User-provided phrase to verify email sender - Is this a good idea?



  • Signing up for a medical records service today, in addition to security questions (sigh), I was prompted with a field that read:

    Security Phrase for Email Messages:
    Your security phrase will be included with all email communications to verify that you received the email from (this is not your password or security question answer) Example: I love chocolate. My dog's name is Toto.

    I've never seen this anywhere before and couldn't find anything on it online (maybe I wasn't using the right terms). The reasoning seems to be that only will know your security phrase and seeing it in an email will verify it, because a phishing attack won't be able to duplicate it.

    On the other hand, it seems to me not much more useful than security questions and may even train users to not use other methods of verifying incoming email.

    Is this kind of thing a good way to verify emails from a service? Would it help prevent phishing attacks?



  • This is an extension of the advice on how to verify emails from authorized senders. Usually, you want to see some sort of info in the email content that is not generic or public knowledge. This verification phrase takes that one step further.

    It seems like a fine way to provide tools to users to better verify incoming emails.


