 16 hours ago













        Log in only on POST request. The link in the email should not cause a login: it should simply link to a login page. The URL code can be extracted from the URL and put into a hidden form field. When the form is submitted, which the email scanner will not do, then, and only then, is the user logged in.



        If you want to reduce user friction, you can have javascript submit the form automatically once the page loads.







answered 14 hours ago
TRiG
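One implementation of the POST-only rule, serving both this answer and gfrung4's "login button" design further up, as an added example (stdlib-only, framework-free Python; not code from either answer or from any project, and the function names, the in-memory store and the 10-minute TTL are assumptions of the example). The GET handler renders the confirmation form with the code in a hidden field and consumes nothing; only the POST handler pops the code, which also makes it single-use. The `auto_submit` flag is the friction reducer from the last paragraph.

```python
import hashlib
import html
import secrets
from typing import Dict, Optional, Tuple

# In-memory store standing in for a database (constructed for this example):
# sha256(code) -> (email, expires_at)
CODES: Dict[str, Tuple[str, float]] = {}
TTL = 10 * 60   # seconds; backstop if the link is never confirmed


def _h(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def issue_code(email: str, now: float) -> str:
    """Create the code that goes into the e-mailed link."""
    code = secrets.token_urlsafe(32)
    CODES[_h(code)] = (email, now + TTL)
    return code


def _lookup(code: str, now: float) -> Optional[Tuple[str, float]]:
    """Read-only lookup; expired entries are dropped, valid ones are left in place."""
    entry = CODES.get(_h(code))
    if entry is not None and now > entry[1]:
        del CODES[_h(code)]
        entry = None
    return entry


def handle_get(code: str, now: float, auto_submit: bool = False) -> Tuple[int, str]:
    """GET /login?code=...  Renders the confirmation form and consumes nothing.

    This is the request a mail scanner makes. It may fetch this page any
    number of times; the stored code is untouched.
    """
    entry = _lookup(code, now)
    if entry is None:
        return 400, "<p>This login link is invalid or has expired.</p>"
    email = entry[0]
    page = (
        '<form method="post" action="/login">'
        f'<input type="hidden" name="code" value="{html.escape(code, quote=True)}">'
        f"<p>Log in as {html.escape(email)}?</p>"
        '<button type="submit">Log in</button>'
        "</form>"
    )
    if auto_submit:
        # One-click variant: browsers that run script submit immediately.
        page += "<script>document.forms[0].submit()</script>"
    return 200, page


def handle_post(form: Dict[str, str], now: float) -> Tuple[int, Optional[str]]:
    """POST /login  The only place a code is consumed; returns (status, email)."""
    code = form.get("code", "")
    entry = CODES.pop(_h(code), None)          # pop: single use
    if entry is None or now > entry[1]:
        return 403, None
    return 200, entry[0]                        # create the session for entry[0] here
```

As Steffen Ullrich's answer warns, a scanner that executes script will submit the auto-submitting variant and consume the code, so `auto_submit=True` trades the robustness of the two-click flow for one click. Since the POST changes server state, give the form the same protection as any other login form (a CSRF token or a SameSite cookie) so that a third-party page cannot submit a code it holds from inside a victim's browser (login CSRF).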





















            I'll add my comment question as a possible stated answer.



            Block the one-off customer USER-AGENT on your server? Couple with the customer Static IP.



            Assuming these are sufficiently unique, you can make it transparent.



            Don't hard code the one instance, assume it will happen again and set up a reference table of USER-AGENT and IP to be blocked. That way you can simply add to the table as required.







answered yesterday
user10216038







• I would imagine that whatever "mail scanner" is in use fakes its user agent. If it announced to every site it visited that it was a mail scanner, it would be very easy for actual malicious sites to serve a benign page to it, "fooling" the scanner.
  – gfrung4, yesterday

• @gfrung4: While it would seem logical, you'd be surprised how often it doesn't happen. The reasons are manifold: developers didn't know or care, legal concerns about pretending to be someone else, maintenance keeping the ID updated. More often than not it's either completely absent (which is itself usable) or a static semi-unique ID. Hopefully the OP will tell us.
  – user10216038, yesterday

• If the mail scanner is behind the same NAT that the customer is, this won't work. If the mail scanner runs on the customer's machine, this also won't work.
  – abligh, 17 hours ago

• @abligh: As long as the mail scanner has a different user-agent than the customer browser, it will work even from the same NAT. Your second point is valid but that would be a very strange and unlikely configuration.
  – user10216038, 9 hours ago











