In a world where passwords remain the most widely implemented way to authenticate someone, setting up a website password management strategy that is both simple and secure can be quite challenging. One key aspect of such a strategy is the way users recover a password they have lost. The objective is to find the best scenario: simple enough to let users define a new password without going through exhausting and complex steps, but secure enough to prevent account hijacking by malicious people.

Poorly secured password recovery scenario:

1. Ask for the connection ID (email or login) as well as the date of birth.
2. Ask for the new password the user wants to define.

This process is badly secured and is not recommended, especially if the web application gives access to sensitive data or transactions:

- it is quite easy to obtain someone's date of birth along with their email address (if you know that person, or through social engineering);
- if an attacker changes the password (knowing the date of birth), the real account owner is not made aware of the change and cannot react.

Let's look at a secured password recovery process:

1. Ask for some personal data, like the last digits of the social security number, date of birth, client number...
   a. Ask for the answers to security questions given during registration ("what was your first home phone number during your childhood?", "name of your first pet?"...).
   b. Send a simple secret code through another communication channel (secondary email address or mobile phone); the user may choose which channel they prefer. This secret code must have a limited validity in time and must be deactivated once it has been used.
2. Once the secret code is confirmed, display a password change form asking for the new password.
3. Confirm that the password has been changed by sending an email to the user (to the primary email address and possibly to the secondary one). In case of fraud, the victim is therefore warned.

Steps 1.a and 1.b can be combined or used alone; e.g. you can choose to implement only 1.b and not use security questions.

A few points that decide whether step 1.b actually holds up: the secret code must come from a cryptographically secure random generator, be stored only as a hash, and accept a small number of attempts, otherwise a short numeric code can simply be guessed before it expires. Answers to security questions are weak secrets (they are often discoverable in the same way as a date of birth), so 1.a should reinforce 1.b rather than replace it. The recovery form should also answer the same way whether or not the login exists, so it cannot be used to enumerate accounts.

The detailed choice of implementation will depend on the data already collected during registration and may imply adding fields to the registration forms.
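The two scenarios side by side, as an added example in Python (not code from the original post): `weak_reset` is the date-of-birth flow, and `RecoveryService` implements steps 1, 1.b, 2 and 3 of the secured process (the optional security questions of 1.a are left out). The user store, the outbox that stands in for e-mail and SMS delivery, the 15-minute validity and the 5-attempt budget are assumptions made here, not values from the post.

```python
"""Password recovery: the weak flow beside a hardened one (added example)."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # assumed validity of a secret code
MAX_CODE_ATTEMPTS = 5        # assumed guess budget before the code is burned


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; returns 'salt$hash' so the salt travels with the hash."""
    salt = salt or secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), 100_000)
    return f"{salt}${digest.hex()}"


def check_password(password, stored):
    salt, _ = stored.split("$", 1)
    return hmac.compare_digest(hash_password(password, salt), stored)


def weak_reset(users, login, date_of_birth, new_password):
    """Poorly secured scenario: login + date of birth, then the new password.

    No out-of-band proof, no expiry, no attempt limit, no notification: anyone
    who knows the victim's birthday takes the account silently.
    """
    user = users.get(login)
    if user is None or user["dob"] != date_of_birth:
        return False
    user["pw"] = hash_password(new_password)
    return True


class RecoveryService:
    """Secured scenario: personal data, then a one-time code on a second channel,
    then the new password, then a confirmation mail on every known address."""

    def __init__(self, users, now=time.time):
        self.users = users          # constructed user store: login -> dict
        self.now = now              # injectable clock, so expiry is testable
        self.pending = {}           # login -> {"code": sha256 hex, "expires", "attempts"}
        self.reset_tokens = {}      # token -> {"login", "expires"}
        self.outbox = []            # constructed stand-in for e-mail / SMS delivery

    # Step 1 + 1.b: check the personal data and send a code on the chosen channel.
    def request_code(self, login, date_of_birth, channel):
        user = self.users.get(login)
        if user is not None and hmac.compare_digest(user["dob"], date_of_birth):
            code = f"{secrets.randbelow(10**8):08d}"   # CSPRNG, 8 digits, typable
            self.pending[login] = {
                "code": hashlib.sha256(code.encode()).hexdigest(),  # never stored in clear
                "expires": self.now() + CODE_TTL_SECONDS,
                "attempts": 0,
            }
            dest = user["mobile"] if channel == "sms" else user["secondary_email"]
            self.outbox.append((channel, dest, f"Your recovery code is {code}"))
        # Same answer whether or not the login exists: no account enumeration.
        return "If the details match an account, a code has been sent."

    # Step 2, first half: validate the code. It expires, burns after
    # MAX_CODE_ATTEMPTS wrong guesses, and is deleted on first successful use.
    def confirm_code(self, login, code):
        entry = self.pending.get(login)
        if entry is None:
            return None
        if self.now() > entry["expires"] or entry["attempts"] >= MAX_CODE_ATTEMPTS:
            del self.pending[login]
            return None
        entry["attempts"] += 1
        given = hashlib.sha256(code.encode()).hexdigest()
        if not hmac.compare_digest(given, entry["code"]):
            return None
        del self.pending[login]                          # single use
        token = secrets.token_urlsafe(32)                # handle for the password form
        self.reset_tokens[token] = {"login": login, "expires": self.now() + CODE_TTL_SECONDS}
        return token

    # Step 2, second half, + step 3: set the password and notify every address.
    def set_new_password(self, token, new_password):
        entry = self.reset_tokens.pop(token, None)       # consumed whatever happens next
        if entry is None or self.now() > entry["expires"]:
            return False
        user = self.users[entry["login"]]
        user["pw"] = hash_password(new_password)
        notice = "Your password was changed. If this was not you, contact support."
        for addr in (entry["login"], user.get("secondary_email")):
            if addr:
                self.outbox.append(("email", addr, notice))
        return True
```

The reset token returned by `confirm_code` is what keeps the password form bound to the person who proved possession of the second channel; it is popped on first use, so a replayed form submission fails even if the first one did. In a real deployment the outbox would be an e-mail and SMS gateway, and the `pending` and `reset_tokens` maps would live in a store shared by all application instances.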