Question

Before I begin, my reason for not using OAuth is I believe it is not really something we should be using on this project. We're targeting a platform that will be packaged and resold to companies, which connect to their own set of users; we really don't want to have accounts that we are not 100% in control of, we don't want it to be a shared login with other services, and we don't want to force people into getting a google/yahoo/openID/aol/facebook/blogger/wordpress/whatever account.

Now then, what I would like is the best way to let users reset a password.

I hate the concept of secret questions: What school did you go to? Well, let's check your facebook page. What was your first-grade teacher? Let's just ask them casually.

I hate using one-time passwords via email: Since when is email secure? Your boss reads it. You're sending out spam emails to me every day. It went into your junk bin. It's not sent encrypted.

I don't want to use a password to reset a password either. This just doesn't make sense.

I'm really out of ideas here for the best way to do this, so I figure I would ask the community.


Solution

Your problem is that you need to outsource trust. If the user forgets their password, you no longer have a direct way to trust them, so you have to use an outside source to reestablish your relationship.

If you think email is insecure (which it is, actually), you could try telephone. Give them a call with the temporary password. Or a fax. Or snail mail, or an SMS, etc.

This is as secure as the phone lines/postal carriers over which the reset travels, and in most areas, telephone intercepts or tampering with the mail is strictly punished by the law.

If that's no good, consider issuing users an OTP token, or smartcard, or something.

OTHER TIPS

Barring being able to vet the person in person, I think you've listed all the reasonable options I've seen. In my opinion the one-time-password via email is the superior option as people tend to at least want to keep their email private. I personally hate secret questions - too big of a chance of the answers being public (see Sarah Palin email incident). If you are going to do secret questions, at least let the user choose their own questions.

I think this requires a difficult implementation, but sending the new password to the user's mobile phone as a text message may be an alternative solution. Mobile phones are much more secure than a personal inbox.

Then, users are asked to enter their mobile phone numbers. Users who don't want that functionality are provided new passwords by email.
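The accepted answer and the two replies above all come down to the same mechanism: mint a temporary secret, deliver it over a channel the attacker hopefully does not control (email, SMS, phone, post), and let the user prove receipt by typing it back. The following is an added example, not code from any of the answers, showing how the server side of that exchange is usually hardened: the token is random, stored only as a hash, single-use, time-limited, and guess-limited, so that an attacker who later reads the mailbox or brute-forces the endpoint gains nothing. The `PasswordResetService` class, its constants and the injectable clock are assumptions made for this example; the delivery step (email/SMS) is deliberately left to the caller.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example; tune to the deployment.
TOKEN_BYTES = 32            # 256 bits of entropy before URL-safe encoding
TOKEN_TTL_SECONDS = 15 * 60  # a reset link that lingers in a mailbox is a liability
MAX_ATTEMPTS = 5            # guess limit per issued token


@dataclass
class PendingReset:
    token_hash: bytes   # only the digest is stored; a DB leak does not expose live tokens
    expires_at: float
    attempts: int = 0


class PasswordResetService:
    """Issue and redeem out-of-band reset tokens (example service, not a library API)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested deterministically
        self._pending = {}       # user_id -> PendingReset; one live token per user

    def issue(self, user_id: str) -> str:
        """Create a fresh single-use token and return the plaintext for delivery.

        Re-issuing replaces any earlier token for the same user, so at most one
        token is ever valid. The caller sends the return value by email, SMS, etc.
        """
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._pending[user_id] = PendingReset(
            token_hash=self._digest(token),
            expires_at=self._now() + TOKEN_TTL_SECONDS,
        )
        return token

    def redeem(self, user_id: str, presented: str) -> bool:
        """Return True exactly once for the correct, unexpired token; False otherwise.

        Every failure path reveals nothing beyond "no"; the token is consumed on
        success, on expiry, and after too many wrong guesses.
        """
        rec = self._pending.get(user_id)
        if rec is None:
            return False
        if self._now() > rec.expires_at:
            del self._pending[user_id]
            return False
        rec.attempts += 1
        if rec.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]   # burn the token rather than let it be brute-forced
            return False
        # Constant-time comparison of digests avoids leaking matching prefixes via timing.
        if not hmac.compare_digest(rec.token_hash, self._digest(presented)):
            return False
        del self._pending[user_id]       # single use: a replayed token fails from now on
        return True

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()


if __name__ == "__main__":
    svc = PasswordResetService()
    tok = svc.issue("alice")
    print("deliver out-of-band:", tok)
    print("first redemption:", svc.redeem("alice", tok))
    print("replay:", svc.redeem("alice", tok))
```

Note what this does and does not buy you. Hashing, expiry, single use and the attempt cap limit the damage from a leaked or guessed token, but they do nothing about the weakness the question raises: whoever controls the delivery channel at the moment of delivery can reset the account. The only mitigation for that is to pair the token with a second, independent factor, which is the point the last answer below makes.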

Make users select a secret image (or images). Or make user upload their own image.

This works better than secret questions. Secret questions have two common problems:

  1. user gives an answer that can be easily obtained by others.
  2. user knows about first problem and instead of a real answer gives a random answer, later on forgetting themselves what it was.

By making the user select secret image(s), or better yet upload their own images, it'll be easier for the user to recall them later when recovering the password, since it's easier to make visual associations.

When recovering the password, present the user with several choices to pick the right image.

So you actually want the user to prove that he is who he claims he is, without revealing information about himself (assuming you can get ANY information with social hacking).

There are 3 ways for authentication: Something you are (biometrics), Something you have (a dongle, for example) and Something you know (password, response, ...). 2- or 3-way authentication is much more secure than 1-way.

Password reset/recovery, by definition, reduces the security of the authentication procedure, because it's now not A, but (A or B). (A = password, B = recover-password)

Therefore, even if your authentication procedure is 1-way (password), your recovery processes should be a 2-way authentication.

Let's see what are your options for the password recovery process:

  1. Something you are (a SysAdmin that recognizes you - usually not good for a 5000-worker organization; voice-print - too expensive to implement; ...)
  2. Something you have (e-mail account, phone number, ...)
  3. Something you know (personal details)

Notice that corporate-ID tag with picture is a 2-way authentication (both something you are and something you have).

I think the best procedure is for the employee to physically go to the IT department, show his picture ID, and ask for a password reset.

If this is infeasible (too far - a remote branch, for example), try to use a delegator who is recognized and can be trusted over the phone, so the employee will have to show the ID tag to a local delegator.

If you can't use the 'Something you are' - you're left with something you have (e-mail, phone number, your own PC) and something you know (personal details...). You can't escape it.

Licensed under: CC-BY-SA with attribution