What are the other potential problems of the "email is authentication"
pattern, under the following prescribed conditions? Maybe just these
two?
(Prescribed Conditions)
- "Credential Recovery" complies with OWASP ASVS and is "adequately
secure".
- "Credential Recovery" is the "weakest link" of
authentication. (Other authentication methods require TOTP, etc.)
(Potential Problems)
- The financial cost of sending emails.
- my guess is that, since I could not find news of this issue,
these users are only a small percentage (hopefully not yet)
- End-to-end response time for the "Credential Recovery"
authentication process
- my guess is that users who choose "Credential Recovery"
authentication over other "happy-path" authentication are willing
to wait, or are used to waiting.
(Non-problems)
- If the above conditions are specified, authentication security is
not compromised.
(Terms)
- "Credential Recovery" as in OWASP ASVS V2.5 Credential Recovery, or
"Self-service password reset" as in Wikipedia, or "forgot password"
flow.
https://en.wikipedia.org/w/index.php?title=Self-service_pass...
https://owasp.org/www-project-application-security-verificat...
https://github.com/OWASP/ASVS/raw/v4.0.3/4.0/OWASP%20Applica...
- "adequately secure" as in NIST SP 800-160 Vol. 1 Rev. 1, 3. System Security Concepts, 3.2. The Concept of an Adequately Secure System.
https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S...
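As an added illustration (not part of the comment above, and not OWASP's or anyone's reference code), here is the minimum the first prescribed condition has to mean mechanically for an emailed recovery link: a high-entropy single-use token, stored only as a hash, with a short lifetime and a per-account cap on outstanding tokens; the `emails_sent` counter makes the cap's effect on the "financial cost of sending emails" point visible. The store, the 15-minute TTL and the cap of 3 are assumptions chosen for the example.

```python
import hashlib
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60   # assumption: short lifetime for the emailed link
MAX_ACTIVE_PER_ACCOUNT = 3    # assumption: cap on unexpired tokens (and emails) per account


def _h(token: str) -> str:
    """Hash the token; only this value is persisted."""
    return hashlib.sha256(token.encode()).hexdigest()


class RecoveryTokenStore:
    """In-memory stand-in for the reset-token table (assumption: single process)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._tokens = {}        # token_hash -> (account, expires_at)
        self.emails_sent = 0     # one email per issued token

    def issue(self, account: str) -> Optional[str]:
        """Create a one-time token for `account` and return the value to email.

        Returns None when the account already has MAX_ACTIVE_PER_ACCOUNT
        unexpired tokens, which bounds the emails one account can trigger.
        """
        self._purge_expired()
        active = sum(1 for acct, _ in self._tokens.values() if acct == account)
        if active >= MAX_ACTIVE_PER_ACCOUNT:
            return None
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        # Store only the hash so a leaked table does not yield usable links.
        self._tokens[_h(token)] = (account, self.clock() + TOKEN_TTL_SECONDS)
        self.emails_sent += 1
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the account for a valid token and consume it; None otherwise."""
        self._purge_expired()
        entry = self._tokens.pop(_h(token), None)   # single use: removed on lookup
        return entry[0] if entry else None

    def _purge_expired(self) -> None:
        now = self.clock()
        self._tokens = {h: v for h, v in self._tokens.items() if v[1] > now}
```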