Protecting Your Account: Why You Can't Use Your Work Email as a Recovery Email in Patr
As the provider of a platform as a service (PaaS), we take security very seriously. One way we ensure the safety and security of our users is by requiring that they sign up with a personal email address rather than a work email. Let us explain what we mean.
The problem
When a user signs up for Patr, they are allowed to add domains to their account so that Patr can automatically update their DNS records for their deployments. However, if a domain is added to Patr, it cannot be used as a recovery email because if the DNS records are ever misconfigured, the user would be locked out of their account without a way to access their "forgot password" email.
How do we solve it?
To avoid this scenario, we have implemented a simple solution: we do not allow domains that are used as recovery emails to be added to Patr. Instead, we require users to use a personal email address as their recovery email. This ensures that even if the DNS records are misconfigured, our users can always access their accounts by using their personal email address to reset their password.
What's the big deal?
Now, you might be wondering why we are so stringent about not allowing custom domains to be used as recovery emails. The answer is simple: phishing attempts. In the world of cybersecurity, phishing is a tactic used by attackers to trick users into giving up their login credentials. Even with stringent security measures in place, there is always a possibility that a malicious user could try to gain access to another user's account. Phishing attacks can come in many forms, including emails that appear to be from legitimate sources but are actually designed to steal user information.
If we were to allow work domains to be used as recovery emails, it would open up the possibility for phishing attempts. An attacker could simply reach out to us claiming to be a legitimate user who needs to reset their password, even if there is no issue with their DNS records. This would make it difficult for us to verify the user's identity and could potentially lead to a malicious actor gaining access to someone else's account.
The Alice and Bob
For example, imagine a scenario where Alice has added her work email domain to Patr and also uses it as her recovery email. Bob, a hacker, sends an email from a different email address claiming to be Alice and asks Patr to reset her account because she can no longer access her email. If we were to grant Bob access to Alice's account, he would have full control over it and could potentially cause harm to her business.
By disallowing work domains as recovery emails, we are taking a proactive approach to security. We are ensuring that our users always have control over their accounts, and that they are not at risk at any point of time. While this may seem like a minor inconvenience to some users, we believe that the added security is worth the peace of mind that comes with knowing that your data is always secure. It's important to note that our users can still add their work email domain to Patr; they just can't use it as a recovery email.
Security is important
At Patr, we strive to make life better for both our customers and ourselves. By implementing this policy, we can ensure that our users always have full control over their accounts and that their data remains safe and secure. While it may seem like a small detail, we believe that the devil is in the details when it comes to security, and we want our users to feel confident that their data is always in good hands. If you have any questions or concerns about this policy, please contact us at any time.