add a per account image as a way to prevent authentication spoofing

[nicolasburtey]

I am not sure if I could explain my point correctly. Example.

1. some-app.io ask for blink email address, user enters, app calls /auth/email/code
2. user receives email with otp, enters code to some-app.io, which calls /auth/email/login
3. some-app.io has access to all token authenticated API endpoints of user

a way to limit this, is to present a custom image, consistent login after login, after the user have added his email, but before he has added his code.

so that if the user is not able to see this image, he would not something might be off, and would not put the code received by email or phone

[designsats]

Email would have to contain the same image for verification. Most users, me included, would not remember what picture wallet showed them months ago. Could the wallet just invite user by their username "Welcome back usernamne" - since attacker wouldnt know their username?

[nicolasburtey]

Username is a pseudo public information so I don't think this is a good heuristics

An alternative that some banks do is to ask for the user to provide a mnemonic (like 2 words the user choose) instead of relying on a random image.