[Cryptography] Is this a solved problem?

Natanael natanael.l at gmail.com
Tue Sep 29 04:45:47 EDT 2020


On Tue 29 Sep 2020 at 05:29, Henry Baker <hbaker1 at pipeline.com> wrote:

> What I will describe is a standard problem in ecommerce today.
>
> A company has a web site, which customers have to 'log into'
> in order to view & purchase products.
>
> The company may also have a smartphone 'app' which provides
> equivalent capabilities for viewing & purchasing products.
>
> Nowadays, companies also have 2FA, which sometimes requires
> that one not only log into the website & provide a password,
> but also respond to an email or a text message sent to an
> email address or a smartphone.
>
> So, the company also mails out special promotions for its
> better customers to their email addresses (most likely
> the same ones that they utilize for 2FA).  Clearly, if a
> customer receives the email on their 2FA account, then they
> are already authenticated. So a link in that email should
> take them to an *already-logged in* web page.  It is a very
> irritating hassle for such a link to require that the
> customer log in again.
>
> But companies don't want these links to work if this customer
> emails these links to his/her buddies.  Aside from them not
> being preferred customers of the company, these buddies would
> also -- in effect -- be logging in as the original email
> recipient, and could conceivably buy products which would
> be charged to the original email recipient.
>
> Now most smartphone 'apps' are considered 'personal', and
> many/most don't require logging in when they are utilized.
> So such an emailed link would prefer to open the smartphone
> app rather than a web page in the user's preferred browser.
> But we still have the same problem if this link activates
> the same 'app' on one of the buddies' smartphones.
>
> So how can the company make a 'link' that only operates for
> the original recipient of the email, and not for anyone else
> who somehow gains access to this link?
>
> Are there any 'standard'/'preferred' solutions to this problem?
>

Don't make it an auto-login link; instead, make it equivalent to a 2FA token
that requires the user to *already* have an active user session (account
session cookies) on the same browser where the link is opened.

If they're not logged in then the link may suggest that they log in with
that associated account, but it would otherwise be an unauthenticated
session.

You can even put restrictions on the actions that can be done under such an
"unprompted" 2FA-like token, such as being able to open your wishlist, etc.,
but not being able to complete a new order without additional 2FA.
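A sketch of the check Natanael describes, added here as an example that is not part of the original thread: the e-mailed link carries a signed, scoped, expiring token that never logs anyone in by itself; it only does something when the browser already holds a session for the same account. The key, account names and scope labels are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo key; a real deployment would load this from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"

# Scopes a promo token may exercise on its own; anything else needs step-up 2FA.
LOW_RISK_SCOPES = {"view_wishlist", "view_promotion"}


def make_promo_token(user_id: str, scope: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Mint the token embedded in the promotional e-mail link.
    It names the account and the intended action, expires, and is HMAC-signed so
    it cannot be forged or altered. It carries no login capability by itself."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "scope": scope, "exp": now + ttl_seconds,
              "nonce": secrets.token_hex(8)}
    body = json.dumps(claims, separators=(",", ":")).encode()
    mac = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac).decode()


def redeem_promo_token(token: str, session_user: Optional[str], now: Optional[int] = None) -> dict:
    """Decide what the link may do, given which account (if any) the browser's
    existing session cookie belongs to. The token itself never creates a session."""
    now = int(time.time()) if now is None else now
    raw = base64.urlsafe_b64decode(token.encode())
    body, mac = raw[:-32], raw[-32:]
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return {"outcome": "reject", "reason": "bad signature"}
    claims = json.loads(body)
    if now > claims["exp"]:
        return {"outcome": "reject", "reason": "expired"}
    if session_user is None:
        # No session on this browser: offer a normal login for the named account.
        return {"outcome": "prompt_login", "login_hint": claims["sub"]}
    if session_user != claims["sub"]:
        # A forwarded link opened in someone else's logged-in browser is not honoured.
        return {"outcome": "reject", "reason": "session belongs to another account"}
    if claims["scope"] in LOW_RISK_SCOPES:
        return {"outcome": "allow", "action": claims["scope"]}
    # Session matches, but ordering still requires an additional 2FA step.
    return {"outcome": "step_up", "action": claims["scope"], "requires": "2fa"}
```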
