Account Recovery: How can we do better? Without back doors?

From IIW

Session Topic: Account Recovery

Thursday 3H

Convener: Jim Fenton

Notes-taker(s): John Elkaim

Sub Topics

- "Security Questions"

- Email recovery

- Telephone Agents

- Physical Recovery Tokens

- In person reset


Achieve higher LOA

- SMS recovery

- Physical mail


Main domain

Domain registrar

DNS service

Password reset

ATM card (Recovery...)

It is easier for a user to recover without a password; security questions are just a password for another password.

CyberID cyber punk

Password managers... sync (KeePass, iPhone)

Password recovery is inherently a vulnerability. You are exposed even if you don't want it.

Certain apps don't use SSL to communicate the data, or store passwords locally.

Different levels of recovery depending on data sensitivity and physical verification (a bank vs. the New York Times).

Panic code at the ATM: allows the maximum withdrawal and informs the authorities of the theft (Barclays UK).

Which IdP to use for recovery? What is your identifier? Often it is already taken.

Users can get SIM cards without credentials in Ireland, while in Switzerland extensive verification is requested (passport...).

Not on the blacklist: authorize a link with the device, with anonymity.