🖼️Security Images
What are security images, and how are they used by OTP Guard?
The abstract pattern or image that is present on top of every logged-in OTP Guard page is a security image. Security images are a feature of OTP Guard to improve phishing resistance and make it easier to work with multiple organizations.
All users have a personal security image for managing their personal account, and a different image for each organization they are a member of. This is meant as a visual cue to quickly identify which organization is active.
Everyone in an organization will generally have a unique, personalized image, although it is not a problem if some accounts happen to have the same image.
Security images are randomly selected when a user account is created, or when an organization is attached to an existing account. The security image can be changed to suit your preferences. Security images are a small cue that offers defense in depth - they help increase confidence you are on the correct site, and working with the correct organization.
Changing Security Images
Security images are securely and randomly selected when an account is created or an organization is first attached to an account. If the selected image is not to your taste, then we encourage you to set the security image to something pleasing and memorable. Make OTP Guard yours. For personal accounts: go to dash.otpguard.com and select the Security Image link under "My Account". For organization images, go to the organization page and select the "Security Image" link.
If you are a member of multiple organizations, it may help to make the security images as differentiated as possible so it is easy to tell at a glance which organization you are working with at the moment.
Security Image Confidentiality
Security images are not a secret. They have a level of confidentiality similar to that of a home address. They are somewhat private in that you don't necessarily want the world to know what it is, but not a secret that cannot be revealed. Sharing a screenshot that includes the security image with trusted parties, such as team members, is not a problem. However, no one should ever ask for your security image, and beware of anyone that does. If a phisher were somehow able to get ahold of your security image(s), then they could impersonate some aspects of the OTP Guard website. However, OTP Guard's other phishing-resistant features, such as passkey and security key authenticators, and tight GitHub integration, make any phish unlikely to have a large impact.
Phishing Protection
Security images offer a small degree of phishing protection. Without a valid OTP Guard session credential, phishers would not be able to generate the correct session image. This makes OTP Guard harder to impersonate, because any fake pages would not appear correct.
If the security image does not appear correct, look closely at the URL in the browser - it should begin with https://dash.otpguard.com
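The same URL check done in code rather than by eye, as an added example that is not OTP Guard's own code: it compares the parsed origin exactly instead of testing whether the address begins with the expected text, because a prefix test also accepts lookalike hosts. The function names, sample URLs and paths are constructed for illustration.

```javascript
// Added example (not OTP Guard code): verify that a URL really points at the
// dashboard origin named on this page.
const EXPECTED_ORIGIN = "https://dash.otpguard.com";

// Naive check: "begins with" on the raw string. Shown only for comparison.
function prefixCheck(rawUrl) {
  return rawUrl.startsWith(EXPECTED_ORIGIN);
}

// Strict check: parse the URL and compare scheme + host + port as one unit.
// URL.origin lowercases the host, drops the default port, and ignores any
// userinfo ("user@") and path, so only the real destination is compared.
function isDashboardOrigin(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // not a parseable absolute URL
  }
  return url.origin === EXPECTED_ORIGIN;
}

// Constructed sample URLs: genuine forms first, then lookalikes.
const SAMPLES = [
  "https://dash.otpguard.com/organizations",
  "https://DASH.OTPGUARD.COM:443/",
  "http://dash.otpguard.com/",
  "https://dash.otpguard.com.example.net/",
  "https://dash.otpguard.com@example.net/",
  "not a url",
];

// Returns one row per URL so the two checks can be compared side by side.
function compareChecks(urls) {
  return urls.map((u) => ({
    url: u,
    prefix: prefixCheck(u),
    strict: isDashboardOrigin(u),
  }));
}

for (const row of compareChecks(SAMPLES)) {
  console.log(`${row.strict ? "OK  " : "FAIL"} strict  prefix=${row.prefix}  ${row.url}`);
}
```

The two lookalike URLs pass the prefix test but fail the strict comparison, which is why the exact host name matters more than the first characters of the address.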