
I visited my bank's website today with the intention of logging in to do bank stuff. I entered my username and hit enter by accident without entering a password. It took me to a page to select how I wanted to get my security code, in other words the forgot-password page. I selected my phone number to call me and, upon entering the verification code, it took me to a page to reset my password.

I assume that many services implement a model similar to this, but it seems fairly trivial to find a situation where someone used some sort of publicly accessible computer, whether that be at a coffee shop or some sort of work environment, to access their bank account and let the browser remember their username. Acquiring the phone might be a little trickier but not impossible, and because it is a phone call I don't need to know a PIN to get in, I just have to be able to answer it when it rings.

Wouldn't an email with a password reset link be a better model?

Maybe I am oversimplifying the complexity of the problem, but it doesn't seem like someone with questionable motives would have to be that ambitious.

ninja coder

1 Answer


While less common, requiring something to physically be in your possession is a perfectly valid form of authentication. Many two-factor login systems use SMS or phone calls as a second factor.

I assume that many services implement a model similar to this but it seems fairly trivial to find a situation where someone used some sort of publicly accessible computer

Public computers are never to be trusted for any sensitive work, ever. With public computers, keyloggers (both hardware- and software-based) are likely to be your most dangerous threat, and in that case the reset email is probably worse. By capturing your email login, the attacker would get access to any account that has password reset linked to that email.

So in short, both methods have their pros and cons. Which one is better depends on the kinds of threats you want to protect against.

tlng05
  • I understand that you shouldn't use public computers for sensitive work, and I don't. I was imagining this scenario in some sort of office environment where maybe you have 500+ co-workers and each person has their computer and they leave their computer unlocked and their phone on their desk while in a meeting. – ninja coder Jan 14 '17 at 03:50
  • 3
    @ninjacoder A work computer should be treated as a public computer, since you do not know what software the employer may have installed. And if co-workers are hacking each others' bank accounts, then I would say you have a serious cultural problem on your hands, not a technical one... – tlng05 Jan 14 '17 at 03:55
  • You are absolutely correct. I apologize for wasting your time with a scenario that could never happen. I simply forgot that everyone follows all the rules of computer security all that time. – ninja coder Jan 14 '17 at 15:17
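Added example (not part of the question, the answer or the comments above): a small Python model of the username-then-code reset flow the question describes, with the server-side controls a practitioner would expect around it (a short-lived, single-use, attempt-capped code; constant-time comparison; no account enumeration from the reset page). The user record, phone number, code length and limits are constructed for the example and are not the bank's. Running it shows the point the thread turns on: none of those controls help when the attacker can answer the phone, because possession of the phone is the flow's only factor; they do stop guessing, replay, stale codes and username probing.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # a code is valid for five minutes (constructed limit)
MAX_ATTEMPTS = 3         # wrong guesses allowed before the code is voided (constructed limit)


@dataclass
class ResetChallenge:
    channel: str       # contact method that carried the code ("phone" or "email")
    code_hash: bytes   # the store keeps a hash of the code, not the code itself
    issued_at: float
    attempts: int = 0
    consumed: bool = False


class ResetService:
    def __init__(self, users, now=time.time):
        # users: {username: {"phone": ..., "email": ..., "password_hash": ...}}
        self.users = users
        self.now = now            # injectable clock so expiry can be exercised
        self.challenges = {}      # username -> ResetChallenge
        self.delivered = []       # (channel, address, code) "sent" out of band

    @staticmethod
    def _hash_code(code):
        return hashlib.sha256(code.encode()).digest()

    def begin(self, username, channel):
        """Start a reset. Returns None for known and unknown users alike so the
        page cannot be used to enumerate accounts; the code only goes out of band."""
        user = self.users.get(username)
        if user is None:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.challenges[username] = ResetChallenge(
            channel=channel, code_hash=self._hash_code(code), issued_at=self.now())
        self.delivered.append((channel, user[channel], code))
        return None

    def verify_and_reset(self, username, code, new_password):
        ch = self.challenges.get(username)
        if ch is None or ch.consumed:
            return False
        if self.now() - ch.issued_at > CODE_TTL_SECONDS:
            del self.challenges[username]
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self.challenges[username]   # too many guesses: void the code
            return False
        # Six digits is only 10**6 values, so hashing does not save a leaked table
        # from offline guessing; the TTL and attempt cap do the real work. The
        # constant-time compare avoids leaking how many digits matched.
        if not hmac.compare_digest(ch.code_hash, self._hash_code(code)):
            return False
        ch.consumed = True                  # single use
        salt = secrets.token_bytes(16)
        self.users[username]["password_hash"] = (
            salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000))
        return True


def demo():
    clock = [1_700_000_000.0]
    svc = ResetService({"alice": {"phone": "+1-555-0100", "email": "alice@example.com",
                                  "password_hash": None}}, now=lambda: clock[0])
    results = {}
    # 1. The question's scenario: remembered username plus the phone hands over the account.
    svc.begin("alice", "phone")
    code = svc.delivered[-1][2]
    results["took_over_with_phone"] = svc.verify_and_reset("alice", code, "attacker-pw")
    results["replay_rejected"] = not svc.verify_and_reset("alice", code, "again")
    # 2. Without the phone, guessing is capped by MAX_ATTEMPTS and then voided.
    svc.begin("alice", "phone")
    real = svc.delivered[-1][2]
    wrong = "000000" if real != "000000" else "000001"
    tries = [svc.verify_and_reset("alice", wrong, "x") for _ in range(MAX_ATTEMPTS + 2)]
    results["guesses_blocked"] = not any(tries)
    results["voided_after_limit"] = not svc.verify_and_reset("alice", real, "x")
    # 3. A correct but stale code is rejected.
    svc.begin("alice", "phone")
    code = svc.delivered[-1][2]
    clock[0] += CODE_TTL_SECONDS + 1
    results["expired_rejected"] = not svc.verify_and_reset("alice", code, "x")
    # 4. Unknown and known usernames get the same response from begin().
    before = len(svc.delivered)
    results["no_enumeration"] = (svc.begin("mallory", "phone") is None
                                 and svc.begin("alice", "phone") is None
                                 and len(svc.delivered) == before + 1)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

`demo()` returns a dict of booleans: the first entry is the attack from the question succeeding, the remaining ones are the attacks the server-side controls do stop. Whether a phone call or an emailed link is the better channel is, as the answer says, a question of which of these the threat model cares about; the code only makes explicit what the channel-based flow can and cannot defend.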