I think the security questions are a great idea! It might also be worth investigating SMS recovery like LastPass is doing (with locally saved one time password): https://helpdesk.lastpass.com/account-recovery/
You get a sense of the possible limitations of this here, but who knows... https://lastpass.com/support.php?cmd=showfaq&id=375

--
Alex Davis // Mountain View Product Manager // FxA & Sync

On Tue, Aug 23, 2016 at 5:00 AM, <[email protected]> wrote:

> Today's Topics:
>
>    1. Re: Improving password reset (Sean McArthur)
>    2. Re: Improving password reset (Julien Vehent)
>    3. Re: Improving password reset (Richard Newman)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 23 Aug 2016 01:03:46 +0000
> From: Sean McArthur <[email protected]>
> To: Julien Vehent <[email protected]>, Ryan Kelly <[email protected]>
> Cc: [email protected], Ryan Feeley <[email protected]>, Richard
>     Newman <[email protected]>, dev-fxacct <[email protected]>,
>     Tanvi Vyas <[email protected]>, sync-dev <[email protected]>
> Subject: Re: Improving password reset
>
> I thought we all assumed 'security questions' are just security
> vulnerabilities, and just fill them in with `crypto.randomBytes(64)`.
>
> On Mon, Aug 22, 2016 at 5:59 PM Julien Vehent <[email protected]> wrote:
>
> > On Tue 23.Aug'16 at 10:48:28 +1000, Ryan Kelly wrote:
> > > On 23/08/2016 10:43, Richard Newman wrote:
> > > > Under the hood there would be a bunch of Shamir's secret sharing and key
> > > > wrapping palaver to actually make things go.
> > > >
> > > > You mean like wrapping the user's kB with their own kA (prove ownership
> > > > of your account) plus your friend's kB (prove non-resetness of their
> > > > account)? Yeah, that's a dance, but it could work :)
> > >
> > > Right, something like that. Alternately, wrap kB with an escrow
> > > recovery key kR, Shamir split the secret kR, and encrypt the different
> > > parts of it in different ways - one part with the user's kA, one part
> > > with the buddy's kB, one part with answers to security questions, etc.
> > >
> > > But at that point I may be wandering into "fun crypto games" territory
> > > rather than "solve a user problem" territory, which does happen to me
> > > sometimes :-P
> >
> > Just to be a downer here (apologies in advance).
> >
> > I think that works great in theory. In practice we would end up with
> > a bunch of users who listed their ex-spouse who left with the dog and
> > the microwave 2 years ago and can't be reached. I can already see
> > the bugs coming into triage...
> >
> > I like the algorithm Richard described, but as a user, I rarely remember
> > any of my security answers. To the point that I write them down in an
> > encrypted file. I'd be curious to know how non-tech users handle them.
> >
> > - Julien
>
> ------------------------------
>
> Message: 2
> Date: Mon, 22 Aug 2016 20:58:42 -0400
> From: Julien Vehent <[email protected]>
> To: Ryan Kelly <[email protected]>
> Cc: [email protected], Ryan Feeley <[email protected]>, Richard
>     Newman <[email protected]>, dev-fxacct <[email protected]>,
>     Tanvi Vyas <[email protected]>, sync-dev <[email protected]>
> Subject: Re: Improving password reset
>
> On Tue 23.Aug'16 at 10:48:28 +1000, Ryan Kelly wrote:
> > On 23/08/2016 10:43, Richard Newman wrote:
> > > Under the hood there would be a bunch of Shamir's secret sharing and key
> > > wrapping palaver to actually make things go.
> > >
> > > You mean like wrapping the user's kB with their own kA (prove ownership
> > > of your account) plus your friend's kB (prove non-resetness of their
> > > account)? Yeah, that's a dance, but it could work :)
> >
> > Right, something like that. Alternately, wrap kB with an escrow
> > recovery key kR, Shamir split the secret kR, and encrypt the different
> > parts of it in different ways - one part with the user's kA, one part
> > with the buddy's kB, one part with answers to security questions, etc.
> >
> > But at that point I may be wandering into "fun crypto games" territory
> > rather than "solve a user problem" territory, which does happen to me
> > sometimes :-P
>
> Just to be a downer here (apologies in advance).
>
> I think that works great in theory. In practice we would end up with
> a bunch of users who listed their ex-spouse who left with the dog and
> the microwave 2 years ago and can't be reached. I can already see
> the bugs coming into triage...
>
> I like the algorithm Richard described, but as a user, I rarely remember
> any of my security answers. To the point that I write them down in an
> encrypted file. I'd be curious to know how non-tech users handle them.
>
> - Julien
>
> ------------------------------
>
> Message: 3
> Date: Tue, 23 Aug 2016 01:47:07 +0000 (UTC)
> From: Richard Newman <[email protected]>
> To: Julien Vehent <[email protected]>, Ryan Kelly <[email protected]>
> Cc: dev-fxacct <[email protected]>, [email protected], Tanvi
>     Vyas <[email protected]>, Ryan Feeley <[email protected]>,
>     sync-dev <[email protected]>
> Subject: Re: Improving password reset
>
> My suspicion is that non-tech users do one of these things:
>
> 1. Blame themselves if they can't remember the answers. They remember
>    going through the process... gosh darn my bad memory, I'm just not good
>    with computers.
> 2. Get the answers right (at least after trying different
>    capitalization), because they choose a question they know the answer to
>    for each option. Their favorite teacher or pet's name doesn't change.
>    That's the motivation for using memorable questions, despite the obvious
>    weaknesses.
> 3. Write the answers down and put them in the fire safe/Keychain
>    notes/Excel spreadsheet. This is actually a pretty decent security
>    tradeoff, and the process (particularly for FileVault!) strongly
>    reinforces that you can't screw this up. Similarly, it gives you a key to
>    write down and put in a safe place. I could find mine if I really looked
>    for it, I guess.
>
> ------------------------------
>
> End of Dev-fxacct Digest, Vol 36, Issue 11
_______________________________________________ Dev-fxacct mailing list [email protected] https://mail.mozilla.org/listinfo/dev-fxacct
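
The escrow idea Ryan Kelly sketches in the quoted thread (wrap kB with a recovery key kR, Shamir-split kR, encrypt each part under a different factor), as an added example that is not part of the thread or of any Firefox Accounts code. The 2-of-3 threshold, the function names, the PBKDF2 stretching of normalised answers and the XOR-plus-HMAC wrap (a stand-in for a vetted AEAD key wrap) are all assumptions made for illustration.

```python
# Added illustration: names and the 2-of-3 threshold are assumptions, not FxA code.
import hashlib, hmac, secrets

P = 2**521 - 1  # Mersenne prime; the field must be larger than the 256-bit secret

def split(secret, k, n):
    """Shamir split: random degree k-1 polynomial f with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def combine(shares):
    """Lagrange interpolation at x = 0 over GF(P)."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num, den = num * -xj % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def _xor(key, data):  # keystream XOR; each key wraps exactly one share
    pad = hashlib.shake_256(b"share-wrap" + key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))
def _tag(key, x, ct):
    return hmac.new(key, bytes([x]) + ct, hashlib.sha256).digest()

def wrap(key, share):
    """Stand-in for a real AEAD key wrap: XOR keystream plus HMAC tag."""
    x, y = share
    ct = _xor(key, y.to_bytes(66, "big"))
    return x, ct, _tag(key, x, ct)

def unwrap(key, wrapped):
    x, ct, tag = wrapped
    if not hmac.compare_digest(tag, _tag(key, x, ct)):
        raise ValueError(f"wrong wrapping key for share {x}")
    return x, int.from_bytes(_xor(key, ct), "big")

def answers_key(answers, salt):
    """Normalise case and whitespace, then stretch the low-entropy answers."""
    joined = "\n".join(a.strip().lower() for a in answers).encode()
    return hashlib.pbkdf2_hmac("sha256", joined, salt, 200_000)

def escrow_kR(kR, kA_user, kB_buddy, answers, salt):
    """2-of-3 split of kR, one share wrapped per recovery factor."""
    keys = [kA_user, kB_buddy, answers_key(answers, salt)]
    return [wrap(k, s) for k, s in zip(keys, split(kR, 2, 3))]
```

Any two unwrapped shares passed to `combine` return kR, so an unreachable buddy or forgotten answers cost one factor rather than the account; the answers share remains the weakest of the three because its key comes from guessable input.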

