brockallen / BrockAllen.MembershipReboot

MembershipReboot is a user identity management and authentication library.

Using Mobile Phone For Password Reset #592

Closed. ghost closed this 8 years ago

ghost commented 8 years ago

Hey,

First off, thanks a ton for all your great work on MR, it's been super helpful.

I'd like to use the user's mobile phone for password resets (send code, enter code and new password) as opposed to the current email flow. Current recommendations (owasp etc.) for password reset is to use an out of band / side channel for verification.

Is there a way to configure/extend MembershipReboot to do this?

Thanks.

brockallen commented 8 years ago

Well, you could handle the right events in MR and use the phone number to deliver the password reset, but the logic about mobile being verified is not in MR core for password resets.

ghost commented 8 years ago

Thanks for getting back to me so quickly. So let's see here. I need to do something like:

Would it be easier to just send the password reset to a backup email using Step 1 above?

Thanks for all your help.

brockallen commented 8 years ago

Not sure off the top of my head -- things like this require a lot of time to think about it, since we're talking about security and ensuring there are no attack vectors.

In short, to use mobile for password resets you need to first ensure that the mobile phone has been confirmed first. Once that's done then it can be trusted for password resets.
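
The gate described in the comment above (a mobile number is only trusted as a reset channel once the user has confirmed it) modelled as an added Python example. This is not code from MembershipReboot or from either participant, and it is written as a small stand-alone service rather than as an MR event handler: `Account`, `SmsGateway` and `MobilePasswordReset` are constructed stand-ins, and `SmsGateway` only records messages so the example runs offline. It goes a little beyond the comment by also giving the SMS code a short expiry, a small guess budget and single use, which is what stops a six-digit code from being guessed or replayed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Account:
    """Constructed stand-in for a user account; not MembershipReboot's UserAccount."""
    username: str
    email: str
    mobile_phone: Optional[str] = None
    mobile_verified: bool = False   # True only after the user proved control of the number
    password_hash: str = ""


@dataclass
class ResetChallenge:
    """One outstanding reset code: bound to an account, time-limited, single use, few guesses."""
    code: str
    expires_at: float
    attempts_left: int = 3


class SmsGateway:
    """Records outgoing messages instead of sending them, so the example runs offline."""
    def __init__(self) -> None:
        self.sent: List[Tuple[str, str]] = []

    def send(self, number: str, text: str) -> None:
        self.sent.append((number, text))


def hash_password(password: str) -> str:
    """Salted PBKDF2 so a reset stores a hash, never the new password itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored: str, password: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


class MobilePasswordReset:
    CODE_TTL_SECONDS = 10 * 60
    MAX_ATTEMPTS = 3

    def __init__(self, sms: SmsGateway, now: Callable[[], float] = time.time) -> None:
        self.sms = sms
        self.now = now                      # injectable clock so expiry can be tested
        self.challenges: Dict[str, ResetChallenge] = {}

    def request_reset(self, account: Account) -> bool:
        """Send a reset code over SMS, but only to a number the user has already confirmed."""
        if not (account.mobile_phone and account.mobile_verified):
            return False                    # unconfirmed number: do not use it as a reset channel
        code = f"{secrets.randbelow(10**6):06d}"
        self.challenges[account.username] = ResetChallenge(
            code=code, expires_at=self.now() + self.CODE_TTL_SECONDS, attempts_left=self.MAX_ATTEMPTS)
        self.sms.send(account.mobile_phone, f"Your password reset code is {code}")
        return True

    def complete_reset(self, account: Account, code: str, new_password: str) -> bool:
        """Check the submitted code; on success set the new password and discard the challenge."""
        challenge = self.challenges.get(account.username)
        if challenge is None:
            return False
        if self.now() > challenge.expires_at:
            del self.challenges[account.username]       # expired: force a fresh request
            return False
        challenge.attempts_left -= 1
        if not hmac.compare_digest(challenge.code, code):
            if challenge.attempts_left <= 0:
                del self.challenges[account.username]   # guess budget spent: force a fresh request
            return False
        del self.challenges[account.username]           # single use: the code cannot be replayed
        account.password_hash = hash_password(new_password)
        return True


if __name__ == "__main__":
    gateway = SmsGateway()
    service = MobilePasswordReset(gateway)
    user = Account("alice", "alice@example.com", mobile_phone="+15550100", mobile_verified=True)
    print("reset requested:", service.request_reset(user))
    sent_code = gateway.sent[-1][1].split()[-1]
    print("reset completed:", service.complete_reset(user, sent_code, "correct horse battery staple"))
    print("new password verifies:", verify_password(user.password_hash, "correct horse battery staple"))
```

The point of the `mobile_verified` check in `request_reset` is the one made above: an unconfirmed number is attacker-controllable input, so nothing about the account may be reset through it. The expiry, attempt budget and single-use deletion are the usual extra controls for a short numeric code sent out of band.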

ghost commented 8 years ago

Thanks for your help, Brock. I think I have a clear path to implementing this now. Closing this question.