This post first appeared on my SAP blog on November 10, 2015.
Have you ever forgotten a password? I know that I have. I do all the time, in fact, although over the last year or two, I’ve gotten better at managing my password schemes (yes, I have schemes that I’ve memorized to generate new passwords). But forgotten password recovery is a “popular” mechanism by which bad guys can gain access to your account. So, we must incorporate a number of checks to disrupt and prevent attempts to gain access to accounts.
While there are a number of initiatives ongoing to actually replace passwords, the reality is that passwords as security mechanisms for online accounts will be with us for some time to come. Thus, we need to provide reasonable security for those of us who will forget these passwords.
During an appropriately secure password reset, part of the process is to provide an “out-of-band” channel. This is where 2FA plays a role to mitigate a hacker who may have compromised a user’s account. In fact, leveraging the forgotten password recovery mechanism is a common way that hackers can get into your accounts – especially if they can access your emails. That’s why, first and foremost, it is a good idea to have your email account(s) protected with 2FA. You need to protect your email accounts and 2FA is a great way to do it.
Many password recovery solutions in place actually do a good job of asking for details that only the account owner would know – like for credit cards with the various codes that are only visible to someone in possession of the card. The passwords should (and do) expire and need to be reset after some period of time. But many, many more accounts will simply ask a few questions (or none) and email a link to change the password, or send a new (plaintext, no less) password through email. This is just asking for trouble. Email is not secure and not encrypted. Now this post is not about all of the aspects of resetting or recovering a lost password. But one thing to keep in mind is that it isn’t about recovery of a lost or forgotten password at all. In reality, the password should never be recovered, but always reset.
There are two very good references that I’ve found that I would point you to:
- Everything you ever wanted to know about building a secure password reset feature (by Troy Hunt of troyhunt.com)
- Forgot Password Cheat Sheet (by OWASP, the Open Web Application Security Project)
Both sites offer outstanding guidelines in easy-to-understand language about the best practices for resetting passwords. One of the common elements of both of these guides is that they recommend incorporating two-factor authentication. The point is that most of the password reset process is based around something the user knows. The 2nd factor leverages something the user has – a mobile device or a “side-channel” token, as OWASP describes it. One of the guides notes (correctly) that sometimes the device that receives an SMS with a token is the same device that the consumer is using to try to reset the password. While it is the same device, it is a phone number-based channel, so OWASP’s point about it being a “side-channel” is correct. To add further security, the code generated should only be valid for a short time – say 5-10 minutes before it expires.
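To make the points above concrete (reset rather than recover, a random token sent out of band, a short validity window, single use), here is an added example of a minimal reset service. It is not code from the original post, from Troy Hunt, or from OWASP; every name in it (ResetService, start_reset, complete_reset, the 10-minute TTL and the 5-attempt limit) is an assumption chosen for illustration. The existing password hash is never read or returned anywhere; the link token and the SMS code are stored only as hashes, expire together, and are burned on first use or after too many wrong guesses.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Added example (not from the original post). All names and limits are assumptions.
TOKEN_TTL_SECONDS = 10 * 60   # upper end of the 5-10 minute window suggested above
MAX_OTP_ATTEMPTS = 5          # assumed cap on guesses against the 6-digit SMS code


def _digest(value: str) -> str:
    """SHA-256 of a high-entropy random secret (fine for tokens, not for passwords)."""
    return hashlib.sha256(value.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 for the real password; returns (salt, hash)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_password(password: str, stored: Tuple[bytes, bytes]) -> bool:
    salt, expected = stored
    return hmac.compare_digest(hash_password(password, salt)[1], expected)


@dataclass
class ResetRequest:
    user_id: str
    token_hash: str        # hash of the link token delivered by e-mail
    otp_hash: str          # hash of the code delivered by SMS (the out-of-band factor)
    expires_at: float      # both secrets die at the same moment
    used: bool = False
    otp_attempts: int = 0


class ResetService:
    def __init__(self, users: Dict[str, Tuple[bytes, bytes]], clock=time.time):
        self.users = users                        # user_id -> (salt, hash); constructed store
        self.requests: Dict[str, ResetRequest] = {}
        self.clock = clock                        # injectable so expiry can be exercised offline

    def start_reset(self, user_id: str) -> Tuple[str, str]:
        """Create a pending reset and return the two secrets to deliver on two channels.
        The current password is never read, recovered or sent."""
        token = secrets.token_urlsafe(32)          # goes into the e-mail link
        otp = f"{secrets.randbelow(10**6):06d}"    # goes out by SMS
        self.requests[user_id] = ResetRequest(
            user_id, _digest(token), _digest(otp), self.clock() + TOKEN_TTL_SECONDS)
        return token, otp

    def complete_reset(self, user_id: str, token: str, otp: str, new_password: str) -> bool:
        req = self.requests.get(user_id)
        if req is None or req.used or self.clock() > req.expires_at:
            return False                           # unknown, already used, or expired
        req.otp_attempts += 1
        if req.otp_attempts > MAX_OTP_ATTEMPTS:
            req.used = True                        # burn the request after too many guesses
            return False
        token_ok = hmac.compare_digest(req.token_hash, _digest(token))
        otp_ok = hmac.compare_digest(req.otp_hash, _digest(otp))
        if not (token_ok and otp_ok):
            return False
        req.used = True                            # single use, even on success
        self.users[user_id] = hash_password(new_password)   # reset, never recover
        return True


if __name__ == "__main__":
    users = {"alice": hash_password("old-password")}   # constructed sample account
    svc = ResetService(users)
    token, otp = svc.start_reset("alice")
    print("first use succeeds:", svc.complete_reset("alice", token, otp, "new-password"))
    print("replay succeeds:", svc.complete_reset("alice", token, otp, "another"))
```

In a real deployment the token would be embedded in the e-mailed link and the code sent through the operator SMS channel described below; the service itself only ever sees their hashes after that point, so a leaked database table of pending resets gives an attacker nothing usable.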
Some best practices guidelines question the reliability of sending a token via SMS due to delivery problems. That may have been an issue in the past; however, we’ve found that as long as the message is delivered through proper mobile operator SMS delivery connections to validated phone numbers (the phone number should have been validated with a verification code during registration), then the overall reliability goes up considerably – well over 95%.
Certainly 2FA for password resets and various other functions is not 100% immune from sophisticated cyber criminals. But for the most part, the bad guys would have to (1) have your mobile device, (2) have the passcode to your mobile device [you do have one, don’t you], (3) have access to your email / account / password, and (4) know or be able to guess the answers to secret questions. Number 3 is pretty easy and certainly a gateway into compromising accounts; however, also obtaining 1 and 2 is quite rare. There are other vectors for compromising mobile devices in order to steal 2FA codes, but these are also exceedingly rare. That notwithstanding, let’s not lose sight of the fact that the inclusion of an alternate or out-of-band channel such as 2FA over SMS can greatly increase the security of a properly-designed password reset function.