
Question

I am working with another UX guy and he's let me know that there have been some studies surrounding the fact that when a person goes through a "forgot username/email" process, they enter in extra information and that this extra information should be enough for a user to be logged in without having to enter a password.

In our case, the user has two options - either enter their phone number, last name and DOB then receive a text message (or call) to confirm; OR they can enter social security number, last name and DOB.

Then the next step is to answer their security question (1/3 questions). If they answer this question correctly, they move on to a logged in state in their account. No password necessary.

Is this common practice these days? Is this still relevant for a financial company? Can a user just keep doing this as another option to log in?

I have a feeling that all of the information needed to log in can be found in the user's email. Assume their email address has been hacked... We require the same information for forgot password as well, though the password is something that users inherently make secret. Everything else can be found fairly publicly, unless they don't answer the security questions properly on purpose (like I do).

Explanation / Answer

No, don't make password reset based on anything submitted in a form. You need to determine the user's identity through a method besides your own website: either via two-factor authentication (usually phone) or via a known email address. The danger here is brute forcing, guessing, or stealing the data needed for a password reset. Yes, it is often quite possible to maliciously acquire a user's SSN, DOB, and phone number. Stealing their phone or compromising their email is often far, far harder. Also, be very careful about storing or asking for the user's SSN; this can be treacherous, especially if an attacker manages a man-in-the-middle or SQL injection attack.

Stick with e-mail auth or two-factor auth for password resets.
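The out-of-band reset the answer recommends, as an added example that is not part of the original answer: the server mints a high-entropy, single-use, expiring token, sends the plaintext only to the user's known e-mail address or phone (delivery is assumed and not shown), and stores nothing but the token's hash, so a reset table leaked through the SQL injection the answer warns about yields nothing an attacker can redeem. All function names and the in-memory store are this example's own assumptions.

```python
import hashlib
import secrets
import time

# Constructed in-memory store: sha256(token) -> (user_id, expiry, used).
# A real service persists this server-side; the plaintext token is never stored.
_pending = {}
TOKEN_TTL_SECONDS = 15 * 60  # short window limits exposure of a leaked link


def _digest(token: str) -> str:
    """Hash the token so a dumped table cannot be replayed as a reset link."""
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id: str, now: float = None) -> str:
    """Mint a single-use, expiring reset token for an already-identified user.

    The returned plaintext is delivered only via the user's known e-mail
    address or phone (out of band); the caller must not echo it in the web form.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # ~256 bits of entropy: not guessable
    _pending[_digest(token)] = (user_id, now + TOKEN_TTL_SECONDS, False)
    return token


def redeem_reset_token(token: str, now: float = None):
    """Return the user_id if the token is valid and unused, otherwise None.

    Lookup is by hash, so no form-submitted knowledge (SSN, DOB, security
    answers) is ever sufficient to reach the reset step on its own.
    """
    now = time.time() if now is None else now
    key = _digest(token)
    entry = _pending.get(key)
    if entry is None:
        return None
    user_id, expiry, used = entry
    if used or now > expiry:
        _pending.pop(key, None)  # expired or replayed: discard, never honour
        return None
    _pending[key] = (user_id, expiry, True)  # mark consumed: single use only
    return user_id
```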
