On (2015-05-26 17:44 +0200), Owen DeLong wrote:

Hey,

> I think opt-out of password recovery choices on a line-item basis is not a
> bad concept.

This sounds reasonable. At least then you could decide which balance of
risk/convenience fits your use-case for a given service.

> OTOH, recovery by receiving a token at a previously registered alternate
> email address seems relatively secure to me and I wouldn't want to opt out
> of that.

It's probably machine-sent within seconds or a minute of the request, so
doing a short-lived BGP hijack of the MX might be a reasonably easy way to
get the email.

> Recovery by SMS to a previously registered phone likewise seems reasonably
> secure and I wouldn't want to opt out of that, either.

I have tens of coworkers who could read my SMS.

> Really, you don't need to strongly authenticate a particular person for
> these accounts. You need, instead, to authenticate that the person
> attempting recovery is reasonably likely to be the person who set up the
> account originally, whether or not they are who they claimed to be at that
> time.

As long as the user has the power to choose which risks are worth carrying,
I think it's fine.

For my examples, I wouldn't care about the email/SMS risk if it's a
LinkedIn/Twitter/Facebook account. But if it's my domain hoster, I probably
wouldn't want to carry either risk, as the whole deck of cards collapses if
you control my domains (all email recoveries compromised).

-- 
  ++ytti