Hunter Smith's dilemma should be a familiar one: he forgot his password and cannot access his online account. To make things worse, he can't reset the password because he originally signed up with the email address from a previous job. Or he has his password, but he also turned on two-factor authentication on his account and recently changed phone numbers. He needs a way to prove to the service provider that he is really the Hunter Smith in question and not some sneaky imposter.

If you've ever needed to get back into your account on an online service after changing your email address or getting a new phone, you went through account recovery. We expect to have to take extra steps to identify ourselves as the account owner, but we also expect some level of security to prevent someone else from forging our details. The extra steps help "recover" the account to its rightful owner: you.

As a long-time hacker, there is nothing more fun than using the real world as a laboratory. So I looked at how 12 popular web services handled account recovery and found slight differences in each of their processes. As expected, some had better layers of security than others. The list included email providers Gmail, Yahoo, and Microsoft; social networking platforms Facebook, Twitter, and LinkedIn; tech hubs Reddit and GitHub; online retailers Amazon and Apple; and cryptocurrency exchanges Coinbase and Kraken. I included Apple because an Apple ID is required for shopping on iTunes and Apple Music. Cryptocurrency made the list because I wanted to be cool.

I looked at each provider's account recovery process as well as what type of security was in place to protect the account. I noted the minimum level of security required to access the account, the instances when extra security steps were required (such as during recovery), and additional security features beyond the basic password and two-factor authentication options. Setting up secure account recovery is hard enough, but if the account isn't protected from forgotten, stolen, or phished passwords, then the entire process becomes moot.

Note: everyone names things differently and pages sometimes change. The options available, what they are called, and where they can be found are accurate as of February 2018.

While passwords may be involved, account recovery isn't your basic password reset. There are different types of recovery schemes: recovery keys, trusted devices, alternate email addresses and phone numbers, and a form of personal identification, such as a driver's license or a passport. Each one has its own strengths as well as trade-offs.

Unlike security codes, which are generated during login, recovery keys are generated during initial account creation and can be stored offsite or offline. There are various cryptographic schemes that can be used, and the most practical one would involve public key (or asymmetric) cryptography. The key proves the owner is the legitimate owner and is allowed to add new information and credentials to the account. If the key is lost, the account owner loses the ability to recover the account. Therefore, the recovery key must be protected, and protected well; the storage location should be physically or digitally secured.

Many of the web services I looked at offered some kind of backup/recovery codes or special recovery codes that could be downloaded offline. Remember, though, if you are wiping or reinstalling your device, you may lose security keys, backup codes, and recovery keys. See if there is a way to save them (printing out backup codes is not a bad idea), or remember to go back to the accounts to regenerate the keys to replace the lost ones. When users designate their devices as trusted devices on a service, a cryptographic key unique to that hardware is generated and stored.
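The recovery-key and backup-code schemes described above, worked through as an added Go example; this is not code from the original post or from any of the services surveyed. It assumes a hypothetical server-side Account record, uses Ed25519 from Go's standard library as the asymmetric scheme, and the email address and code count are constructed sample values. The server keeps only the public half of the recovery key and only hashes of the backup codes, which is exactly why a lost private key or a lost printout cannot be replaced from the server side, and why a stolen database does not yield usable recovery credentials.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Account is a hypothetical server-side record, not any real service's schema.
// Only the public half of the recovery key and hashes of the backup codes live here.
type Account struct {
	Email       string
	RecoveryPub ed25519.PublicKey
	BackupCodes map[string]bool // sha256(code) -> still unused?
	pending     []byte          // outstanding recovery challenge, nil when none
}

// EnrollRecoveryKey runs once at account creation. The private key is handed to the
// user for offline storage and never stored; if it is lost, nothing here can recover it.
func EnrollRecoveryKey(acct *Account) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	acct.RecoveryPub = pub
	return priv, nil
}

// IssueChallenge starts a recovery attempt with a fresh random nonce the user
// must sign. A new nonce per attempt is what stops replay of an old signature.
func IssueChallenge(acct *Account) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	acct.pending = nonce
	return nonce, nil
}

// SignChallenge is the user-side step, run wherever the offline private key is kept.
func SignChallenge(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// VerifyRecovery checks the signature against the stored public key and the pending
// nonce, then clears the nonce. Success is what authorises adding new credentials.
func VerifyRecovery(acct *Account, sig []byte) bool {
	if acct.pending == nil || acct.RecoveryPub == nil {
		return false
	}
	ok := ed25519.Verify(acct.RecoveryPub, acct.pending, sig)
	acct.pending = nil
	return ok
}

func hashCode(code string) string {
	sum := sha256.Sum256([]byte(code))
	return hex.EncodeToString(sum[:])
}

// IssueBackupCodes generates n one-time codes of 8 random bytes each (64 bits, enough
// that a plain SHA-256 of the code is not brute-forceable from a leaked table; shorter
// human-typed codes would need a slow password hash). Plaintext is shown to the user once.
func IssueBackupCodes(acct *Account, n int) ([]string, error) {
	acct.BackupCodes = make(map[string]bool, n)
	codes := make([]string, 0, n)
	for i := 0; i < n; i++ {
		b := make([]byte, 8)
		if _, err := rand.Read(b); err != nil {
			return nil, err
		}
		code := hex.EncodeToString(b)
		codes = append(codes, code)
		acct.BackupCodes[hashCode(code)] = true
	}
	return codes, nil
}

// RedeemBackupCode consumes a code; a second use of the same code fails.
func RedeemBackupCode(acct *Account, code string) bool {
	h := hashCode(code)
	if !acct.BackupCodes[h] {
		return false
	}
	acct.BackupCodes[h] = false
	return true
}

func main() {
	acct := &Account{Email: "hunter.smith@example.com"} // constructed sample account
	priv, _ := EnrollRecoveryKey(acct)
	nonce, _ := IssueChallenge(acct)
	sig := SignChallenge(priv, nonce)
	fmt.Println("recovery with offline key:", VerifyRecovery(acct, sig), "replay:", VerifyRecovery(acct, sig))
	codes, _ := IssueBackupCodes(acct, 3)
	fmt.Println("backup code first use:", RedeemBackupCode(acct, codes[0]), "second use:", RedeemBackupCode(acct, codes[0]))
}
```

The challenge-response is the part that makes the recovery key stronger than a password reset: the private key never leaves the user's offline storage, only a signature over a one-time nonce does, so an attacker who phishes one recovery session gets nothing reusable. The backup-code path is deliberately single-use for the same reason.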