
Which is more recommended?

The user security questions are asked before the forgot password reset link is sent to email?

or

Security questions are asked in the page that shows up right after the forgot password link is clicked when received in the email?

What are the pros and cons for each? We implemented the latter. Just making sure we covered all bases in this approach.


Security questions are no longer considered a good enough mechanism to protect account recovery, they are often guessable or easily obtainable through OSINT.

Source 1: https://nudatasecurity.com/blog/risk-based-authentication/4-big-problems-with-knowledge-based-authentication/

Source 2: https://www.howtogeek.com/185354/security-questions-are-insecure-how-to-protect-your-accounts/

Source 3: https://www.wired.com/2016/09/time-kill-security-questions-answer-lies/

You should look at using reset tokens and send that token to your user via email.

If you do insist on using security questions, then there are a few things to consider. Having the questions before the reset link means if you know the user's username or maybe an email address, you can access their questions, do some research and find answers to those questions.

Having them after the reset email has been issued means the user must have access to that email account to even access the questions in the first place.

OWASP Guidance says you should verify questions before sending a token: https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet

If you are transmitting answers between your client and server, treat them securely as you would a password. Use POST over HTTPS, don't put them in the URL or in headers. POST them back in a secure form.

This post here on Security Stack Exchange is also worth reading: How to implement “forgot password” functionality?

iainpb
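The flow the answer recommends, as an added example that is not part of the original post or answer: a random, short-lived, single-use reset token whose hash (not the token itself) is stored server-side, and security-question answers that are only checked after the emailed link has proved mailbox access, hashed and compared like passwords. The in-memory `USERS` and `TOKENS` stores, the sample user, and the function names are assumptions for illustration.

```python
"""Added example (not the original post's code): email reset token with an
optional security-question step after the link is clicked. The in-memory
stores below stand in for a real database and are assumptions."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60      # reset links are short-lived and single use
PBKDF2_ITERATIONS = 200_000


def _pbkdf2(secret: str, salt: bytes) -> bytes:
    """Same slow, salted hash for passwords and security answers."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


def make_secret_record(value: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _pbkdf2(value, salt)}


def check_secret(record: dict, candidate: str) -> bool:
    # Constant-time comparison so answer checks don't leak by timing.
    return hmac.compare_digest(record["hash"], _pbkdf2(candidate, record["salt"]))


def _normalise(answer: str) -> str:
    # Case and whitespace differences in answers are not a security signal.
    return " ".join(answer.casefold().split())


# Constructed sample user store (hypothetical), keyed by email.
USERS = {
    "alice@example.com": {
        "password": make_secret_record("old-password"),
        "answers": {"first pet": make_secret_record(_normalise("Rex"))},
    }
}

TOKENS: dict = {}   # sha256(token) -> {"email": ..., "expires": ...}


def _token_id(raw: str) -> str:
    # Only the hash of the token is stored, so a DB leak does not leak live links.
    return hashlib.sha256(raw.encode()).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Return the raw token to embed in the emailed link, or None if the
    address is unknown. The caller shows the same 'check your email' message
    either way so the form does not reveal which addresses exist."""
    now = time.time() if now is None else now
    raw = secrets.token_urlsafe(32)          # generated regardless, for even timing
    if email not in USERS:
        return None
    TOKENS[_token_id(raw)] = {"email": email, "expires": now + TOKEN_TTL_SECONDS}
    return raw


def lookup_token(raw: str, now: Optional[float] = None) -> Optional[str]:
    """Map a presented token to the account it was issued for, or None."""
    now = time.time() if now is None else now
    entry = TOKENS.get(_token_id(raw))
    if entry is None or entry["expires"] < now:
        TOKENS.pop(_token_id(raw), None)     # drop expired tokens eagerly
        return None
    return entry["email"]


def complete_reset(raw: str, answers: dict, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Second step: the questions are reachable only once the link has proved
    mailbox access. Answers arrive in a POST body over HTTPS, never the URL."""
    email = lookup_token(raw, now)
    if email is None:
        return False
    user = USERS[email]
    results = [check_secret(rec, _normalise(answers.get(q, "")))
               for q, rec in user["answers"].items()]   # check every question
    if not all(results):
        return False
    user["password"] = make_secret_record(new_password)
    TOKENS.pop(_token_id(raw), None)         # single use: burn the token
    return True
```

Because the token is random and hashed at rest, knowing a username or email gets an attacker nothing until they also control the mailbox; the security questions then only add a second factor on top of that, which is the ordering the answer argues for.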