
Please consider a scenario where a user signs up for a web application with his email and password. After registration the user is sent a confirmation email which requires a login/session to confirm the email address. To reset his password the user has to confirm a reset password mail which is sent to his stored email address.

This is not to be confused with this similar question as the other question deals with a temporary account access which is not given here: Should you be able to reset a password without verifying the email address first? In other words: My question is not regarding an email address change but the initial sign up process.

Is there any security issue if the user is able to reset his password if his email address has not been confirmed yet?

Scenario #1 Alice mistypes her email address

  1. By accident the confirmation email is sent to Eve.
  2. Eve receives the confirmation request but is not able to confirm her email address.
  3. However, Eve is able to reset her password.
  4. Finally Eve is able to confirm her email address and obtain full control of Alice's account.

Result: The login/session requirement for email confirmation is bypassed. Thus, I think this is a bad idea. However, if a password reset is not available without a verified email address, then the following could happen:

Scenario #2 Alice forgets her password and has not confirmed her email address yet

  1. Alice signs up with her own email address and password.
  2. Alice loses her session and forgets her password.
  3. Alice is not able to login (wrong password) and not able to verify her email (login/session required). Nor is she able to reset her password (email not verified).
  4. Alice lost control of her account (forever).

So, as you can see, scenario #1 produces a risk that is more or less bad (probably not too bad if no other information is collected on sign up). However, scenario #2 gives a good reason to accept that risk and enable the reset without a confirmed email address. Can the risk be accepted or am I missing something?

hurb
  • No, each step should be verified by email. – Aria Sep 22 '16 at 13:10
  • I'd just resend the original signup email when an unconfirmed user attempts to reset their password. – CodesInChaos Sep 22 '16 at 13:18
  • @CodesInChaos the original signup email doesn't help much because the user would not be able to confirm the email without login/session (this is scenario #2). – hurb Sep 22 '16 at 14:28

1 Answer


The correct sign up procedure is as follows:

  • Alice signs up with a new password and an email address (x@y)
  • the account is created as blocked until email address validation
  • Alice tries to login and only gets a message saying she must activate her account with the mail sent to the address x@y
  • if the validation does not occur in the expected time (between 4 and 24 hours) the account is destroyed - prevents Alice from forgetting to validate her mail address
  • Alice validates from the mail and is asked for the password. If she cannot give the correct password after three attempts the account is destroyed - prevents Eve from using Alice's account if she received the validation mail

The real problematic case (already seen in real world) is:

  • Alice signs up with a correct mail account from her ISP and validates it
  • later Alice changes ISP, uses a new email account but forgets to declare it in her account
  • even later Alice forgets her password. Plonk! She is definitely locked out of her account

I cannot imagine a way to mitigate that problem.

Serge Ballesta
  • Thanks for your answer @Serge Ballesta. To come back to the question: Should a user be able to reset his password if his email address has not been verified yet? Your answer is NO, correct? However, in your scenario combined with my scenario #2 Alice would have to destroy her own account by mistyping her login three times and sign up again afterwards. This seems to be kinda inconvenient. So, do you think the risk of a more convenient process (allow a password reset without a verified email address) would be unacceptable? – hurb Sep 22 '16 at 14:38
  • @hurb: my opinion is that the initial sign up occurs only once, and I accept to exchange usability for security here. I prefer to be strict at sign up time to be later able to offer a secure password recovery to my users. As a user I would also prefer - but I am used to information security... – Serge Ballesta Sep 22 '16 at 15:01