Closed ghost closed 8 years ago
Well, you could handle the right events in MR and use the phone number to deliver the password reset, but the logic about mobile being verified is not in MR core for password resets.
Thanks for getting back to me so quickly. So let's see here. I need to do something like:
Would it be easier to just send the password reset to a backup email using Step 1 above?
Thanks for all your help.
Not sure off the top of my head -- things like this require a lot of time to think about it, since we're talking about security and ensuring there are no attack vectors.
In short, to use mobile for password resets you need to first ensure that the mobile phone has been confirmed first. Once that's done then it can be trusted for password resets.
Thanks for your help, Brock. I think I have a clear path to implementing this now. Closing this question.
Hey,
First off, thanks a ton for all your great work on MR, it's been super helpful.
I'd like to use the user's mobile phone for password resets (send code, enter code and new password) as opposed to the current email flow. Current recommendations (OWASP etc.) for password reset are to use an out of band / side channel for verification.
Is there a way to configure/extend membership reboot to do this?
Thanks.
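The rule from the maintainer's reply (a mobile number can be trusted for password resets only once it has been confirmed), shown as an added C# example that is not MembershipReboot code and not part of the thread. `Account`, `MobileReset`, the 10-minute lifetime, the three-attempt limit and the sample phone number are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Hypothetical account model; these are not MembershipReboot types.
class Account
{
    public string Mobile;                 // number on file
    public bool MobileConfirmed;          // set only after the owner proved control of the number
    public byte[] ResetCodeHash;          // the code itself is never stored, only its hash
    public DateTime ResetCodeExpiresUtc;
    public int ResetAttemptsLeft;
}
static class MobileReset
{
    static byte[] Hash(string code) => SHA256.HashData(Encoding.UTF8.GetBytes(code));
    // Returns the code to hand to the SMS sender, or null when the number is not trusted.
    public static string IssueCode(Account a, DateTime nowUtc)
    {
        if (string.IsNullOrEmpty(a.Mobile) || !a.MobileConfirmed) return null;
        string code = RandomNumberGenerator.GetInt32(0, 1_000_000).ToString("D6");
        a.ResetCodeHash = Hash(code);
        a.ResetCodeExpiresUtc = nowUtc.AddMinutes(10);   // assumed lifetime
        a.ResetAttemptsLeft = 3;                         // assumed guess limit
        return code;
    }
    // True only for the right code, before expiry, within the attempt limit, and only once.
    public static bool RedeemCode(Account a, string submitted, DateTime nowUtc)
    {
        if (!a.MobileConfirmed || a.ResetCodeHash == null) return false;
        if (nowUtc > a.ResetCodeExpiresUtc || a.ResetAttemptsLeft <= 0) return false;
        a.ResetAttemptsLeft--;                           // count the guess before comparing
        bool ok = CryptographicOperations.FixedTimeEquals(a.ResetCodeHash, Hash(submitted ?? ""));
        if (ok) a.ResetCodeHash = null;                  // single use
        return ok;
    }
}
static class Demo
{
    static void Main()
    {
        var now = DateTime.UtcNow;
        var unconfirmed = new Account { Mobile = "+15550100", MobileConfirmed = false }; // constructed
        Console.WriteLine(MobileReset.IssueCode(unconfirmed, now) == null); // no code is issued
        var confirmed = new Account { Mobile = "+15550100", MobileConfirmed = true };   // constructed
        string code = MobileReset.IssueCode(confirmed, now);
        Console.WriteLine(MobileReset.RedeemCode(confirmed, "000000x", now)); // wrong guess is refused
        Console.WriteLine(MobileReset.RedeemCode(confirmed, code, now));      // issued code is accepted
    }
}
```

Any code path that changes `Mobile` should also clear `MobileConfirmed` and any outstanding reset code, otherwise an unverified number inherits the trust of the old one.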