
Timed code passwordRecovery

Posted: 25 May 2021, 15:54
by moccha
Hello,

I'm close to wrapping up my login code using LoginAssistant and SignupAssistant and want to purchase a license, but there is a strong need for a more secure password recovery mechanism for me.

RecoveryMode.SEND_OLD is very insecure and should never be used. The client's email is never a safe place for a plaintext password to reside. RecoveryMode.GENERATE_NEW is better, but still shares the same problem as the first and also can be used to lock a player out of their own account.

I would like to see a server-side RecoveryMode.TEMPORARY_CODE. The system would send the user a timed verification code to their email. Preferably with a configurable expiration time (in minutes) and a variable code length. If that's too complicated, sending a 6-digit code that expires in one hour would be a good base. The user can only try to recover using the code a few times before the code is erased and they must resubmit a new code. It could be easy to implement since there is already code in place to send an activation code. Perhaps it could even reuse the database field?

As it stands, is there a way to run custom code when a user requests a password reset using the SignupAssistant ($SignUp.Recover)?
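One way the proposed RecoveryMode.TEMPORARY_CODE could work server side, as an added example that is not SmartFoxServer code and not part of this thread: a 6-digit code stored only as a keyed hash, expiring after a configurable number of minutes, single-use, and erased after a few wrong guesses. The class, its parameters, the server secret and the account ids are assumptions; sending the code by email is left to the caller.

```python
import hmac
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingCode:
    code_mac: bytes      # keyed hash of the code; the plaintext code is never stored
    expires_at: float    # Unix timestamp after which the code is dead
    attempts_left: int   # wrong guesses remaining before the code is erased


class TemporaryCodeRecovery:
    """Hypothetical server-side store for timed, single-use recovery codes."""

    def __init__(self, server_secret: bytes, code_length: int = 6,
                 ttl_minutes: int = 60, max_attempts: int = 3, clock=time.time):
        self.server_secret = server_secret   # assumed per-deployment secret
        self.code_length = code_length
        self.ttl_seconds = ttl_minutes * 60
        self.max_attempts = max_attempts
        self.clock = clock                   # injectable so expiry can be tested
        self._pending: dict[str, PendingCode] = {}   # account id -> PendingCode

    def _mac(self, code: str) -> bytes:
        # Keyed hash: a leaked table cannot be brute-forced offline without the secret.
        return hmac.new(self.server_secret, code.encode(), hashlib.sha256).digest()

    def issue(self, account_id: str) -> str:
        """Create a fresh code (replacing any older one) and return it for emailing."""
        code = "".join(secrets.choice("0123456789") for _ in range(self.code_length))
        self._pending[account_id] = PendingCode(
            self._mac(code), self.clock() + self.ttl_seconds, self.max_attempts)
        return code

    def verify(self, account_id: str, submitted: str) -> bool:
        """True exactly once for the right code; expired or exhausted codes are erased."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        if self.clock() > entry.expires_at:
            del self._pending[account_id]          # expired: user must request a new code
            return False
        if hmac.compare_digest(entry.code_mac, self._mac(submitted)):
            del self._pending[account_id]          # single use
            return True
        entry.attempts_left -= 1
        if entry.attempts_left <= 0:
            del self._pending[account_id]          # too many wrong guesses: erase it
        return False
```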

Re: Timed code passwordRecovery

Posted: 26 May 2021, 08:32
by Lapo
Hi,
it's an interesting proposal, I think it would be feasible.

RecoveryMode.GENERATE_NEW is better, but still shares the same problem as the first and also can be used to lock a player out of their own account.

1) In the docs we suggest using the GENERATE_NEW mode as a temp password, meaning that a new password is created and sent to the player for their next login. Then you can invite the user to specify a new final password for his/her account.

2) It seems unlikely that this mechanism can be used to lock someone out of their account. For starters you can choose how to identify the requester, e.g. via username, email address or any other field. Using the email address should be secure enough to avoid abuses. Also the confirmation email is sent back to the account's owner, so he/she can't be locked out.

As it stands, is there a way to run custom code when a user requests a password reset using the SignupAssistant ($SignUp.Recover)?

You mean on server side? No.

Cheers

Re: Timed code passwordRecovery

Posted: 26 May 2021, 13:48
by moccha
While using email only could be a good solution, I would still like to provide a way to use email or username since some users may not recall which email they used. Most of the time these attacks are personal, so the abuser typically knows which email their target used. It's unlikely, but I have seen this abuse happen before in multiple different games.

Thank you for considering the request. I think others would appreciate this recovery method if you decide to implement it. It helps future-proof SmartFox even further.

Thanks for all your efforts :)