Question

I have searched all over and can't find any answers on this. It's clear that for a password reset scenario, where the user has forgotten a password, the system in question should send a temporary token/link to the user's registered email that takes the user to a secure page that allows the user to select a new password.

What I'm asking about is the case where a user knows the current password, and wants to change it. I'm proposing either 1) the user could enter the old password and new password, and an email will be sent off asking to click a link to confirm the change (which also serves to notify that a change request has been made), or 2) the user could enter the current password and gets sent an email with a link that takes them to a new password selection screen.

Yet, I don't see this process being used anywhere. Is there a reason this approach doesn't buy you any more security, or is there a security flaw in this approach?

It seems to me that this would add an extra layer of security, as it's a type of two-factor authentication. Consider the case where the user's password has been compromised, but the password is different from the user's email password, and the attacker has no other method of accessing the user's email. The attacker would not be able to lock the owner out, since the attacker would not be able to click the confirm password change link. As an added benefit, this would serve as a notification to the account owner that someone was trying to take the account over.

Is this simply deemed not worth the extra hassle?


Solution

I can think of 2 reasons.

1) It will annoy the user. Every extra step tries the user's patience.

2) It doesn't add security. If someone has the current password, they already have access to the account. If the attacker doesn't have access to the email account, they can't permanently lock the user out anyway.

What you should require email verification for, is changing the user's email address.
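The token-link mechanism the question takes for granted, applied to the one change the answer says should require email verification (changing the registered email address), as an added example that is not part of the original question or answer. Everything in it is an assumption made for illustration: the `AccountStore` class and its method names, the 15-minute token lifetime, the `example.invalid` link, and the choice to send the confirmation link to the currently registered address (so that someone who holds only the password cannot redirect the account to a mailbox they control; proving ownership of the new address would be a separate step not shown here). Only a hash of the token is stored, and the token is single-use and time-limited.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not from the original page). All names below are hypothetical.
TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of a confirmation link
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as 'salthex$digesthex'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def token_hash(token):
    """Only this hash is persisted; a leaked table does not yield working links."""
    return hashlib.sha256(token.encode()).hexdigest()


class AccountStore:
    def __init__(self, now=time.time):
        self.now = now        # injectable clock so expiry can be exercised in a test
        self.accounts = {}    # username -> {"email": ..., "password_hash": ...}
        self.pending = {}     # sha256(token) -> pending change record
        self.outbox = []      # (recipient, message) pairs standing in for an SMTP call

    def register(self, username, email, password):
        self.accounts[username] = {"email": email, "password_hash": hash_password(password)}

    def request_email_change(self, username, current_password, new_email):
        """Step 1: re-check the current password, then mail a confirmation link to the
        address already on file. Returns the raw token only so this example can drive
        the flow; a real application never hands it back to the caller."""
        account = self.accounts.get(username)
        if account is None or not verify_password(current_password, account["password_hash"]):
            return None
        token = secrets.token_urlsafe(32)
        self.pending[token_hash(token)] = {
            "username": username,
            "new_email": new_email,
            "expires_at": self.now() + TOKEN_TTL_SECONDS,
        }
        self.outbox.append((
            account["email"],
            f"Confirm changing your email to {new_email}: https://example.invalid/confirm?t={token}",
        ))
        return token

    def confirm_email_change(self, token):
        """Step 2: look the token up by its hash, enforce single use and expiry, then apply."""
        record = self.pending.pop(token_hash(token), None)   # pop => the link works at most once
        if record is None or self.now() > record["expires_at"]:
            return False
        self.accounts[record["username"]]["email"] = record["new_email"]
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "alice@example.invalid", "correct horse")
    print(store.request_email_change("alice", "wrong", "evil@example.invalid"))  # None
    tok = store.request_email_change("alice", "correct horse", "alice2@example.invalid")
    print(store.outbox[-1][0])                      # link goes to alice@example.invalid
    print(store.confirm_email_change(tok))          # True
    print(store.confirm_email_change(tok))          # False: already used
```

The password check happens before any mail is sent, so a wrong password produces no link and no notification; a correct password produces a link that reaches only the mailbox already tied to the account, which is exactly the factor the question's attacker is assumed not to have.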

Licensed under: CC-BY-SA with attribution