|
Implementing password resets is hard. The problem comes down to how we authenticate a user who forgot the common secret(s) we shared. We all know, that "password reset questions" are often just weak "password bypass questions," and can not be used to authenticate a user reliably. [OK OK OK... I see the comments already: "But I don't answer them correctly." Sure: you do. but you are also reading a blog about password reset questions. ...] Let's talk about resetting passwords. In my opinion, password reset questions should never be considered as an authentication mechanism. Let's call them a rate-limiting tool: They prevent an attacker from flooding a victim with password reset e-mails. But this is about all they are good for. So what else can we do? SMS or automated phone calls can be a reasonable option for some sites, but NIST in recent guidance regarding two-factor authentication pointed out that it is certainly possible for an attacker to obtain access to someone's SMS traffic. To do so, an attacker has to convince a phone company to add a new phone to the account. The process usually involves answering some questions similar to password reset questions, or some social engineering. The phone/SMS authentication isn't any better than the weak password reset questions we try to get rid off. There is another method I have seen implemented a couple of times. I call it "password buddy". When you set up an account, you select a few individuals that may approve password resets on your behalf. In a corporate environment, these may be coworkers or your boss. But it could also be a family member. For this to work, both parties need to have an account at the same site. Here is a quick workflow how this works:
So this is the rough outline of the process. There are some possible problems with it:
If there is something else that doesn't work in security, then it is central "anonymous" help desks. They can almost always be social engineered. The idea behind this system is that you authenticate to someone who you work with daily, maybe you can even just walk over to them and ask them for help in person. Or a family member that knows you very well. The "buddy" will never see your password. They just approve the fact that you changed it. They will also not know your password reset questions and any other details about your account. How they authenticate you is up to them, but in a corporate environment, you may want to set up some rules around how the authentication should happen (in person, over the phone...) --- |
Johannes 4352 Posts ISC Handler Oct 4th 2016 |
| Thread locked Subscribe |
Oct 4th 2016 5 years ago |
|
This is essentially a 'trusted introducer' concept I proposed at Delta Air Lines in 2000 as a way of handling a highly dispersed workforce with needs to perform password resets at possibly odd hours from usually strange places.
The option of having more than one trusted introducer/"buddy", and requiring at least N (>1) of them, is taken directly from 1 < M < N, require M-of-N schemes for distributing pieces of primary cryptographic keys (or key recovery material). To a limited degree, Google and LastPass (and I think Apple, but as I don't use Apple at all I'm not sure) have this, I think called "security email address". I agree with Johannes - this would be a useful system. It needs to be gotten right, and each of us must choose our trusted introducers/ buddies very well, but it would help with some current challenges of too-weak recovery systems on the one hand, and too-hard-to-use recovery systems on the other hand. |
Anonymous |
| Quote |
Oct 5th 2016 5 years ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
