Account Recovery: How can we do better? Without back doors?
Session Topic: Account Recovery
Convener: Jim Fenton
Notes-taker(s): John Elkaim
- Email recovery
- Telephone Agents
- Physical Recovery Tokens
- In person reset
Achieve higher LOA
- SMS recovery
- Physical mail
ATM card (Recovery...)
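As an added illustration of the "Physical Recovery Tokens" option above (this is example code, not part of the session notes or any named product), here is a server-side model of one-time recovery codes: codes are generated with a CSPRNG, only their hashes are stored, each code can be redeemed once, comparison is constant-time, and repeated failures trigger a temporary lockout. The code length, group formatting, failure threshold and lockout duration are my assumptions, not values from the session.

```python
import hashlib
import hmac
import secrets
import time

CODE_BYTES = 10         # 80 bits of entropy per code (assumed parameter)
MAX_FAILURES = 5        # failed redemptions before lockout (assumed)
LOCKOUT_SECONDS = 900   # lockout duration in seconds (assumed)


def _hash_code(code: str) -> str:
    """Hash a recovery code for storage.

    Codes are high-entropy and random, so a plain SHA-256 is adequate;
    normalising case and separators lets users type them loosely.
    """
    normalised = code.replace("-", "").strip().lower()
    return hashlib.sha256(normalised.encode()).hexdigest()


class RecoveryCodes:
    """Per-account store of one-time recovery codes (constructed example)."""

    def __init__(self, n: int = 8):
        self.hashes = set()
        self.failures = 0
        self.locked_until = 0.0
        self._plaintext = []  # handed to the user exactly once, then dropped
        for _ in range(n):
            raw = secrets.token_hex(CODE_BYTES)  # 20 hex chars
            code = "-".join(raw[i:i + 5] for i in range(0, len(raw), 5))
            self._plaintext.append(code)
            self.hashes.add(_hash_code(code))

    def issue(self) -> list:
        """Return the plaintext codes once (to print or give in person)."""
        codes, self._plaintext = self._plaintext, []
        return codes

    def remaining(self) -> int:
        return len(self.hashes)

    def redeem(self, code: str, now: float = None) -> bool:
        """Consume one code. Returns True on success, False otherwise."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return False  # locked out; do not even evaluate the code
        candidate = _hash_code(code)
        # Compare against every stored hash without early exit.
        match = None
        for stored in self.hashes:
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.failures = 0
                self.locked_until = now + LOCKOUT_SECONDS
            return False
        self.hashes.discard(match)  # one-time use: a replayed code fails
        self.failures = 0
        return True


if __name__ == "__main__":
    store = RecoveryCodes(n=4)
    issued = store.issue()
    print("issued:", issued)
    print("first use ok:", store.redeem(issued[0]))
    print("replay ok:", store.redeem(issued[0]))
```

In a real deployment the `hashes`, `failures` and `locked_until` fields would live in the account database, the issued codes would be shown or printed once, and the lockout would be combined with the same abuse monitoring used for the login path, since recovery is an alternate authenticator with the same value to an attacker.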
It is easier for the user to recover without a password; security questions are just a password for another password.
CyberID cyber punk
Password managers...sync (KeePass on iPhone)
Password recovery is an inherent vulnerability. You are exposed even if you don't want it.
Certain apps don't use SSL to communicate the data, or store passwords locally.
Different levels of recovery depending on data sensitivity and physical verification (a bank vs. The New York Times)
Panic code at the ATM: allows the maximum withdrawal and informs the authorities of the theft (Barclays UK)
Which IdP to use for recovery? What is your identifier? Often it is already taken.
Users can get SIM cards without credentials in Ireland, while in Switzerland extensive verification is required (passport...)
Not on the blacklist: authorize the link with the device while preserving anonymity