Update: Forgot Password #1538
Comments
Backup Codes are listed and described as an example of Offline Methods: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html#backup-codes
That works for me @mackowski - backup codes and MFA are a legitimate part of forgot-password flows and I want to get this right :)
In this CS, MFA is mixed up with backup codes and all examples refer to MFA. If you want to talk about MFA recovery, that should be stated clearly and not mixed up with best-practice forgotten-password methods without MFA. Do you have any real-world example of an application with offline backup codes without MFA?
Yeah, I have used backup codes to reset MFA when I lost the MFA device or similar.
Hehe yes, I know that method for sure. But this CS is NOT about MFA. I've never heard of or seen any real-world application using backup codes just for recovering the password (without MFA). MFA recovery with offline backup codes should be stated in the corresponding CS: https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_Authentication_Cheat_Sheet.html
I get your point. But since backup codes can be used for MFA recovery, they seem just as strong as MFA itself, if not stronger... For example, you can use backup codes to sign in to your Google account if you've forgotten your password.
100% agree. My intention for this issue is to make it clear that this section is related to MFA and has nothing to do with default password recovery methods without MFA. Alternatively, the section can be removed completely because MFA is out of scope for this CS. That's all.
@gl4nce can you make a PR for this change? I think that we should clarify that. We should remove that section and replace it with a link to the 'Resetting MFA' section of the Multifactor Authentication Cheat Sheet.
@mackowski PR for removing the Backup Codes subsection? If this is accepted, I can do that, of course.
Yes, I think it would be best if we remove that section and replace it with a link to the 'Resetting MFA' section of the Multifactor Authentication Cheat Sheet, as these topics are loosely coupled and, as you mentioned, in practice this is the only widespread and legitimate use case for an offline method. E.g. add something along the lines of: 'if the account has MFA enabled (and we encourage you to allow that) and you are looking for how to do MFA recovery, here is a link to advice on how to design MFA recovery'.
PR created: #1553
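For reference, the thread above treats offline backup codes as an MFA recovery mechanism rather than a password recovery mechanism. The following is an added example, not code from the OWASP Cheat Sheet Series or from any commenter, showing the properties that make such codes a legitimate recovery factor: high-entropy random generation, salted hashed storage so a database leak does not expose the codes, constant-time comparison, and strict single use. All class and function names (`BackupCodeSet`, `redeem`, `_hash_code`) are hypothetical; the example assumes a server-side store that persists the hashes and the used flags per user.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CODE_BYTES = 10   # 80 bits of entropy per code; brute force is infeasible even without a slow KDF
CODE_COUNT = 10   # typical number of codes issued per user


def _normalize(code: str) -> str:
    """Accept the code however the user typed it: separators and case are not part of the secret."""
    return code.replace("-", "").replace(" ", "").lower()


def _hash_code(salt: bytes, code: str) -> bytes:
    # A salted SHA-256 is sufficient because the codes are random and long; a slow KDF
    # (bcrypt/Argon2) is only needed for low-entropy secrets such as user-chosen passwords.
    return hashlib.sha256(salt + _normalize(code).encode("ascii")).digest()


@dataclass
class BackupCodeSet:
    """Hypothetical per-user record: only hashes and used flags are persisted, never the codes."""
    salt: bytes
    hashes: list
    used: list

    @classmethod
    def generate(cls, count: int = CODE_COUNT):
        """Create a fresh set. Returns (record to store, plaintext codes to show the user ONCE)."""
        salt = secrets.token_bytes(16)
        plaintext, hashes = [], []
        for _ in range(count):
            raw = secrets.token_hex(CODE_BYTES)                      # 20 hex characters
            code = "-".join(raw[i:i + 5] for i in range(0, len(raw), 5))  # xxxxx-xxxxx-xxxxx-xxxxx
            plaintext.append(code)
            hashes.append(_hash_code(salt, code))
        return cls(salt, hashes, [False] * count), plaintext

    def redeem(self, candidate: str) -> bool:
        """Consume one code. True only if it matches an unused entry; a reused code is rejected."""
        digest = _hash_code(self.salt, candidate)
        matched = None
        for i, stored in enumerate(self.hashes):
            # Compare every slot in constant time; do not break early, so timing does not reveal
            # which slot matched or whether the code was already spent.
            equal = hmac.compare_digest(digest, stored)
            if equal and not self.used[i] and matched is None:
                matched = i
        if matched is None:
            return False
        self.used[matched] = True   # single use: persist this before granting access
        return True

    def remaining(self) -> int:
        return self.used.count(False)


if __name__ == "__main__":
    record, codes = BackupCodeSet.generate()
    print("Show these to the user once:", codes)
    print("first use:", record.redeem(codes[0]))    # True
    print("reuse:", record.redeem(codes[0]))        # False
    print("remaining:", record.remaining())         # 9
```

In a real deployment the `redeem` call sits behind the same rate limiting and lockout as the primary MFA factor, and a successful redemption should trigger re-enrolment of a new MFA device rather than act as a standing login method.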
What is missing or needs to be updated?
The section Offline Methods contains wrong information. The real-world examples all lead to backup codes in connection with MFA, which is out of scope for this CS.
How should this be resolved?
The Section should be removed. AFAIK, there is no secure offline method for account recovery. Instead of removing it, this could be clearly stated there.