
We want to set up a flow something like this:

  1. We create account for a high-value user from our admin section
  2. They get an automated email containing login details for our site in some form
  3. They follow the link, confirming their account, and see a form that prominently asks them to reset their password
  4. This seems to be the tricky bit: if they navigate away before setting their password and come back later (having potentially logged out/come from another machine etc) we want them to still be able to access their account without having to request a password reset

As far as I can see there's no secure way of doing this, since it would require at least a repeat-use login token to go to them via email.

So my questions are:

1) Have I missed some way of doing this securely? (with apologies to theI3I, who answered a similar question I posted without the fourth requirement here)

2) One approach we've discussed is sending them a reusable login token with an expiry date, so that a) at least it's not going to get broken by a rainbow attack, and b) we minimise the window of vulnerability. I know this isn't ideal, but (if there's a meaningful way to answer this question) how big a risk is this? Does it matter much how long the use period is? And is there any way to minimise the risk other than just reducing use period (or also-imperfect-but-better way to achieve the same desired effect)?

If relevant, we're using a Rails/Devise backend.

Thanks in advance.

Arepo
  • Personally, I'd suggest preventing them from navigating away until they've set a password - otherwise, you'll always have a potential hole in the form of the email link. Not much you can do if they go to another site or close the browser, but you can certainly prevent them getting to anything else in your site. There may be business reasons why you can't do this though. – Matthew Feb 07 '17 at 22:12

1 Answer


You could automatically send a newly generated link when the user navigates away from the page (they'll soon learn to stop doing that when they have 30 emails!). You could rate limit this to send, say, once a day.

Or you could just keep the token open until the password is set, which could leave the token out there indefinitely. Which as you say, is far from ideal.

Or you could take the second approach but add a time expiration rather than expiring the link the moment the visitor uses it, so it is valid until the password is set or, say, 3 days have passed. You could then send a new link, or require manual activation/password reset. Personally I'd prefer this one, as, if the email is never received for whatever reason (full inbox/server problems), the activation link isn't gone forever. This could then time out after a further arbitrary period to give up and block the account, rather than keep the account pending indefinitely.

Ultimately it's down to your risk appetite and what you see as the threat model. Either way it won't be perfect from a security perspective, as the email may well be sent in clear text at some point on its journey.

I don't see a perfect solution to your issue, no :(

user2867314
  • Thanks for the confirmation, anyway. I would upvote, but I don't have enough reputation to :\ – Arepo Feb 08 '17 at 11:00
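As an added example, not code from the question or the answer, and independent of Devise, the following plain Ruby shows how the answer's preferred option (a token that stays valid until the password is set or a fixed lifetime passes) and its rate-limited re-send suggestion could be implemented. The class and method names, the 3-day lifetime, the once-a-day re-send limit and storing only a SHA-256 digest of the token are illustrative choices; the clock is fixed so the walkthrough is deterministic.

```ruby
require "securerandom"
require "digest"

# Added example (not from the original post): reusable, time-limited
# activation tokens kept in memory. A real app would persist Record in a table.
class ActivationTokens
  TOKEN_BYTES = 32              # 256 bits of entropy; guessing it is infeasible,
                                # so a fast hash at rest is enough (no bcrypt needed)
  DEFAULT_TTL = 3 * 24 * 3600   # the answer's "say, 3 days", in seconds

  Record = Struct.new(:digest, :user_id, :issued_at, :expires_at, :consumed)

  def initialize
    @by_user = {} # user_id => Record; one live link per user
  end

  # Issue a fresh token. The raw value goes into the email; only its digest
  # is stored, so a read of the database does not yield a usable login link.
  def issue(user_id, now: Time.now, ttl: DEFAULT_TTL)
    raw = SecureRandom.urlsafe_base64(TOKEN_BYTES)
    @by_user[user_id] = Record.new(digest(raw), user_id, now, now + ttl, false)
    raw
  end

  # Re-send path from the answer, rate limited to one new link per day.
  # Returns nil when too soon; a reissue replaces the previous token.
  def reissue(user_id, now: Time.now, min_interval: 24 * 3600, ttl: DEFAULT_TTL)
    rec = @by_user[user_id]
    return nil if rec && now - rec.issued_at < min_interval
    issue(user_id, now: now, ttl: ttl)
  end

  # Exchange the token from the link for its user_id. Returns nil when unknown,
  # expired or consumed. Until the password is set the same link can be
  # redeemed repeatedly, which is requirement 4 from the question.
  def redeem(raw, now: Time.now)
    d = digest(raw)
    rec = @by_user.values.find { |r| secure_equal?(r.digest, d) }
    return nil if rec.nil? || rec.consumed || now >= rec.expires_at
    rec.user_id
  end

  # Called once the user sets a password: the emailed link stops working.
  def consume(user_id)
    rec = @by_user[user_id]
    rec.consumed = true if rec
    !rec.nil?
  end

  private

  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end

  # Constant-time comparison so response timing does not leak digest prefixes.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Walk the flow from the question with a fixed clock (constructed data).
def demo
  store = ActivationTokens.new
  t0  = Time.utc(2017, 2, 8, 12, 0, 0)
  day = 24 * 3600
  raw = store.issue(42, now: t0)
  out = {}
  out[:first_visit]        = store.redeem(raw, now: t0 + 60)               # 42
  out[:return_visit]       = store.redeem(raw, now: t0 + 2 * day)          # 42, still valid
  out[:expired]            = store.redeem(raw, now: t0 + 3 * day)          # nil, lifetime over
  out[:tampered]           = store.redeem("not-" + raw, now: t0 + 60)      # nil
  out[:rate_limited]       = store.reissue(42, now: t0 + 3600).nil?        # true, too soon
  raw2 = store.reissue(42, now: t0 + 25 * 3600)                            # new link next day
  out[:old_after_reissue]  = store.redeem(raw,  now: t0 + 26 * 3600)       # nil, replaced
  out[:new_after_reissue]  = store.redeem(raw2, now: t0 + 26 * 3600)       # 42
  store.consume(42)                                                        # password set
  out[:after_password]     = store.redeem(raw2, now: t0 + 26 * 3600)       # nil
  out
end
```

`redeem` only identifies the user; what the resulting session may do is a separate decision, and restricting it to the set-password page, as the comment on the question suggests, keeps the emailed link from being a full login.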