Reputation: 161
First of all, I don't really know if this is the right place to ask this; if this should be moved, please do so or let me know.
I'm building a mobile app (using PhoneGap) which is kind of a banking app, hence I need a really secure method for resetting a lost/forgotten password.
I do not want to use email links or sms codes to proceed to the resetting part because:
So after a bit of reading I have come up with the following idea, inside the app when the user clicks forgotten password:
If all that information proves to be correct, let the user set a new password. Else just show a message telling the user that something in the information was wrong, never ever specifying what was wrong.
Those are a few questions, but I'm writing this as it occurs to me. There will be more questions based on the user experience using the app.
My Questions:
Thanks in advance.
Updates:
I don't like setting security questions during registration because most people forget the answer or type carelessly and then they are trapped with a forgotten account.
I will not be using any bank account or credit/debit card information.
All operations will be in effect immediately.
Maybe I should use questions only related to the use of the app?
Upvotes: 1
Views: 67
Reputation: 1982
This method is relatively secure as password recovery goes. However, it is not very user friendly, and it is very likely that the user can get locked out. On the other hand, a thief may easily still recover a password. Taking all the questions one by one:
Ask user email of registration.
A thief who has stolen a phone has access to this (most likely).
Ask which country, state and city were selected when registration occurred.
This will also be easy to retrieve if the thief searches in the emails of the user. Even if no such info is displayed there, knowing the name of the user, the thief can look in whitepages websites or Facebook and get valuable info.
Ask if the user had logged in successfully in the last 3 or 7 days (maybe less is better?).
A lucky guess with 50% chance can get the thief past this. A legitimate user might also not remember, which causes the first usability problem of this method.
Ask the last amount of money received (if any).
This is very hard to remember, especially if this does not happen a lot, or happens all the time and the amounts vary. A thief who knows the bank account of the user (maybe info like the IBAN is in the emails) can also transfer a small amount to that account and get past this stage.
Ask the last amount of money sent (if any).
If this involves transactions as well (paying using a credit card), a thief can follow a legitimate user and observe the money spent in the last transaction. If not, it is still a big usability issue, as the user is not likely to remember. The thief can also check the emails of the user and see if there were any goods bought online (Amazon for example sends a confirmation email) and input this as the amount.
Ask the date of the last transaction known (sent or received before or during the last successful login).
Again, this is very hard to remember for the legitimate user. Especially when it comes to receiving money, it can take days, so even if the user knows that a payment to him/her was due at day X, there might have been a delay of a few days.
If I were you, I would put email, username, last password that the user remembers, and 2-5 recovery questions that the user has to set up in the beginning. I would let the user try a total of 3 times, and all these events are logged and the bank notified. Otherwise, the user has to contact the bank in order to change it. Calls are recorded, and personal info is requested, along with a phone banking password. If the user fails again, he/she has to go to the bank with some form of photographic ID.
Response to updates: If an app is not being used on a daily basis (banking-like apps are the case for many users), it might not be a good idea to ask questions regarding the use of the app.
Regarding security questions, setting a message that warns the user that they might get locked out of their account if they forget them might convince them to be more careful. Maybe you can let users choose both questions and answers (just make sure the questions and answers are different each time, and they are longer than 1-2 characters).
Upvotes: 1
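The server-side shape of the flow the answer recommends (email, username, a previously remembered password, 2-5 user-chosen recovery questions, three attempts total, every attempt logged, and one generic failure message so the caller never learns which item was wrong), written as an added example; this is not code from the question, the answer, or any real banking backend. Class and function names, the PBKDF2 iteration count, and the in-memory record store are illustrative assumptions.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Example code added to this page (not the asker's or answerer's code).
# The recovery policy modelled here follows the answer: all factors must match,
# three failed attempts lock recovery and notify the bank, and the caller
# always sees the same generic error regardless of which factor failed.

MAX_ATTEMPTS = 3
PBKDF2_ITERATIONS = 100_000  # illustrative; tune for your hardware
_DUMMY_SALT = b"\x00" * 16   # used to equalise timing when the username is unknown


def normalize(text: str) -> str:
    """Fold case and collapse whitespace so 'Main  Street ' matches 'main street'."""
    return " ".join(text.strip().lower().split())


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Answers and old passwords are stored hashed with a per-record salt, never in clear."""
    return hashlib.pbkdf2_hmac("sha256", normalize(secret).encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class RecoveryRecord:
    email: str
    username: str
    salt: bytes
    password_hashes: list      # hashes of the current and previous passwords
    question_answers: dict     # question text -> hash of the enrolled answer
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class RecoveryService:
    records: dict = field(default_factory=dict)   # username -> RecoveryRecord (assumed store)
    audit_log: list = field(default_factory=list)  # (event, username) tuples

    def enroll(self, email, username, previous_passwords, qa_pairs):
        """Set up recovery at registration: 2-5 distinct questions, answers longer than 2 chars."""
        if not 2 <= len(qa_pairs) <= 5:
            raise ValueError("choose between 2 and 5 recovery questions")
        if len({q for q, _ in qa_pairs}) != len(qa_pairs):
            raise ValueError("recovery questions must be different from each other")
        if any(len(normalize(a)) <= 2 for _, a in qa_pairs):
            raise ValueError("recovery answers must be longer than 2 characters")
        salt = os.urandom(16)
        rec = RecoveryRecord(
            email=normalize(email),
            username=normalize(username),
            salt=salt,
            password_hashes=[hash_secret(p, salt) for p in previous_passwords],
            question_answers={q: hash_secret(a, salt) for q, a in qa_pairs},
        )
        self.records[rec.username] = rec
        return rec

    def attempt_recovery(self, email, username, remembered_password, answers):
        """Return (True, reset_token) on success or (False, generic_message) on any failure."""
        generic = "Some of the information provided was incorrect."
        uname = normalize(username)
        rec = self.records.get(uname)
        if rec is None or rec.locked:
            hash_secret(remembered_password, _DUMMY_SALT)  # same cost as a real check
            self.audit_log.append(("recovery_failed", uname))
            return False, generic

        # Evaluate every factor; do not stop at the first mismatch, so response
        # timing does not reveal which item was wrong.
        candidate = hash_secret(remembered_password, rec.salt)
        checks = [
            hmac.compare_digest(rec.email.encode(), normalize(email).encode()),
            any(hmac.compare_digest(h, candidate) for h in rec.password_hashes),
        ]
        for question, expected in rec.question_answers.items():
            given = answers.get(question, "")
            checks.append(hmac.compare_digest(expected, hash_secret(given, rec.salt)))

        if all(checks):
            rec.failed_attempts = 0
            self.audit_log.append(("recovery_succeeded", rec.username))
            # Short-lived, single-use token the app exchanges for the set-new-password step
            # (storage and expiry of the token are assumed, not shown).
            return True, secrets.token_urlsafe(32)

        rec.failed_attempts += 1
        self.audit_log.append(("recovery_failed", rec.username))
        if rec.failed_attempts >= MAX_ATTEMPTS:
            rec.locked = True  # from here on the user must contact the bank
            self.audit_log.append(("recovery_locked_notify_bank", rec.username))
        return False, generic
```

The generic message is a single constant returned on every failure path (unknown user, locked record, wrong email, wrong old password, wrong answer), which is the "never specify what was wrong" rule from the question; the dummy hash on the unknown-user path keeps that path as slow as a real check. Answers are normalized before hashing so a stray space or capital letter does not trap a legitimate user, which addresses the "typed carelessly" concern without weakening the comparison.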