
I've been tasked to work on a password reset tool for my company website. This tool is for a support person to provide a new reset password over the phone in case the customer does not receive the email or is locked out of their email account.

Now, firstly, I would personally say this isn't ideal, as I believe there are other methods such as receiving a reset code via phone; however, as that's apparently not an option, I was left with the task.

So I was tasked with adding 2 security questions to the users' accounts, where the questions are pre-selected (by the user) out of about 14 questions. The idea is that a user will call and be asked the questions, and if both answers are correct then the password will be reset and given to the end user.

While building the reset form, I went ahead and decided, for extra security, to add a post code (UK company and customers) and their primary contact number, both of which are required on sign-up. The process is then: take the user's email, confirm post code and primary phone number, ask for the security question answers; if all OK, give the new password.

The disagreement I had was with the other members of my team who thought this amendment was completely unnecessary. Personally I thought this would be an additional step from a data protection point of view and an added level of security.

My question is who is right? Am I being too protective or are the other members of the team being too hasty?

PwdRsch
Sparkz
    Can't you call the customer on the primary contact phone number to confirm that they are actually who they claim to be? Security questions are generally a very weak form of security, no matter how many of them you have. – Anders Apr 06 '17 at 06:25
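For reference, here is the reset process the question describes, written out as a runnable check. This is an added example, not the asker's code or their company's tool. It assumes things the post does not state: security answers are stored as salted PBKDF2 hashes of a normalised form rather than in plain text, the comparison is constant-time, every failure gives the caller the same error, an account locks after a fixed number of failed phone resets, and the temporary password is random and single-use. The account record and the phone call values are constructed sample data.

```python
"""Phone-assisted password reset check (added example, not the asker's code).

Implements the flow from the question: look up by email, confirm post code and
primary phone, then check the two user-chosen security answers; only if every
check passes is a temporary password issued. Hashing, normalisation, lockout
and the constructed sample account are assumptions, not from the page."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

MAX_FAILED_RESETS = 3   # assumed lockout threshold
PBKDF2_ROUNDS = 100_000


def norm_answer(text: str) -> str:
    # Case, punctuation and spacing differ between sign-up and a phone call,
    # so compare a canonical form rather than the raw string.
    return re.sub(r"[^a-z0-9]", "", text.lower())


def norm_postcode(text: str) -> str:
    return re.sub(r"\s+", "", text).upper()


def norm_phone(text: str) -> str:
    # Digits only; treat leading zeros and a 44 country code as the same UK number.
    digits = re.sub(r"\D", "", text).lstrip("0")
    if digits.startswith("44"):
        digits = digits[2:]
    return digits.lstrip("0")


def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", norm_answer(answer).encode(), salt, PBKDF2_ROUNDS)


@dataclass
class SecurityAnswer:
    question_id: int   # index into the ~14 pre-set questions
    salt: bytes
    digest: bytes

    @classmethod
    def create(cls, question_id: int, answer: str) -> "SecurityAnswer":
        salt = secrets.token_bytes(16)
        return cls(question_id, salt, hash_answer(answer, salt))

    def matches(self, given: str) -> bool:
        return hmac.compare_digest(self.digest, hash_answer(given, self.salt))


@dataclass
class Account:
    email: str
    postcode: str
    phone: str
    answers: list          # the two SecurityAnswer objects chosen at sign-up
    failed_resets: int = 0
    locked: bool = False


class ResetDenied(Exception):
    pass


def phone_reset(accounts: dict, email: str, postcode: str, phone: str, given_answers: dict) -> str:
    """given_answers maps question_id -> answer read out by the caller.
    Returns a temporary password on success, raises ResetDenied otherwise."""
    acct = accounts.get(email.strip().lower())
    if acct is None or acct.locked:
        # Same message for unknown, locked and failing accounts, so the caller
        # learns nothing about which check failed.
        raise ResetDenied("identity checks failed")
    checks = [
        hmac.compare_digest(norm_postcode(acct.postcode).encode(), norm_postcode(postcode).encode()),
        hmac.compare_digest(norm_phone(acct.phone).encode(), norm_phone(phone).encode()),
    ]
    # Every stored question must be asked and answered correctly; a missing
    # answer counts as wrong.
    for sa in acct.answers:
        checks.append(sa.matches(given_answers.get(sa.question_id, "")))
    if not all(checks):
        acct.failed_resets += 1
        if acct.failed_resets >= MAX_FAILED_RESETS:
            acct.locked = True
        raise ResetDenied("identity checks failed")
    acct.failed_resets = 0
    # Temporary password: random, read out once, must be changed at next login.
    return secrets.token_urlsafe(12)


def demo_accounts() -> dict:
    """Constructed sample account for the demo (not real data)."""
    acct = Account("alice@example.com", "SW1A 1AA", "020 7946 0000",
                   [SecurityAnswer.create(3, "Fluffy"), SecurityAnswer.create(9, "St. Mary's")])
    return {acct.email: acct}


if __name__ == "__main__":
    accts = demo_accounts()
    pw = phone_reset(accts, "Alice@example.com", "sw1a1aa", "+44 20 7946 0000",
                     {3: "fluffy", 9: "st marys"})
    print("temporary password issued:", pw)
```

The point of normalising before hashing is that "St. Mary's" typed at sign-up and "st marys" spoken over the phone must compare equal, while the stored digests are still useless to anyone who reads the database. Returning one identical error for every failure, and locking after a few attempts, is what stops the phone channel being used to guess post codes or answers one field at a time.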

1 Answer


Personally I thought this would be an additional step from a data protection point of view and an added level of security.

This is correct.

The disagreement I had was with the other members of my team who thought this amendment was completely unnecessary.

This might also be correct.

The more information you can get from the user, the more confidence you have that it's actually them. But that's not the only thing in play. Why limit this idea to password resets? Why not ask them for their birthdate and phone number on every login? Or every page?

Security always needs to be considered in the context of a threat model. What sort of attackers are you going to protect against, and what sort aren't you? This needs agreement across the business, because it might vary depending on what sort of information you're storing, or how important UX is to your business, or how much of a selling point security is, or what your budget looks like.

We can't tell you if your plan is too much (or, for that matter, too little) for your product. That's a judgement call, and one that your team will have to make.

What we can say is that it's pretty common to just require a few security question answers before resetting. There is also often some leeway for the customer service representative, where they can ask more or fewer questions depending on how sketchy they feel the person on the other end is acting.

But again, there's no fits-all answer.

Xiong Chiamiov