On (2015-05-26 17:44 +0200), Owen DeLong wrote: Hey,
I think opt-out of password recovery choices on a line-item basis is not a bad concept.
This sounds reasonable. At least then you could decide which balance of risk/convenience fits their use-case for given service.
OTOH, recovery by receiving a token at a previously registered alternate email address seems relatively secure to me and I wouldn???t want to opt out of that.
It's probably machine sent in seconds or minute after request, so doing short-lived BGP hijack of MX might be reasonably easy way to get the email.
Recovery by SMS to a previously registered phone likewise seems reasonably secure and I wouldn???t want to opt out of that, either.
I have tens of coworkers who could read my SMS.
Really, you don???t need to strongly authenticate a particular person for these accounts. You need, instead, to authenticate that the person attempting recovery is reasonably likely to be the person who set up the account originally, whether or not they are who they claimed to be at that time.
As long as user has the power to choose which risks are worth carrying, I think it's fine. For my examples, I wouldn't care about email/SMS risk if it's linkedin/twitter/facebook account. But if it's my domain hoster, I probably wouldn't want to carry either risk, as the whole deck of cards collapses if you control my domains (all email recoveries compromised) -- ++ytti