Web password recovery --- a necessary evil?
Abstract
Web password recovery, enabling a user who forgets their password to re-establish a shared secret with a website, is very widely implemented. However, use of such a fall-back system brings with it additional vulnerabilities to user authentication. This paper provides a framework within which such systems can be analysed systematically, and uses this to help gain a better understanding of how such systems are best implemented. To this end, a model for web password recovery is given, and existing techniques are documented and analysed within the context of this model. This leads naturally to a set of recommendations governing how such systems should be implemented to maximise security. A range of issues for further research are also highlighted.
Cite
@article{arxiv.1801.06730,
title = {Web password recovery --- a necessary evil?},
author = {Fatma Al Maqbali and Chris J Mitchell},
journal= {arXiv preprint arXiv:1801.06730},
year = {2018}
}
Comments
v2. Revised version