Web password recovery --- a necessary evil?
Fatma Al Maqbali, Chris J Mitchell

TL;DR
This paper analyzes web password recovery systems, providing a framework for systematic evaluation and offering recommendations to enhance security while acknowledging inherent vulnerabilities.
Contribution
It introduces a comprehensive model for analyzing web password recovery and offers guidelines for secure implementation.
Findings
Identifies key vulnerabilities in password recovery systems
Proposes best practices for secure implementation
Highlights areas for future research
Abstract
Web password recovery, enabling a user who forgets their password to re-establish a shared secret with a website, is very widely implemented. However, use of such a fall-back system brings with it additional vulnerabilities to user authentication. This paper provides a framework within which such systems can be analysed systematically, and uses this to help gain a better understanding of how such systems are best implemented. To this end, a model for web password recovery is given, and existing techniques are documented and analysed within the context of this model. This leads naturally to a set of recommendations governing how such systems should be implemented to maximise security. A range of issues for further research are also highlighted.
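The abstract describes recovery as a fall-back that lets a user who has lost their password re-establish a shared secret with the site. The following is an added example by the editor, not code from the paper and not the authors' model or recommendations, which this page does not reproduce. It sketches the common email-delivered one-time token pattern with the controls a practitioner would expect: the token is random and only its hash is stored, it expires, it is single use, all outstanding tokens are revoked when one succeeds, and a request for an unknown account produces no observable difference. The 15-minute lifetime, the user and record structures, and the SHA-256 placeholder for password hashing are assumptions for the illustration (a real deployment would use a slow password hash such as argon2 or bcrypt).

```python
import hashlib
import hmac
import secrets
import time

# Assumed token lifetime for this illustration; the paper does not prescribe one.
TOKEN_TTL_SECONDS = 15 * 60


class ResetRecord:
    """One issued recovery token. Only the token's hash is kept server-side,
    so a leaked database does not yield usable reset links."""

    def __init__(self, username: str, expires_at: float) -> None:
        self.username = username
        self.expires_at = expires_at
        self.used = False


class PasswordRecoveryService:
    """Toy email-style password recovery flow (constructed example).

    `now` is injectable so the expiry path can be exercised deterministically.
    `outbox` stands in for the out-of-band channel (e-mail) the token is sent over.
    """

    def __init__(self, now=time.time) -> None:
        self.now = now
        self.users: dict[str, str] = {}            # username -> password hash
        self.records: dict[str, ResetRecord] = {}  # token hash -> record
        self.outbox: list[tuple[str, str]] = []    # (username, token) "emails"

    @staticmethod
    def _hash_password(password: str) -> str:
        # Placeholder for the illustration; use argon2/bcrypt/scrypt in practice.
        return hashlib.sha256(password.encode()).hexdigest()

    @staticmethod
    def _hash_token(token: str) -> str:
        # Tokens are 256-bit random strings, so a plain hash is enough at rest.
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, username: str, password: str) -> None:
        self.users[username] = self._hash_password(password)

    def login(self, username: str, password: str) -> bool:
        stored = self.users.get(username)
        if stored is None:
            return False
        return hmac.compare_digest(stored, self._hash_password(password))

    def request_reset(self, username: str) -> None:
        """Issue a one-time token and 'send' it out of band.

        Unknown accounts are handled silently and return the same way as known
        ones, so the recovery endpoint cannot be used to enumerate usernames.
        """
        if username not in self.users:
            return
        token = secrets.token_urlsafe(32)  # 256 bits of entropy
        self.records[self._hash_token(token)] = ResetRecord(
            username, self.now() + TOKEN_TTL_SECONDS
        )
        self.outbox.append((username, token))

    def complete_reset(self, username: str, token: str, new_password: str) -> bool:
        """Consume the token and set the new password.

        Rejects unknown, expired, already-used, or wrong-account tokens, and on
        success revokes every other outstanding token for the same account.
        """
        rec = self.records.get(self._hash_token(token))
        if rec is None or rec.used or self.now() > rec.expires_at:
            return False
        if not hmac.compare_digest(rec.username, username):
            return False
        rec.used = True
        self.users[username] = self._hash_password(new_password)
        for other in self.records.values():
            if other.username == username:
                other.used = True
        return True


if __name__ == "__main__":
    svc = PasswordRecoveryService()
    svc.register("alice", "old-password")
    svc.request_reset("alice")
    _, delivered_token = svc.outbox[-1]
    print("reset accepted:", svc.complete_reset("alice", delivered_token, "new-password"))
    print("new password works:", svc.login("alice", "new-password"))
    print("token reusable:", svc.complete_reset("alice", delivered_token, "again"))
```

The injectable clock is there so the expiry branch can be tested without sleeping; the `outbox` list is the only place the raw token ever appears, which mirrors the fact that the recovery channel, not the database, is what an attacker would need to compromise.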
Taxonomy
Topics: User Authentication and Security Systems · Advanced Authentication Protocols Security · Internet Traffic Analysis and Secure E-voting
