-
-
Notifications
You must be signed in to change notification settings - Fork 679
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"2.5.6 Verify forgotten password" / MFA issue #2475
Comments
Have you read through the "bleeding edge" version of chapter V2 where we have tried to start clarifying things? Also did you see the discussion in #2457 which is specifically about forgot password? |
Thanks for linking those resources as I wasn't aware of them but have skimmed through them. So this makes it clear that a second factor authentication is necessary for the forgotten password process only if that user has opted in to do this. But what would a secure forgotten password journey look like for a user that does not opt-in to use MFA just as an example? I looked through the forgotten password cheat sheet and I couldn't see a method that this can be done that doesn't use either a second factor authentication (that isn't 'something you know', excluding sec questions of course which is no longer considered secure), or a side-channel that is still considered secure enough. |
So if you are talking about the fact that the cheatsheet refers to using email as an out of band channel, I'm pretty sure that when NIST says that email is not allowed as an out of band authenticator, it is talking as a primary authentication factor and not as a recovery mechanism. Clearly the use of email as a recover mechanism for a password is pretty universal. |
Also bear in mind that there is an updated NIST draft which is supposed to be clearer in general... |
Under the 2.7 summary it says: "In the past, a common out-of-band authentication mechanism would have been an email or SMS containing a password reset link. Attackers use this weak mechanism to reset accounts they don't yet control, such as taking over a person's email account and re-using any discovered reset links. There are better ways to handle out-of-band verification..... Unsafe out-of-band authentication mechanisms such as e-mail and VOIP are not permitted. PSTN and SMS authentication are currently "restricted" by NIST and should be deprecated in favor of push notifications or similar. If you need to use telephone or SMS out-of-band authentication, please see NIST SP 800-63B § 5.1.3.3." So I think it was the talk of email/SMS containing a password reset link being weak, followed shortly by e-mail not being permitted as an out-of-band authentication factor is what led to my confusion here. I still don't compeltely understand the logic by NIST here though. "when NIST says that email is not allowed as an out of band authenticator, it is talking as a primary authentication factor and not as a recovery mechanism." It sounds like NIST is saying that email tokens are are too weak to be considered primary authentication, but not as a means of resetting the primary authentication. Ideally the reset process has to be just as robust as primary authentication so as to not be used as a bypass. Appreciate the help with my questions! |
Did you check what the updated NIST draft says about this? |
Hey, I skimmed through but I couldn't find anything that explicitly explains why one should be allowed and the other disallowed - maybe I missed it? |
Ok, so section 2.7 refers to NIST 5.1.3 but I think that is talking about something slightly different than reset password. Practically speaking, draft 4 seems to specifically allows credential recovery via various options : |
The requirement to use equally strong authentication pathways isn’t required under L1, which I think aligns with the rest of the documents. (On the other hand, NIST appears to require this requirement for all AALs.)
However, I do not see the benefit of disallowing email-based authentication when there is already a loophole allowing password resets via email.
|
I think there is a benefit to having a password reset as an exceptional event compare to magic link authentication from an alerting and monitoring perspective. |
Hi all,
I'm trying to wrap my head around the requirements around MFA / forgotten password on an application I'm trying to ensure adheres to L2 requirements but services older / less tech savvy users.
Basically the TLDR version is:
I'm submitting this as a potential issue, although maybe I'm overlooking something, if so it would be good to hear where. Thank you!
The text was updated successfully, but these errors were encountered: