> is having me click on an email going to make it more secure?
We implemented this at Mercury recently to stop phishing attacks, and I believe Coinbase implemented it for the same reason [1].
TOTP authenticators are super ineffective at combating phishing. If a user is willing to give their email and password to a phishing site, there's very little standing in the way of them also providing their TOTP code.
WebAuthn solves this by working with the browser to tie authentication to a particular domain, but not everyone has a WebAuthn authenticator yet.
Meanwhile, email verification links are a really simple and effective way to shut down these phishing attacks. The phisher can't click the links, because they don't have access to the user's email. The user can't click the links on behalf of the phisher, because clicking the link only verifies the device that clicks the link.
I've been using DDG for around six months now, largely because I love their keyboard shortcuts. Weirdly there doesn't seem to be a shortcut to help insert bang commands.
I've been using this greasemonkey script[1] as a workaround, but I'd love to have an official solution.
https://mercury.com/404
My high score today is 33.