How to deal with (possible) users who "loose" their 2FA

SplitIce Member, Host Rep
edited September 2023 in Providers

I am currently trying to write some formal policies for account recovery (assuming the provided "recovery code" is also lost) in this situation.

In my experience we have required positive proof usually based around the payment source. However this is not always possible (i.e those who pay via crypto or CC). We don't keep statistics on it but I think we recover accounts at most 50% of the time. I'd like to improve this, but not at the expense of security. I'd also like for our policy to be more formally defined (potentially partially publicly) and consistently applied.

Any suggestions from your own experience? Either as a provider (hosting or SaaS) or as a customer/user.

Thanked by 1Not_Oles

Comments

  • Not_Oles Moderator, Patron Provider

    In at least some sites a user who loses or breaks his Yubikey or who forgets his Yubikey password can click "Forgot password" and receive an email link which permits setting a new password and authentication without the Yubikey.

    Dunno how this applies to other forms of 2FA.

    Dunno whether such a simple workaround really is appropriate for a 2FA enabled situation. Somebody with access to the user's email might get around both the password and the Yubikey.

    Maybe more than just clicking "Forgot password" ought to be required. But what, when there are many thousands of users?

  • Not_Oles Moderator, Patron Provider

    PS Recently saw on HN a post with several guys commenting on broken or malfunctioning Yubikeys. FWIW.

  • SplitIce Member, Host Rep

    @Not_Oles that's my concern too. Even positive verification with the payment method (sorry, vague term) is risky because a compromised email can provide payment details and access (e.g. to PayPal).

    If you say "no we can't recover that" you will get charged back or accused of theft. If you incorrectly allow access to an unauthorised person's account you could potentially be sued - or at the very least it's a bad situation.

    Oh and we do get active threats where people try and take offline sites by gaining account access. It's not a theoretical threat. More recently we have had a lot of false C&D spam to us, our upstreams and transits.

    @Not_Oles said: PS Recently saw on HN a post with several guys commenting on broken or malfunctioning Yubikeys. FWIW.

    Mine's worked well all these years, thankfully. I am meaning to replace it though. I wouldn't mind a more user friendly solution now that some of my devices are USB-C only.

    Thanked by 1Not_Oles
  • BruhGamer12 Member
    edited September 2023

    @SplitIce said:
    @Not_Oles that's my concern too. Even positive verification with the payment method (sorry, vague term) is risky because a compromised email can provide payment details and access (e.g. to PayPal).

    If you say "no we can't recover that" you will get charged back or accused of theft. If you incorrectly allow access to an unauthorised person's account you could potentially be sued - or at the very least it's a bad situation.

    Oh and we do get active threats where people try and take offline sites by gaining account access. It's not a theoretical threat. More recently we have had a lot of false C&D spam to us, our upstreams and transits.

    @Not_Oles said: PS Recently saw on HN a post with several guys commenting on broken or malfunctioning Yubikeys. FWIW.

    Mine's worked well all these years, thankfully. I am meaning to replace it though. I wouldn't mind a more user friendly solution now that some of my devices are USB-C only.

    What about using a government ID proof for name with blacked out ID number/etc and just government and name if you require identity during signup.

  • SplitIce Member, Host Rep

    @BruhGamer12 I would really like to avoid that if at all possible. While it's a decent verification option it's awfully intrusive. And for countries whose primary language is not English, ID forms can be really hard to verify without scale.

    Also strangely the same people who pay the least attention when actioning things are usually those who pay with "friends Paypals" or other things that make it absurdly difficult to verify access.

    Thanked by 1MannDude
  • PineappleM Member
    edited September 2023

    @BruhGamer12 said:
    What about using a government ID proof for name with blacked out ID number/etc and just government and name if you require identity during signup.

    That can probably be forged, especially for customers outside of the host's country. Unless you have the literal document (passport book, driver's license card) at hand, you can't be sure that it wasn't fabricated with AI or Photoshop.

    OP: I think you can take some inspiration from the Steam account recovery page. Considering some people have inventories valued well above thousands of dollars, I would reckon their process of recovery is fairly robust: https://help.steampowered.com/en/faqs/view/40A0-8B4B-B54B-C51A

    I think a combination of verifying payment information, asking basic questions like "What was the date and transaction amount for the most recent invoice?" and "What was the date of your very first invoice?", and checking the client's IP address (i.e. check if the IP address of the client opening the help request matches what the account used regularly) ought to be sufficient.

    But ultimately, one of the best ways is to stick it into people's faces to SAVE THEIR RECOVERY CODES in big red scary text, including physically printing it onto a piece of paper.

    Thanked by 2SplitIce ViridWeb
  • SplitIce Member, Host Rep

    Should I make it blink :(

    NOTE: Not a real code.

    Thanked by 1PineappleM
  • SplitIce Member, Host Rep

    @PineappleM the steam suggestion is really good. Lots of inspiration there for the public documentation.

  • SplitIce Member, Host Rep

    Maybe I should just add another stage, a button labeled "I have saved these details, enable 2FA"

    That might be more productive.

  • @SplitIce said:
    Maybe I should just add another stage, a button labeled "I have saved these details, enable 2FA"

    That might be more productive.

    I see your issue about a global service; I was thinking country specific. You make a good point about different types of IDs. I personally don't like this, but some companies make you type your code back out (the entry box disables copy/paste), which I guess means you have to at least paste it somewhere and then copy it back down. Idk how effective that is and I personally don't like it.

  • @SplitIce said:
    I am currently trying to write some formal policies for account recovery (assuming the provided "recovery code" is also lost) in this situation.

    In my experience we have required positive proof usually based around the payment source. However this is not always possible (i.e those who pay via crypto or CC). We don't keep statistics on it but I think we recover accounts at most 50% of the time. I'd like to improve this, but not at the expense of security. I'd also like for our policy to be more formally defined (potentially partially publicly) and consistently applied.

    Any suggestions from your own experience? Either as a provider (hosting or SaaS) or as a customer/user.

    Only allow 2fa to be enabled if

    1. They download 10 generated backup 2fa single use codes
    2. They have set a secondary account recovery method

    Prevention is better than a cure 🙂

  • Levi Member
    edited September 2023

    There are levels of recovery and auth:

    0. Billing
    1. Email
    2. Phone
    3. 2FA app
    4. Yubikey

    Now, if lvl 3 fails, go to lvl 2 etc. If access to the email is lost also, the user usually sends last transaction info (invoice with payment statement) and you unlock lvl 1.

  • fatchan Member
    edited September 2023

    @SplitIce said:
    Maybe I should just add another stage, a button labeled "I have saved these details, enable 2FA"

    That might be more productive.

    After they hit "next", make the next step to enter one of the recovery codes to confirm they actually saved them.

    SMS 2fa is vulnerable to sim swap, but if you understand that and they have a number on file you could fallback to that.

    Or, allow 2fa through something like telegram. Harder to completely get locked out of a telegram account compared to losing 2fa backup codes.
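
The enrolment gate suggested in two posts above: the unnamed reply that would only let 2FA be enabled after ten single-use backup codes are downloaded and a secondary recovery method is set, plus fatchan's suggestion that the next step ask the user to type one of those codes back in. This is an added Python example, not code from any poster or from X4B; the Enrollment record, in-memory storage, code alphabet and PBKDF2 hashing are all assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

CODE_COUNT = 10  # the thread suggests ten single-use codes
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O/1/I: survives a printout
PBKDF2_ROUNDS = 50_000  # slow hash: a leaked table should not yield usable codes


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Enrollment:
    """Per-user 2FA state; an in-memory stand-in for a database row (constructed)."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    code_hashes: List[bytes] = field(default_factory=list)  # unused codes only
    secondary_recovery: Optional[str] = None  # e.g. a verified phone or second e-mail
    totp_enabled: bool = False


def generate_backup_codes(enr: Enrollment) -> List[str]:
    """Create the codes, keep only their hashes, hand the plaintext to the user once."""
    codes = ["".join(secrets.choice(CODE_ALPHABET) for _ in range(10))
             for _ in range(CODE_COUNT)]
    enr.code_hashes = [_hash_code(c, enr.salt) for c in codes]
    enr.totp_enabled = False  # 2FA stays off until the confirmation step below
    return codes


def redeem_backup_code(enr: Enrollment, attempt: str) -> bool:
    """Consume one matching code. Returns False if none match, without saying which."""
    h = _hash_code(attempt.strip().upper(), enr.salt)
    for i, stored in enumerate(enr.code_hashes):
        if hmac.compare_digest(stored, h):
            del enr.code_hashes[i]  # single use: the same code never works twice
            return True
    return False


def confirm_enable_2fa(enr: Enrollment, typed_code: str) -> bool:
    """The 'I have saved these details' step: 2FA turns on only when a secondary
    recovery channel exists and the user types back one real code (it is consumed)."""
    if enr.secondary_recovery is None or not enr.code_hashes:
        return False
    if not redeem_backup_code(enr, typed_code):
        return False
    enr.totp_enabled = True
    return True
```

The code the user types back is spent, so the sheet they printed has nine usable codes left; the remaining ones are what support can later ask for instead of e-mail-based recovery.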

  • SplitIce Member, Host Rep

    @LTniger said:
    There are levels of recovery and auth:

    0. Billing
    1. Email
    2. Phone
    3. 2FA app
    4. Yubikey

    Now, if lvl 3 fails, go to lvl 2 etc. If access to the email is lost also, the user usually sends last transaction info (invoice with payment statement) and you unlock lvl 1.

    It isn't safe to do 1 with 2FA, and 0 technically can be tied very closely to email (but is what most people seem to do). 2 isn't usually easy to do reliably internationally.

  • @SplitIce said:

    @LTniger said:
    There are levels of recovery and auth:

    0. Billing
    1. Email
    2. Phone
    3. 2FA app
    4. Yubikey

    Now, if lvl 3 fails, go to lvl 2 etc. If access to the email is lost also, the user usually sends last transaction info (invoice with payment statement) and you unlock lvl 1.

    It isn't safe to do 1 with 2FA, and 0 technically can be tied very closely to email (but is what most people seem to do). 2 isn't usually easy to do reliably internationally.

    You seem to overthink. You offer tools and the customer decides what he uses. If misuse happens, the customer may address law enforcement (sim swap, fake docs, cracked mail acc etc.).

    If you still want to reinvent the wheel, then just copy/paste Amazon, Google or M$ policies regarding acc restoration.

  • SplitIce Member, Host Rep

    I disagree @LTniger . If you are going to use email to recover 2fa then you might as well not offer 2fa. It's not a second factor at that point.

    Thanked by 1Peppery9
  • @SplitIce said:
    I disagree @LTniger . If you are going to use email to recover 2fa then you might as well not offer 2fa. It's not a second factor at that point.

    Well, you can always go to point 0. You are trying to overthink big players' policies.

    When I lost my Yubikey, I initiated the recovery procedure and an Amazon drone called me on the phone and verified that I'm a living human. He sent a link to the email with a password reset during that call. The call was recorded. If a sim swap were an issue, Amazon would simply pass the call to the police.

    Your duty is to keep customer data safe. The customer's duty is to keep his data safe. If you try too much, you will fail by creating steps which repel customers and damage your sanity.

    Since X4B somehow resembles Cloudflare, I think CF customers would be your customers. So, just copy/paste CF policy. Your customers will be familiar with it.

  • gbshouse Member, Host Rep

    In general, the "correct" way, as suggested by literature and experts, is to use two accounts. The "master" one is full admin and used only for registration and sub-account management; it should never be used for daily business operations. The password and recovery options should be stored off-site. For daily activities you should use a subaccount with just enough privileges. I know it sounds "corporate" but it works. For MFA recovery there is no "perfect" way, the only option is to have multiple channels or delegate the recovery to a third party, for example you can send two 0.xx payments (refunds) to the given payment channel, where xx are two random values, and ask the user to provide you those values. This way you delegate the recovery to PayPal/bank/CC provider.

    Thanked by 1fatchan
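
gbshouse's two-random-refunds idea above, worked through as an added Python example (not code from gbshouse or from any provider): pick two distinct amounts in the 0.01 to 0.99 range, send them as refunds through the existing payment channel, and only count the answer if both amounts come back within a time limit and a small attempt budget. The RefundChallenge record, the three-attempt cap and the two-week expiry are assumptions; the refund API call itself is outside the example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_ATTEMPTS = 3              # two values out of 1..99 are guessable, so cap tries (assumption)
TTL_SECONDS = 14 * 24 * 3600  # refunds take days to post; two weeks is an assumption


@dataclass
class RefundChallenge:
    cents: Tuple[int, int]    # the two random "0.xx" amounts that were refunded
    issued_at: float
    attempts_left: int = MAX_ATTEMPTS


def issue_challenge(now: float) -> Tuple[RefundChallenge, Tuple[str, str]]:
    """Pick two distinct random amounts between 0.01 and 0.99. Returns the record to
    keep server-side and the two amount strings to submit to the payment provider's
    refund API (that call is not part of this example)."""
    a = secrets.randbelow(99) + 1      # 1..99
    b = secrets.randbelow(98) + 1      # 1..98, then shifted past a so that b != a
    if b >= a:
        b += 1
    return RefundChallenge((a, b), now), (f"0.{a:02d}", f"0.{b:02d}")


def _to_cents(amount: str) -> Optional[int]:
    """Accept what a user reads off a statement: '0.07', '.07', '0,07', '$0.07'."""
    s = amount.strip().lstrip("$€£").replace(",", ".")
    try:
        cents = round(float(s) * 100)
    except ValueError:
        return None
    return cents if 1 <= cents <= 99 else None


def verify_answer(ch: RefundChallenge, first: str, second: str, now: float) -> bool:
    """True only if both amounts match in either order, within TTL and attempt budget.
    Every call spends an attempt, including one with malformed input."""
    if now - ch.issued_at > TTL_SECONDS or ch.attempts_left <= 0:
        return False
    ch.attempts_left -= 1
    got = (_to_cents(first), _to_cents(second))
    if None in got:
        return False
    return sorted(got) == sorted(ch.cents)
```
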
  • yoursunny Member, IPv6 Advocate

    When user loses 2FA and wants to downgrade to email, enforce a waiting period between 24 hours and 7 days before giving access.
    In the case that an email inbox was stolen, the real owner is expected to regain the email inbox within that waiting period, hence preventing the hacker from getting access.
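
yoursunny's waiting period above, as an added Python example (not code from yoursunny or from any provider): a downgrade request opens a window of 24 hours to 7 days, a cancel token goes to the on-file mailbox so the real owner can abort it, and access is granted only after the full window passes without a cancellation. The RecoveryDesk class, its in-memory store and the injected clock are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Dict

MIN_WAIT = 24 * 3600      # lower bound from the post: 24 hours
MAX_WAIT = 7 * 24 * 3600  # upper bound from the post: 7 days


@dataclass
class DowngradeRequest:
    user: str
    requested_at: float
    wait_seconds: int
    cancel_token: str     # mailed to the on-file address; lets the real owner abort
    cancelled: bool = False


class RecoveryDesk:
    """In-memory request store; a stand-in for a database table (constructed)."""

    def __init__(self, wait_seconds: int = MIN_WAIT):
        if not MIN_WAIT <= wait_seconds <= MAX_WAIT:
            raise ValueError("waiting period must be between 24 hours and 7 days")
        self.wait_seconds = wait_seconds
        self.pending: Dict[str, DowngradeRequest] = {}

    def request_downgrade(self, user: str, now: float) -> str:
        """Open a pending request; returns the cancel token the caller e-mails out.
        A new request always restarts the clock, so re-requesting never shortens it."""
        token = secrets.token_urlsafe(32)
        self.pending[user] = DowngradeRequest(user, now, self.wait_seconds, token)
        return token

    def cancel(self, user: str, token: str) -> bool:
        """Reached from the link in the warning e-mail: the mailbox owner aborts it."""
        req = self.pending.get(user)
        if req is None or not secrets.compare_digest(req.cancel_token, token):
            return False
        req.cancelled = True
        return True

    def may_grant_access(self, user: str, now: float) -> bool:
        """True only once the whole window has elapsed with no cancellation."""
        req = self.pending.get(user)
        if req is None or req.cancelled:
            return False
        return now - req.requested_at >= req.wait_seconds
```

The warning e-mail is the part that makes the delay work: it must go out at request time, not at grant time, so the owner of a stolen mailbox has the whole window to notice and cancel.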

  • @Not_Oles said:
    PS Recently saw on HN a post with several guys commenting on broken or malfunctioning Yubikeys. FWIW.

    I got rid of my Yubikey about 5-6 years back because of this. It worked fine for about a year, year and a half and then it started getting really warm after plugging it in. Started having issues with the code not going in properly, so would have to try it a couple times. Not sure how long after that but one day after that it got REALLY hot (burn your fingers hot) and then it stopped functioning altogether. Lost access to everything for 3-4 days until I received my replacement.

    After that point I realized I'd be stupid to go that route again. I just tossed them both in the trash. Only thing I'd trust like that again would be one of those RSA SecurID tokens.

  • SplitIce Member, Host Rep

    @Don_Keedic like with the screen (banks used to use them here).

    Is there a brand of them like yubikeys?

    It's probably sideways to this topic but I am interested in a yubikey replacement.

  • Yubico is the industry standard for security. Blabbering about a faulty stick does not void the benefits it brings. It is convenient, secure and simple. If you're afraid to lose a Yubico, buy 2 or 3 and make them clones.

  • @SplitIce said:
    @Don_Keedic like with the screen (banks used to use them here).

    Is there a brand of them like yubikeys?

    It's probably sideways to this topic but I am interested in a yubikey replacement.

    I don't think so unfortunately :( They offer the regular token (with the screen) and then it's a bunch of other non-hardware options. It sucks because Yubikey as a product is a great idea but not having that rock-solid reliability you'd need to truly trust it just isn't there, for me anyways.

  • SplitIce Member, Host Rep

    @LTniger my reason for replacement is just user-friendliness. Especially with some type C only devices (and some type A only).

    Mine still works fine

  • @SplitIce said:
    @LTniger my reason for replacement is just user-friendliness. Especially with some type C only devices (and some type A only).

    Mine still works fine

    I get it, but folks vouch for RSA SecurID which is pretty primitive. Yubico also works via NFC, which makes USB type C or A optional for verification via mobile device, or via PC if you have an NFC reader.

  • On a non-serious note, users who lose their 2FA are probably better off losing their account.... we have a system and we spent 13-14 hours with a particular member of staff over a 6 month period ... resetting forgotten passwords ... now if they are smart enough to set up 2FA and not smart enough to know they need to back up their 2FA auth to something (Google, LastPass or wherever) .... they are clearly going to be a repeat offender and cause you more issues than they are worth

  • ask them to send their eyes with their government id in the post.

    would probably run.

  • @SplitIce said:
    Is there a brand of them like yubikeys?

    It's probably sideways to this topic but I am interested in a yubikey replacement.

    I found one Swiss company selling those TOTP tokens with multi-profile support. Most others (if not all) only sell single profile devices.

    https://www.token2.ch/shop/product/molto-2-v2-multi-profile-totp-programmable-hardware-token

    Have not tried it out myself, though I will buy a pair soon™.

  • SplitIce Member, Host Rep

    @hades_corps please do tag me if you review them.

  • SplitIce Member, Host Rep

    @chip said:
    On a non-serious note, users who lose their 2FA are probably better off losing their account.... we have a system and we spent 13-14 hours with a particular member of staff over a 6 month period ... resetting forgotten passwords ... now if they are smart enough to set up 2FA and not smart enough to know they need to back up their 2FA auth to something (Google, LastPass or wherever) .... they are clearly going to be a repeat offender and cause you more issues than they are worth

    The most recent example issued a PayPal dispute after getting their account recovered through support verification.... so that holds true.
