by richardwhiuk 2730 days ago
You probably want to request a reset.

When a reset is requested, you should then allow a grace period - possibly up to a month for the reset to be cancelled. You should notify the user via email/out of band mechanism that a reset has been requested.

On each login you should prompt that the reset is ongoing and that it can be cancelled.

Finally after a month, you revoke the 2FA and allow a new device to be activated.

Or alternatively/as well, you require that the user sets up a new account. You may allow them to merge this account after the reset has completed.

Fundamentally the question is "if a user took over someone else's account, what would the impact be?"

On reset, you may want to delete any sensitive recoverable data - e.g. credit card details or passport info.


This is the one that I like the best if manual human review doesn't work for your use case.

Set a reasonable time period (a month seems like really long, I was thinking more along the lines of a week), use every piece of information you have to attempt to alert the user multiple times that a reset is happening (email, text, in-app alerts, etc...), make sure that each "alert" gives the user a one-click way of stopping the reset, and when the reset is successful, delete all information that is easily replaceable (like saved credit cards or addresses, or as much personal information that you can get rid of).
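The grace-period flow sketched in the two comments above (request, out-of-band alerts with a one-click cancel, a warning on every login, revocation plus data wipe once the period lapses) fits naturally into a small state machine. The following is an added illustration, not code posted by either commenter. It assumes an in-memory account record, an injectable clock so the expiry can be exercised, a one-week grace period as the second comment suggests, and that the cancel token is stored only as a hash so a leaked database copy cannot be used to cancel a legitimate reset.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Assumption: one-week grace period (the thread discusses anything from a week to a month).
GRACE_PERIOD_SECONDS = 7 * 24 * 3600


@dataclass
class PendingReset:
    requested_at: int
    expires_at: int
    cancel_token_hash: str  # sha256 of the one-click cancel token sent in alerts


@dataclass
class Account:
    user_id: str
    totp_enrolled: bool = True
    # Constructed sensitive fields that get wiped when the reset completes.
    saved_card: Optional[str] = None
    passport_number: Optional[str] = None
    # Out-of-band channels, e.g. "email:alice@example.com" (constructed values).
    channels: List[str] = field(default_factory=list)
    pending_reset: Optional[PendingReset] = None


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TwoFactorResetService:
    """Hypothetical service implementing the grace-period 2FA reset flow."""

    def __init__(self, now: Callable[[], int]):
        self._now = now              # injectable clock (epoch seconds)
        self.sent_alerts: List[str] = []  # stands in for real email/SMS delivery

    def _alert(self, account: Account, message: str) -> None:
        # Alert on every channel we hold for the user, each carrying the cancel link.
        for channel in account.channels:
            self.sent_alerts.append(f"{channel}: {message}")

    def request_reset(self, account: Account) -> str:
        """Start a reset and return the raw cancel token (only ever sent to the user)."""
        if account.pending_reset is not None:
            raise ValueError("reset already pending")
        token = secrets.token_urlsafe(32)
        now = self._now()
        account.pending_reset = PendingReset(
            requested_at=now,
            expires_at=now + GRACE_PERIOD_SECONDS,
            cancel_token_hash=_hash_token(token),
        )
        self._alert(account, f"2FA reset requested; cancel with token {token}")
        return token

    def login_banner(self, account: Account) -> Optional[str]:
        """Message shown on each login while a reset is pending, plus a re-alert."""
        pending = account.pending_reset
        if pending is None:
            return None
        remaining = max(0, pending.expires_at - self._now())
        self._alert(account, "reminder: a 2FA reset is still pending")
        return f"A 2FA reset is pending and completes in {remaining} seconds unless cancelled."

    def cancel_reset(self, account: Account, token: str) -> bool:
        """Cancel if the presented token matches; constant-time compare on the hash."""
        pending = account.pending_reset
        if pending is None:
            return False
        if not hmac.compare_digest(_hash_token(token), pending.cancel_token_hash):
            return False
        account.pending_reset = None
        self._alert(account, "2FA reset cancelled")
        return True

    def finalize_if_expired(self, account: Account) -> bool:
        """Once the grace period lapses: revoke 2FA and wipe recoverable sensitive data."""
        pending = account.pending_reset
        if pending is None or self._now() < pending.expires_at:
            return False
        account.totp_enrolled = False        # user may now enrol a new device
        account.saved_card = None            # per the thread: delete what is easily re-entered
        account.passport_number = None
        account.pending_reset = None
        self._alert(account, "2FA reset completed; sensitive data removed")
        return True


if __name__ == "__main__":
    clock = {"t": 1_700_000_000}
    svc = TwoFactorResetService(lambda: clock["t"])
    alice = Account("alice", saved_card="4111-xxxx", channels=["email:alice@example.com"])
    svc.request_reset(alice)
    print(svc.login_banner(alice))
    clock["t"] += GRACE_PERIOD_SECONDS + 1
    print("completed:", svc.finalize_if_expired(alice), "2FA enrolled:", alice.totp_enrolled)
```

The design choice worth noting is that `finalize_if_expired` is the only path that touches the 2FA enrolment, and it runs only after the full window; the request itself changes nothing except creating the pending record and firing alerts, which is what keeps the attacker-initiated case visible to the real owner.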

One of the problems with that is that it makes account recovery after a compromise that much harder. If an attacker manages to prevent you from seeing those notifications (compromised email/sms) and you aren’t actively signing in, it’s possible for the month to lapse.

Once the attacker has control and you try to reassert ownership, the attacker gets a loud warning every time you try to login/change the TFA and a month to respond.

That's very true, so I guess at the end of the day manual verification is needed for just about everything where you absolutely need a user to be able to recover their account.

A scheme like the above still helps cut down on the number of times that manual verification will have to be used, and hopefully can be made rare enough that you can spend the proper amount of time verifying each one to do your best to prevent "stolen identities" from being used.