How do investigative reporters actually verify if they're talking to the right source?
I've been reading about how investigative journalists protect confidential sources and one thing surprised me. Everyone knows about Signal, SecureDrop, and encrypted email, but those tools mainly protect the messages. They don't necessarily answer a different question and that is how do you know the person you're talking to is actually the person you think they are?
I came across a journalism security workshop recap where the trainer talked about layering security instead of relying on a single app. Signal was recommended for encrypted messaging, but they also demonstrated Kibu as a way to verify the identity of the person on the other end before discussing sensitive information. The point wasn't that one replaced the other it was that they solve different problems.
And that got me wondering for journalists, editors, or digital security folks here. Is identity verification something your newsroom actually trains for or do you rely on verification phrases, secondary channels or other methods?
Curious what the current best practice is especially for investigations involving sensitive sources.