It’s surprisingly difficult to know whether an email you’ve received is trustworthy.
Why is this so hard? Well, you can’t trust the sender name. You can’t trust the email’s look and feel. And you definitely can’t trust the body text. To be safe, you need to verify the sender’s domain name and the domain of every outgoing link.
Put yourself in the shoes of a random user and try to decipher “efax.hosting.com.mailru.co” or “drive.google.com.download-photo.net”. It’s unreasonable to expect the average user to be on high alert every time they open their inbox, so let’s find a better way.
The fundamental problem is that the information you need to determine whether an email is safe is 1) hard to find and 2) hard to understand. In a perfect world, this information would be 1) easy to skim and 2) impossible to misread.
There are a handful of ways to verify you’re talking with the right person. You can verify 1) something they are (biometrics), 2) something they have (2FA codes), or 3) something they know (passwords). It’s not immediately clear how we might associate emails with senders’ biometrics or 2FA codes, but we can definitely work off the idea of an “email password”.
We provide websites with passwords to verify who we are all the time. What if websites needed to provide us a password so that we could verify who they were? And what if these passwords weren’t complicated strings but rather easy-to-skim colors?
https://github.com/turbomaze/colorful-phish
Imagine this: the moment you created a password for a website, they created one to use with you. In your welcome email, they told you what this password was: a specific color, unique to your account. From that moment forward, you could rest easy knowing that if an email didn’t contain that exact color, then you were getting phished.
Here’s an example of what one of these welcome emails might look like:
And we’re done. Colors are simple to implement, easy to skim, and impossible to misunderstand. Check out colorful-phish on GitHub for a Node.js implementation that will help you eliminate phishing on your site with 3 lines of code.
If you have any thoughts or want to riff on related ideas, you can find me on Twitter at https://twitter.com/@imigliu.