-3

You can see the link "Forgot Password?" nearby almost all login form.

Since passwords are completely protected from outside access, I come up with this question. I accept that the forgot password process is highly secure. However, I want to make my application a little bit more users-friendly.

I want to skip this whole process:

  1. Get user email id.
  2. Generate temporary password/encoded token.
  3. Send it to user's email.
  4. Force the user to sign-in their email.
  5. Get them back to application through attached link
  6. Ask them to enter new password and more if any further authentication is needed.

Yes, I know that OAuth is another option. But instead, I would like to give the option to use dual passwords to the user. So that if the user forgot the password, he/she can use the second one to get into the application.

What would the security issues with such a dual password system be?

The worst case scenario is if the user again forgot the password for the email account or if the account is deleted. What would the alternative way be?

Why should I become dependent on a third party (OAuth)?

Anders
  • 64,406
  • 24
  • 178
  • 215
HILARUDEEN ALLAUDEEN
  • 203
  • 2
  • 6

1 Answers1

11

First, this exists in practice in one form which isn't very secure: “security questions”. The second password is (if the security questions are used as intended) something that is easily memorable, but that is known by other people.

There is no security reason not to have two passwords: one for daily use, and one (longer, non-memorable) for recovery. Indeed, this is a common practice in certain scenarios, such as:

  • An enterprise setting where documents are encrypted with users' PGP keys, and also with an enterprise PGP key whose private part is kept in a safe and used only if no employee can be found to decrypt a document.
  • Mobile phones or SIM cards, which have a PUK (often 8 random digits) which can be used if the regular PIN (user-chosen, usually 4 digits) has been forgotten (or more generally if the device has been locked due to 3 incorrect PIN attempts).

The reason this is not done for websites is that there is very little point. If a user wishes to have a recovery password in case they forget their regular password, they can already do this by writing down their regular password. Unlike the enterprise case above, where the regular password and the recovery password (or key) are held by different entities, there is no difference in who holds the passwords.

You could follow the SIM card model and generate a long, random password that users could use for recovery. However, consider how would you communicate that password to users. You can display it on the site — and then most users would not pay attention to it and would therefore not have access to it when they're locked out. You can send it by email, in which case not only you depend on the email, but (unlike temporary password reset links, which are temporary), if the email is ever breached, so is the account, with immediate effect, and no need for the attacker to do any digging or to take any action on the site that would be logged.

Thus while dual password can work, it's an additional implementation effort and an additional attack surface for a very moderate benefit.

Furthermore, dual password would not eliminate the need for email as a recovery method. If the second password is forgotten as well, which is likely in practice, you need the email recovery.

If you choose to allow a second password, don't do it in the form of security questions: they weaken security, unless they are combined with other forms of authentication (and even then it often doesn't work out well). And don't expect more than a tiny fraction of users to make effective use of it.

Gilles 'SO- stop being evil'
  • 50,912
  • 13
  • 120
  • 179