Abusing Password reset functionality to steal user data (Part–3)
We saw different implementations of a password reset functionality to ensure application security along with their best practices in the first and the second blogs of the series. In this final blog of the series, we will discuss the concept of Multi-Factor Authentication (One Time Passwords i.e. OTP) for the implementation of a reset password functionality. We will be covering the advantages of using multi-factor authentication for a password reset feature along with the proper implementation of the same.
So, what is a Multi-Factor Authentication scheme?
Wikipedia defines it as “Multi-Factor Authentication (MFA) is a method of computer access control which a user can pass by successfully presenting several separate authentication stages through credentials based on knowledge (something you know), possession (something you have), and inherence (something you are).”
For example, suppose you have to enter a secured room and there is a multi-layer security present. To get into the room, you have to provide three details – something you know (a password, maybe), something you have (an access card) and something you are (your voice or fingerprint scan). This is a crude example of a Multi-factor authentication system.
Two Factor Authentication (2FA)
Two Factor Authentication is a Multi-Factor Authentication scheme wherein a user is identified on the basis of two factors. The factors include something the user knows, something the user has or something the user is. Two Factor authentication has been used by various applications to authenticate requests. These applications include banking applications, payment gateways, email applications etc. A common example of a 2FA scheme is the usage of One Time Passwords (OTP).
One Time Passwords
As the name suggests, a one-time password is a password that is valid for a single use and for a limited time on a digital device. It is being extensively used in applications today for implementing a two-factor authentication. It provides an extra layer of security plus it can be easily implemented. Today, many OTP generating applications such as Google Authenticator and Authy are present that can be easily synced with your email applications, payment gateway applications, etc. Some applications implement OTPs for sensitive requests such as change passwords and reset passwords.
Let’s consider an example where OTP is used for resetting a password:
1. A user visits the homepage of the application and clicks on Login.
2. Since the user does not remember the password, he clicks on the ‘Forgot Password?’ option.
3. The user is redirected to a new page asking for his email address or username depending upon the option incorporated by the developer of the application.
4. When the user submits the username or email id, he is prompted with an OTP (one-time password) using SMS or a voicecall on the contact number associated with the user’s account.
5. When the user enters this value in the ‘Enter Verification Code’ field, he is redirected to the reset password console.
Problems that may arise in this implementation
1. The OTP maybe valid for a relatively longer time and does not expire after it has been used.
2. It maybe possible for an attacker to forge the ‘Send OTP ‘request if the contact number associated with the account is included in that request and is not validated at the backend, i.e., the application trusts this value and sends an OTP to that number without cross checking it with the database.
Best Practices to follow in this implementation
1. It goes without saying that this feature must be implemented over a SSL connection.
2. The OTP generated should be valid for a period of 30-60 seconds. Also, it should expire once it has been used.
3. The OTPs generated should be random enough.
4. The ‘Send OTP’ request parameters should be properly validated.
No doubt, a 2FA scheme provides an extra layer of security to your business. Properly implemented, it is a great tool but an improper implementation puts your business at risk. Hence, best practices must be followed while implementing a 2FA scheme.
