Email Security for End Users Through Two Factor Verification

Email security is quite the challenge. Just training users isn't enough. It helps, of course; in fact, it is the best thing we have today. But even trained users can forget, make mistakes, or just be tricked anyway. Training isn't magic; it just helps us improve our existing defenses, which aren't really all that good. The ability to trick people is pretty strong, and people have pretty poor defenses against any degree of sophisticated trickery.

So what can we do? Malware scanners can't be the answer alone: not all attacks are malware, and not all malware gets caught. Spam filtering can't do it alone; most dangerous email isn't actually spam. User training can't do it alone; users are gullible and easily confused, or else we'd never have needed to train them in the first place. Putting all of these things together, along with forced TLS, checking blacklists and SPF records, and more, all helps. Layers of security, as people say. But as we know, it all adds up to still being pretty heavily at risk.

So MailBear is proposing a new solution: two factor email verification. Basically, a system by which, when an email is sent, an ID code is included in it that the receiver can use to reference the message; more or less a UUID. Then the receiver, upon receipt of the message, automatically reaches out either to a person or to an automated system to ask whether that system had, in fact, sent the message with that ID. This is done via a totally separate channel such as SMS, and essentially acts as a two factor mechanism.

By doing so, the recipient of the email would have an incredibly strong trust that, once verified, the email had truly come from the person in question. It does nothing to protect against malware in case that other person's machine had been infected, but it does ensure that the other party did, in fact, intend to send the message, protecting against things like spam, phishing, and automated attacks.
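The exchange described above, simulated end to end in Python as an added example (this is not MailBear's code). It assumes the ID travels in a hypothetical `X-Verification-ID` header, models the SMS round trip as a direct call to the sender's `confirm`, and has the recipient resolve that out-of-band contact from a directory it already trusts rather than from anything in the message, which is what keeps a spoofed sender from answering its own query.

```python
import uuid
from email import message_from_string
from email.message import EmailMessage

ID_HEADER = "X-Verification-ID"  # hypothetical header name; the post names none


class SenderSystem:
    """Sender side: stamps each outgoing message with a UUID and records it."""
    def __init__(self, address):
        self.address = address
        self.sent = {}  # verification id -> recipient it was issued for

    def compose(self, recipient, subject, body):
        msg = EmailMessage()
        msg["From"], msg["To"], msg["Subject"] = self.address, recipient, subject
        vid = str(uuid.uuid4())
        msg[ID_HEADER] = vid
        msg.set_content(body)
        self.sent[vid] = recipient
        return msg.as_string()

    def confirm(self, vid, recipient):
        """Answers the out-of-band query (stands in for SMS): did I issue this ID to this recipient?"""
        return self.sent.get(vid) == recipient


class RecipientSystem:
    """Receiver side: looks up the sender's out-of-band contact in a directory it
    already trusts, never in the message itself, then asks it to confirm the ID."""
    def __init__(self, address, directory):
        self.address = address
        self.directory = directory  # sender address -> confirm callable

    def verify(self, raw_message):
        msg = message_from_string(raw_message)
        vid, confirm = msg[ID_HEADER], self.directory.get(msg["From"])
        if vid is None or confirm is None:
            return False  # no ID, or no trusted out-of-band contact for this sender
        return confirm(vid, self.address)


def demo():
    """Returns (genuine verified?, spoofed verified?) for two constructed messages."""
    alice = SenderSystem("alice@example.com")
    bob = RecipientSystem("bob@example.com", {"alice@example.com": alice.confirm})
    genuine = alice.compose("bob@example.com", "Invoice", "Please review.")
    # Constructed spoof: forged From header and an invented ID alice's system never issued.
    spoofed = f"From: alice@example.com\nTo: bob@example.com\n{ID_HEADER}: {uuid.uuid4()}\n\nPlease review.\n"
    return bob.verify(genuine), bob.verify(spoofed)
```

Because `confirm` also checks which recipient the ID was issued for, a genuine ID forwarded or replayed to a different mailbox fails verification too, and a message with no ID at all is simply treated as unverified.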