thefullstackciso.com
Security, shipped
Vol. I — No. 7Falls Church, Va.Thursday, July 16, 2026Price: free, always

The Full Stack CISOSupply chainPage A6May 23, 2026
Supply chain

OTP-only auth: when the email IS the identity

A one-time code stops password theft. It does not stop disposable inboxes from farming accounts — each one with a fresh set of cost caps.

If your only credential is a six-digit code sent to an email address, then the email address is the account. That is clean, until you remember how cheap email addresses are.

The disposable-inbox problem

A CAPTCHA stops bots at the door. It does nothing about a script driving a real browser through a throwaway-inbox service, collecting a fresh account and a fresh set of usage limits every time. The counter you so carefully built resets per identity, and identities are free.

Reject throwaways, but fail open

A before-user-created hook can reject known disposable domains. Write it so that a bug in the hook can never lock a real user out of signing up.

A control that protects signup must never become the reason signup is down.

Fail open here, not closed. The worst case for a broken filter should be a few junk accounts, never a working reader who cannot get in.

letters to the editor

Loading the letters…

sign in with your email · your CertScore shows on your letter