@zekuzelalem was it asking for your login credentials including password, or just for your Mastodon handle and other identity info?

@fencepost so first it asks for your mastodon instance name, then after you've filled that, your account email and password. Red flag on the play no?

@zekuzelalem not certain and no time to look at it right now, possible it's doing the same kind of third party authentication that's common with signing into sites with Google or Facebook accounts.

@fencepost Makes sense, but at least with Fb and Google, we have globally renowned entities and kings in their domains. I dont think we can say the same about this thing though.

@zekuzelalem @fencepost

I think you got this backwards: the authority in this case would be your (own) Mastodon/ActivityPub instance (which, at least for serious use, you might wanna trust, at least to some degree). The fishyness (phishiness?) of the “verification” site remains, anyhow.

For starters, in order to give evidence about my account being mine indeed I’d just publish a signed message that states this, e.g. using OpenPGP and by putting this info (or a link to it) into my profile description. In case the account becomes compromised I could at least revoke this statement (i.e. tell the world I got “hacked”), and should it ever happen that my crypto key gets into the wrong hands I’d, of course, have to revoke it in a similar fashion.
Yes, very technical, indeed, but maybe keybase.io is more appealing to some (never have tried it myself).

Fun fact: all journalists at The Intercept (which, in general, delivers serious journalism – contrary to a lot of “mainstream” outlets) have a PGP key ready on their web site (which, I’m afraid to say, is all but standard among press and other entities).