[messaging] Password reset mechanisms with an SRP authentication framework
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Wed Apr 23 09:04:30 PDT 2014
Dave Baggett <dmb at arcode.com> writes:
>So I'm soliciting clever ideas for ways to improve the usability without
>changing the fundamental security properties.
Force users to print out recovery information (e.g. a two-part key share) as
part of the sign-up process, and tell them to treat it like they're treat
their passport (this is assuming it's web-based, so you generate a printable
web page that contains the information they need). Allow them to skip it, but
only with the direst warnings. To quote the book I'm working on:
To protect against lost passwords you can either advise them to write down a
second copy and keep it with other long-term important documents like their
birth certificate and insurance paperwork (as with the earlier credit-
card/passport metaphor these are familiar things that people inherently know
how to deal with) or you can make the whole process explicit and have them
print out a form containing their main password and a backup recovery
password that you assign to them in the same way as the main password.
You’re going to have to be pretty forceful with this, for example by
building the operation into the workflow of setting up a password, otherwise
people won’t do it. This is exactly what Microsoft found out with their
Bitlocker recovery keys, which people are encouraged to print out and store
somewhere safe when they’re setting up the encryption. No-one does [ ].
The printed form contains instructions to cut it in half and store the two
parts as appropriate, a type of procedure that’s standard operating practice
for many businesses where availability is as important or even more
important than security. To guard against business-continuity problems the
business records a backup copy of passwords used by employees and stores
them in a safe location where they can be accessed in case of an emergency.
Another situation in which this type of paper-based backup is useful is in
the case of the incapacity or death of the original password holder. Before
the widespread use of computers, taking care of someone’s estate used to
involve little more than dealing with a will and possibly figuring out which
safety deposit box the unlabelled key belonged to, but today it can involve
tracking down arbitrary numbers of accounts, passwords, and encryption keys
. By recording key backup data in hardcopy form and storing it in a safe
place (or split across several places), it’s possible to provide for
recovery and continuity if something ever happens to you.
If you assign a recovery password in this manner, make it a true recovery
password rather than just an alternative to the main one. When the user
logs on with the recovery password they’re assigned a new primary and
recovery password as they were when they signed up, and the previous
passwords are disabled. If you’re the sort of organisation that sends out a
monthly printed statement, record the details of the password change (or
changes) on the statement. Printed statements are the single most effective
account audit mechanism that there is (see the discussion in “Password
Lifetimes†on page 542) and if there’s a problem then you want to give your
users every chance of noticing it and reporting it.
In addition if there’s payment information like credit card details stored
with the account data, delete it when the password is reset so that an
attacker who compromises the password reset mechanism doesn’t gain much from
the newly-acquired account, and let the user know why they’re being asked to
re-enter their payment details (some sites already enforce similar security
measures when you do things like change your shipping address, requiring
that you re-enter your credit card information as an additional
authentication step).
Peter.
More information about the Messaging
mailing list