Password recovery procedure idea

4 points by jvdongen ↗ HN
In relation to the recent hack of Mat Honan's accounts I was thinking about how the password reset procedures involved could be improved without adding too much complexity. Mind you this was no social engineering attack - as far as I can tell the service reps involved (both Amazon and Apple) sticked to company procedures. If the process had been automated (i.e. no humans involved), the end result would have been the same.

I was thinking alone the following lines:

* Upon account registration you submit one or (preferably) more e-mail address of close friends/relatives to the service provider you're registering with

* if you've lost your password, you click the password reset button. Then two things happen: a) a password recovery link is sent to you and b) a n-digit pin code is sent to your friend(s) e-mail addresses.

* the names and/or e-mail addresses of said friend(s) are never shown, so it will not be entirely clear to an attacker who to target next (based on social network data he may take a guess though).

* You click the password recovery link and get a form that asks you to enter the n-digit pin.

* You call one of your friends to retrieve the pin code and enter it (optionally different pins could be sent to different friends to aid forensics in case something goes wrong after all).

This scenario basically shifts the burden of verifying that you are actually you from some random service rep to one of your close friends. There's still a chance that (s)he gets social engineered, but quite probably (s)he has a far higher chance of getting it right than some service rep - besides plain voice recognition it's very hard to convincingly fake the minute details that make up a multi-year real life relationship of any kind. And because a close friend or relative cares for you (I hope ;-) they have a bit of incentive to get it right as well.

7 comments

[ 0.28 ms ] story [ 29.3 ms ] thread
Hmm, looks nice: use the already existing web of trust. Alas, I do most of my password resets around 3 AM; perhaps I should get some friends in other timezones ;)
Do you really want I send my friend address to a website ?

Some users already have difficulties with simple procedure and you want to complicate it. Without talking about issues with old "friend" who will hack you.

I think it is a good thing for an company intranet where you replace friends by collegues. But not for an end-user.

I don't think the meaning of "a Facebook node which may or may not actually be a human person"-friend is intended here; if you use the old-fashioned meaning "someone you know in real life, someone you trust and on whom you can depend" of "friend". Then the fear of "but won't my friend hack me?" is defeated by the very definition of "friend".

Also, the PIN alone isn't sufficient for login - your "frenemy" can only use it to verify your request, not to impersonate you.

Indeed - that was the whole idea. But may be I'm becoming old fashioned ;-)

Also, if something like this gets implemented by a few (or even a single) high profile site being someones 'password buddy' will probably quickly become an accepted, may be even honorable, thing.

Instead of a friend's email, why not have a second email address of yourself where the PIN is sent. Of course, hopefully the passwords of both emails are different :). Sort of like ATM card and PIN sent in separate mails in the US. I don't think adding a friend's email will be a good idea especially if i want to reset in the middle of the night as someone mentioned.
I think "no password reuse" is an over-optimistic pipe dream for most users; also, it's unlikely that two people will be compromised at once by the same (not specifically targeted) attack; a compromise of all accounts of the same person is much more likely.
Indeed - that is exactly what went wrong in the case of our unfortunate Wired reporter.

Also, there's a big chance of course that if someone has lost the password to a services he uses more or less regularly, he'll also not be able to remember the password of a service (the secondary mail account) he uses almost never ...