Web password recovery - a necessary evil?

Web password recovery, which lets a user who has forgotten their password re-establish a shared secret with a website, is very widely implemented. However, using such a fall-back mechanism introduces additional vulnerabilities into user authentication. This paper provides a framework within which such systems can be analysed systematically, and uses it to gain a better understanding of how such systems are best implemented. To this end, a model for web password recovery is given, and existing techniques are documented and analysed in the context of this model. This leads naturally to a set of recommendations governing how such systems should be implemented to maximise security. A range of issues for further research is also highlighted.
