I am developing an ASP.NET Core web application with user management functionalities. My question is about the email address changing algorithm. Almost every web app I saw before have the following flow:
User authorized
User requested an email address change
User received a message on the new mailbox with the confirmation link
User clicks the link and the email address updates
But I think, this algorithm might be a bit insecure and that is what I want to discuss here.
How about this flow:
User authorized
User requested an email address change
User received a message on the old mailbox with the confirmation link
User received a message on the new mailbox with the second confirmation link
User clicks the link and the email address updates
With this additional step in the middle of the algorithm, things may be much better from the security perspective, but would it be too complex or not? How do you think what algorithm I should implement? And what would you prefer if you will be in my shoes?
The second options might sound great, and it's not too much headache to implement too. But I'll stick with the first approach due to some reason:
Common work flow pattern.
As the backend side can be wrote by many language, by various developers, so common pattern would make things more standard when we need some kind of migration, and even maintaining by new developer. If the project doesn't require ultra-secure authentication flow, the simplicity of first approach was enough.
From user convinient pespertive
Let's just imagine when changing an email address, what case the user likely want to change email address ? I was register my facebook account long ago using yahoo mail, that's no-longer active, and i need to switch to a gmail one. What's the point of sending the email back to the old one ? Cumbersome... and i can do nothing in this case except get some help from the staff.
I totally aggree with the second approach on security angle. But that's not suitable for most of the case, only implement if the project have some requirement. And even in that case, I suggest don't even do that too, build some thing like sub-admin account role and grant permission to someone have responsible. Like Google enterprise email organize some account called admin if anything wrong happen to user account. As long as it has this kind of security level requirement, it's not gonna serve massively user.
The intension of all the flow
The User got authorized first, right, that's mean we Identified what the user are, and what she capable to do. Imagine when we hide a hotel room then request to change to another due to some reason. What's the point of proving that's I booked my own room, since we all know that's the fact ? Kinda weird... right ?
To conclusion, I think we shouldn't mess with something that's become common pattern that widely acknowledged, except we have some special requirements and the project have something uniquely to satisfy, and we consider ourself, as developer that's reasonable.
The main problem with this approach is: what happens if the user no longer has access to their original email account? Perhaps it was a work/school/uni account that they no longer have, or perhaps they've just forgotten their password or otherwise lost access to it.
With your second approach, they are not going to be able to update to the new account, because they'll never receive the first confirmation link.
How about the following approach instead:
User requests an email change.
Require the user to re-authenticate with their current password (just like when they change their password).
Send a confirmation link to their new email.
Send a notification to their old email, with the details of the change, and instructions of what to do if they didn't initiate the change.
User clicks the link to update or contacts your support to say their account has been compromised.
This way you still provide them with an alert that someone is trying to change their email (and potentially a means to stop it), but a user who has lost access to their old account will still be able to update their email.
Related
I am trying to make a login and registration page using Laravel, but I came across two concepts in the official Laravel Documentation - Authentication and Authorization. I am unsure as to which one to use to check login details with the ones in the database, since they sound very similar. If I use one of them to login users, then what is the use of the other one. Please explain with some examples and codes.
Authentication is a process of making sure your user is authenticated/logged in to do stuffs in your app.
Authorization is a process of making sure your authenticated user have access to any stuffs in your app.
I will try to explain it as a short story so you can understand better and easier. It going to be a bit longer but you will get the idea.
Imagine those are the guards of a military base, you want to get in to the base. "Mr. Authentication" stops you in front of the gate and said "Hey, who are you? Only registered users are allowed to get in the base. Please fill this form to verify that you have already registered. Otherwise, please register yourself as new user and show me the form you've filled".
You do register yourself and are allowed to get in. Now you are authenticated. Inside the base, you found a room with hazard symbol near the barracks. You are curious and decided to get in but then you met "Mr. Authorization".
He said.. "Good morning sir, I've never seen you yet before. This is our laboratory, only Professor have rights to get in here. Otherwise, I will need to get you out of here. Can I see your authentication pass, please?."
You shows your pass, he looks at it and realize you are a new member of that base and your role were limited to Temporary Member.
He holds your hand and drags you outside the room, and he said "Apologize sir, you have no rights to access this room, please explore the base wherever you like but not this place. If you are keep going back, I might drags you out like this again".
Back to topic
Laravel has built in authentication stuffs you can get by using php artisan:make auth command and you're probably no need to make it your own at some cases. This will do an Authentication stuffs like Logging in the user or Register a new one for you out of the box.
So, if you want to check login details with the ones in the database, this is exactly what you need. After the user can login, you might want to limit their access at some pages. Here is when the Authorization comes for the job.
I have a bot command that needs users to sign in first in order to get the answer. For example, if user types in list my saved movies, the bot will send a sign in card with a sign in button. After the user signs in, the bot should give user the answer for the original command, but currently I don't know how yet. Do you have any idea how can I achieve this?
The Bot Framework includes the ability to save different kinds of state, most particularly "user" state, which is tied to the user themself, and conversation state which is tied to just a particular conversation. One of these, in particular conversation state, could be useful - you could save the command into conversation state, do the signin, and then check from there what command triggered the signin and therefore what to do next. I haven't done a lot of work with signin, but I think that should work. More info on this is available at save user and conversation data.
Just to confirm, I see you've tagged the question with MSTeams, so I assume the command you're offering the user requires access to, say, the Microsoft Graph or similar? I'm asking because you don't necessarily need to authenticate the user per se, if they're just accessing data in your own database, as an example - they're authenticated via the Teams client already - you'd want signin, I guess, in order to get a token so that you can call something else on behalf of the user (e.g. OneDrive)?
Hope that helps
An Customer ask me to implement it at his Webpage, because he don't have the technical Skills to do so.
I wonder, what's the right way to do this.
On other Google-Services (like Google Search Console) the User can sign into his account and grant me permissions as Guest (he invite me as guest to his account and gave me permissions).
This is a clean way to do, because If I stop working for this customer, he can easily remove the permissions of my login and all is fine.
But how does it work at Google ReCaptcha?
Looking forward to hear, how you solve this.
it better to use the user's credentials for this purpose, just take client's primary or secondary email (or create a email for the project) and make it base for everything that's needed for your project like recatcha, search-console etc. you can use it as long as you are working, and client can simply change n give the credentials to next developer and he can continue.
i am web developer and i face this situation many times, this is best solution in my opinion.
Hello Guys I have been using ReCaptcha in my apps register forms. I have seen a lot of examples of captcha in signup forms. My question is if I implement a custom Captcha such as when a user Registers I send a confirmation email and a auto generated code/passphrase/ turing test that is converted into an image with some sort of effects to distort it. Since we are sending a confirmation email anyway why not use it for a turing test and get rid of captcha in the form?
I understand that the advantages/disadvantages can be
1) If the user has entered an incorrect email then he wont get access to turing test but that is the whole point of a confirmation email.
2) Distorted image may not be readable and/or refresh-able but since we are just distorting sth that is an autogenerated by code we can make it a little bit more readable than scanned images that captcha images.
I can only think of the above two situations. Please point out any thing else that you think should be taken into consideration.
Having a CAPTCHA that covers the registration process is important to protect you from bots whose sole purpose is to generate as many users as possible with the intent of using those users to post/add content on your site with links back to a site that they are trying to improve SEO on. This is only one way in which malicious users can utilize multiple accounts on a site for their own purposes.
The registration email protects your users as much as you by creating a way a means of resetting lost passwords, proving ownership, etc.
Both parts should be included when validating users. I also recommend running ip counting on new user attempts. Typically, locking after the 2nd user created is fairly safe as long as you provide a link that states why they have been prevented and a means of creating additional accounts on that ip.
None of these procedures is failsafe but together they provide a medium level of anti-spam protection. Of course, these days people defer user maintenance to social media sites like Google and Facebook.
So, in the case of applications where security is of great importance - how would implement the challenge question idea. That is...you would:
Detect if the computer IP has changed and hence ask for the challenge question.
Detect if the cookie is missing.
Detect if the computer name is different.
Some combinations of the methods above?
I am currently working on a forex platform...in asp.net/c# and thinking on how to implement thi feature for best results. I think the best and only way will be to check for a cookie change - since if i base on the ip - the ip might be dinamic by the isp of the client - also if i count on computer name then it's not that bright since the computer might be used by more than the user in question...of course if i count on the cookie then the browser might be used by more than a single person...but this is why this is an additional security measure and not the very password/username authentification.
Other than that getting the computer name (if possible??) + cookie change seems to be the best method. I am tagging this as c#/java since the 2 are very common these days when it comes to authentification and security.
10x!
One thing facebook did that I thought was good... You can enable an option to have them put a cookie in your browser... Unique for each computer you use... Then if someone without a cookie in the browser logs in to your account, they send an email to you letting you know... I think they geolocate the source ip of the unknown computer and put it in the email as well... So if you live in the US, you wouldnt expect a login from Russia. Not everyone accepts cookies, but for those who do, this optional feature is great and financial firms should do it too...
My bank (and many others) rely on some form of constant two factor auth Could be as simple as your best friend's name, or if they're like my online broker, high value accounts over a certain balance threshold get a time based password token. You must login first with your password, and then with the token number.
Most financial sites used a hosted picture from their site that you choose to have displayed for your password logins... This helps reduce the risk of phishing losses.