Hacker News new | ask | show | jobs
by ryanlol 4033 days ago
Customer support. A human can then verify the user even if they can only remember a part of the password.
1 comments
stephenr 4033 days ago
Sounds like a security flaw ripe for social engineering
link
ryanlol 4033 days ago
Customer support by itself tends to be a security flaw ripe for social engineering.
link
stephenr 4033 days ago
Phone support can be tricky yes, but there are other ways to identify the caller without storing their password in plaintext
link
ryanlol 4033 days ago
Callbacks? Users PII? There's really no good ways to do phone verification. You can't use any kind of shared secrets as people forget those.
link
stephenr 4033 days ago
My bank uses an automated system to verify a pin (ie the operator transfers you to confirm identity then you come back)

But it also depends on the realm. Before the saas craze, a lot more support was performed in-house meaning you didn't have the same scale of problem.

link
ryanlol 4032 days ago
Verify a pin? But that's still something you have to remember, not providing support for users who have forgotten their passwords doesn't tend to be an option.
link