Account Recovery is a disaster

or: Every time security closes a door, a UX designer opens a window

July 22, 2020

Your IT staff is constantly hounding you about your passwords. Applications give insane requirements about capital letters and special characters, then tell you that you can't use THOSE special characters, with no rhyme or reason as to why. (Here's a fun list of that insanity)

Applications care so much about passwords because they're the primary method we have to know who you actually are. With your password an attacker can take your place in the application, so when you use "password" as your actual password it makes it really hard for us to keep your account secure. Because maybe, just maybe, an attacker might think to try that one out.

Here we're going to talk about another challenge in authenticating you as a user: account recovery, or what happens when the normal methods we have to verify you as a user don't work.

Open Sesame

A properly used password is like a unicorn: beautiful, majestic, and just as rare. The sins of passwords are too numerous to go into here, so we’ll assume for now that you’ve done everything right. Your password is long, complex, and never used anywhere else. Information security staff build shrines to your magnificence and hackers shudder at the thought of trying to brute-force that perfect password.

But now you’ve forgotten it.

Of course you’re using a password manager (Bitwarden, LastPass, etc.), so this would never happen, but let's pretend there was a glitch and that shining paragon of security is gone, evaporated just like all that bitcoin sent to the Twitter hacker.

So now you’re in the mess that is account recovery. There are lots of ways to do this, but let's talk about the two most common: verification questions and fallback accounts.

Verification Questions

Verification Questions are those not-at-all ambiguous questions that are supposed to be based on facts about your life. Things like:

What city were you born in? or What’s your favorite color?

There are a number of problems with this approach. The biggest is that many of these questions are matters of public record, or are easy to discover or guess. If you really think about it, this is basically just another password into your account, and one that is often much simpler to guess than your actual password. The questions have a much smaller range of answers ("Favorite make of car") or are just flat out public knowledge. So it’s no wonder that this has been a very common method to hijack accounts.

Fallback accounts

Fallback accounts have become a widespread method for recovery. This is where you supply something like an email address or your phone number; when you try to recover your account, the system sends a link to that email or phone that takes you directly into a reset flow.

Which is great, unless your email account gets hacked or someone hijacks your SIM. Another fun aspect of email account recovery is that if I, as a mean-spirited attacker, gained control of someone’s email, one of the first things I’d do would be to scan for every account activation email sent there, then use the hijacked email to reset all those passwords.

Again, really thinking about this, text messaging gets you into the “something you have” space, but it is far from perfect, while email is really just another possible password into the original target system. After all, if I know your email password I can get into the target account through the reset.

The recent Twitter hack shows another problem. At this time (and this could change as more details come out), it seems like the attacker got access to internal control panels, changed users' account recovery email addresses, used that to take over the accounts, and then ran one of the least ambitious cash-grabs in recorded history.

The problem with all of this...

The easier it is to recover your account, the easier it is to break into it.

The Twitter attack was unusual, but not unique, in that the attackers went right to the source and got internal access to the systems themselves. The implications of that are significant. A rogue or compromised employee or system can do whatever they want, including posing as you in messages to grab more data and further damage your company’s reputation. Even the more common scenario of a breach with a stolen database can be a disaster if it's sensitive client data instead of a bunch of Twitter arguments.

Some industries are better than others about this, mainly because regulations force them to be. But ultimately, any system that can recover your account from completely lost credentials inherently has full access to your account. You are relying on the good intentions and security of everyone running that system for you.

For the Twitter of ten years ago this would have been embarrassing, but ultimately not that big of a deal. Now, though, Twitter has become a platform for a lot of information that seems to have outpaced their security model.

With great responsibility comes ... responsibility

Pritact's goal is to have as little access to your data as possible. We can't read what's being said or track which clients you're messaging. If we reset your password we would be unable to read your messages or even see your list of clients. This would be the same for an attacker if they somehow managed to get access to our underlying data or systems.

This data is between you and your clients. Their personal information should be put at as little risk as possible, and that means exposing it to as few people as possible. That's where the tradeoff always sits: security vs. convenience. It's convenient to have a nice, simple account recovery method. But it's not secure. We offer methods that enable you to recover your account, but they all require you to manage them. It's your data and your responsibility. We give you the tools to control it.
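The design described above, as an added example rather than Pritact's own code: the data key is wrapped under a password-derived key and, separately, under a user-held recovery key, so a server-side password reset alone unwraps nothing. The keystream cipher built from HMAC is a standard-library stand-in for a real AEAD such as AES-GCM; all names and sample values are constructed for the example.

```python
import hashlib, hmac, os

def derive_kek(secret: bytes, salt: bytes) -> bytes:
    # scrypt is deliberately slow, so short passwords are costly to guess offline
    return hashlib.scrypt(secret, salt=salt, n=2**14, r=8, p=1, dklen=32)

def _subkeys(key: bytes):
    # separate keys for the keystream and the tag (domain separation)
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    # encrypt-then-MAC; output is nonce || ciphertext || tag
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key (or tampered blob): nothing is revealed
    return _xor_stream(enc_key, nonce, ct)

def create_account(password: str, recovery_key: bytes, data: bytes) -> dict:
    # Everything the server stores; the bare data key (dek) never leaves the client.
    salt, dek = os.urandom(16), os.urandom(32)
    return {"salt": salt,
            "dek_by_password": seal(derive_kek(password.encode(), salt), dek),
            "dek_by_recovery": seal(derive_kek(recovery_key, salt), dek),
            "data": seal(dek, data)}

def read_data(acct: dict, password: str):
    # A staff-reset login password derives a different key, so this returns None.
    dek = open_sealed(derive_kek(password.encode(), acct["salt"]), acct["dek_by_password"])
    return None if dek is None else open_sealed(dek, acct["data"])

def user_recover(acct: dict, recovery_key: bytes, new_password: str) -> bool:
    # Only the user-held recovery key can unwrap the data key and re-wrap it.
    dek = open_sealed(derive_kek(recovery_key, acct["salt"]), acct["dek_by_recovery"])
    if dek is None:
        return False
    acct["dek_by_password"] = seal(derive_kek(new_password.encode(), acct["salt"]), dek)
    return True
```

Anyone who can reset the login password, or who copies the stored record, holds only wrapped keys; recovery still depends on material the user manages.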