Timed code passwordRecovery
Posted: 25 May 2021, 15:54
Hello,
I'm close to wrapping up my login code using LoginAssistant and SignupAssistant and want to purchase a license, but there is a strong need for a more secure password recovery mechanism for me.
RecoveryMode.SEND_OLD is very insecure and should never be used. The client's email is never a safe place for a plaintext password to reside. RecoveryMode.GENERATE_NEW is better, but still shares the same problem as the first and also can be used to lock a player out of their own account.
I would like to see a server-side RecoveryMode.TEMPORARY_CODE. The system would send the user a timed verification code to their email. Preferably with a configurable expiration time (in minutes) and a variable code length. If that's too complicated, sending a 6-digit code that expires in one hour would be a good base. The user can only try to recover using the code a few times before the code is erased and they must resubmit a new code. It could be easy to implement since there is already code in place to send an activation code. Perhaps it could even reuse the database field?
As it stands, is there a way to run custom code when a user requests a password reset using the SignupAssistant ($SignUp.Recover)?
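One way the requested RecoveryMode.TEMPORARY_CODE flow could look, as an added illustration that is not the framework's own code: a code is generated with a CSPRNG, only its hash is kept (so the database field never holds the usable code), it expires after a configurable number of minutes, and it is erased once used or after a few failed attempts. The `RecoveryCodeStore` class, its fields and the injectable `clock` are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class PendingCode:
    code_hash: bytes      # hash of user:code, never the code itself
    expires_at: float     # absolute epoch seconds
    attempts_left: int    # remaining guesses before the code is wiped


@dataclass
class RecoveryCodeStore:
    # Hypothetical store for a timed recovery code (example code, not part of any product).
    code_length: int = 6
    ttl_minutes: int = 60
    max_attempts: int = 3
    clock: Callable[[], float] = time.time   # injectable for testing expiry
    _pending: Dict[str, PendingCode] = field(default_factory=dict)

    def _hash(self, user: str, code: str) -> bytes:
        # Bind the hash to the user so a code issued for one account is useless for another.
        return hashlib.sha256(f"{user}:{code}".encode()).digest()

    def issue(self, user: str) -> str:
        # secrets.choice draws from the OS CSPRNG; the digit string is what gets e-mailed.
        code = "".join(secrets.choice("0123456789") for _ in range(self.code_length))
        self._pending[user] = PendingCode(
            self._hash(user, code), self.clock() + self.ttl_minutes * 60, self.max_attempts
        )
        return code  # caller sends this to the user; only the hash was persisted

    def verify(self, user: str, code: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self.clock() >= entry.expires_at:
            del self._pending[user]          # expired codes are discarded on first touch
            return False
        entry.attempts_left -= 1
        ok = hmac.compare_digest(entry.code_hash, self._hash(user, code))
        if ok or entry.attempts_left <= 0:
            del self._pending[user]          # single use, or wiped after too many failures
        return ok
```

A user whose code was wiped simply requests a new one; a new request should also overwrite any still-pending code so only one is live per account.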