Ask HN: How do you ask customers for 'secrets'
3 by chrisacky | 2 comments on Hacker News.
We provide API integrations as a service to our customers. We'll frequently need things like a single API key, or a Client + Secret, or BasicAuth + username/password, merchant vendor codes, etc. Once we get the passwords/keys/secrets, they are stored within a vault, but we don't have a good way of asking our customers for them that gives them confidence in supplying them.

Curious what solutions people have come up with? i.e. PGP email (might be difficult for non-technically inclined people to achieve). Sending half to "Skype" (or generic chat), the other half to email/phone. This I'd argue is less secure, but is seen as more secure by the customer than just having a collection form to let them enter it directly. A PGP self-hosted form submission which encrypts before sending...

The thing we want to avoid here is having passcodes flying around on different media, and instead have a single process which is both seen by the customer as secure and is actually secure. The problem I've had is that we can make something that is secure, but customers think it's not because it's a simple 'web browser' form that is being submitted. We also need a non-technical solution for when clients aren't too capable; if we set something up which isn't convenient, even the technical folk will look at circumventing it.