Password reset function should have a link to cancel the request

RESOLVED WONTFIX

Status

--
major
RESOLVED WONTFIX
9 years ago
7 years ago

People

(Reporter: clyon, Unassigned)

Tracking

unspecified
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [infrasec:auth][ws:low])

Attachments

(2 attachments)

(Reporter)

Description

9 years ago
If a user has not requested a password reset, it would be nice if the user was given the option to cancel that request. This would also be a good logging point too.
From a UX standpoint, can you point to an implementation of this in the wild? How would you authenticate the cancellation?
We should have a captcha fronting this, obviously (or you could prevent someone from resetting a password pretty easily). I suppose we could require proof that they'd remembered their password!

It probably requires a DELETE API call. Easy enough to code up, but is this really useful? We already have a pretty tight expiry on this, and there'd be a fair bit of code (we'd need to maintain a page to allow users to interface with this) to make a really corner function happen.

Comment 3

8 years ago
Isn't the standard practice to ask users to ignore the email if they didn't request it? I don't know why we would do this.
A lot of systems will include a link within the email notification to the user. For example:

If you did not request this password change and would like to cancel this transaction then please click the following link.


The link would contain a random nonce so this action couldn't be spoofed.
What does this buy us that a simple "If you didn't request this, someone probably typed the wrong email address, and it'll expire in a few hours" doesn't accomplish? I guess I'm unclear on the concern.

It's not hard to do, but it involves a lot of moving parts (it hits reg-secure) that will have to be maintained going forwards.
That's a very uncommon feature. When you get a password reset e-mail, you usually ignore it and a timeout occur. If the request was made by someone else, you also ignore it. Receiving an email with two links --one for the reset, and one for canceling the request-- can be quite confusing imo.

Comment 7

8 years ago
some comments over from bug 592161

this message seen on labs feedback channel

> I received an email from Mozilla telling my that I had asked for
> resetting Weave password. The email also said if I did not ask, I
> should not worry. Well, I did not ask but I am worried! Is my password
> for sure safe and there is no way to reset but by clicking on the link
> in that email? Can that person who requested resetting my password
> find some other way to reset it?

sounds like the e-mail received by this user could have been one of several things.

1) a phishing attack. 

should we be tracking and trying to trace phishing attacks?

2) another kind of malicious attempt at password reset and compromise

  Maybe we could beef up the message to provide the confidence this
person is looking for.   

"Its possible a third party has attempted to compromise your account.  There is
no way to reset the password except by but by clicking on the link in this
email"    maybe it would also be a good opportunity to link to a page that
provides instruction about good password management.

for options 1 and 2 should we provided an e-mail contact to report possible abuse going on?

3) just a mistaken attempt at resetting the password on another account.

this is the part that we should be telling users not to worry about, but its only 1/3 or the possible options in this situation.

while the time out is in play a user is at risk of the clear text e-mail reviling their password.   12 hours seems too long, and espcially combined with no option to cancel the request.   If a user requests a password change an hour or so seems long enough to take actionto make the change, or request another reset.

Updated

8 years ago
Duplicate of this bug: 592161

Updated

8 years ago
Assignee: telliott → nobody
Component: Server: Sync → Server: Registration
QA Contact: sync-server → reg-server
Created attachment 477554 [details] [diff] [review]
Reg-server patch to expose clear_reset api call
Attachment #477554 - Flags: review?(tarek)
Created attachment 477555 [details] [diff] [review]
reg-server-secure patch to clear reset password
Attachment #477555 - Flags: review?(tarek)

Updated

8 years ago
Attachment #477554 - Flags: review?(tarek) → review+

Updated

8 years ago
Attachment #477555 - Flags: review?(tarek) → review+
in http://hg.mozilla.org/services/reg-server/rev/9b43ca5ffad4
and http://hg.mozilla.org/services/reg-server-secure/rev/f8f858439439

This just exposes an api, not any actual approach to it. We'll need to put one in the client or something, since it requires your password

Comment 12

8 years ago
itunes apple_id reset timeout is 3 hours.

they also include this text that also has the "don't worry" message, but also follow up with "your accounts is still secure and no one has been given access to it"
 
> Questions? There are lots of answers on our Apple ID support page 
> If you weren't trying to reset your password, don't worry — your account is 
> still secure and no one has been given access to it. Most likely, someone 
> just mistyped their email address while trying to reset their own password.
> Thanks,
> Apple Customer Support

this seems closer to something that directly addresses the questions from the concerned user in comment 7

> Well, I did not ask but I am worried!
> Is my password for sure safe and there is no way to reset but by 
>  clicking on the link in that email? 
> Can that person who requested resetting my password
>  find some other way to reset it? 

A link in the e-mail to an FAQ page also seems to make a lot of sense.  as we learn about users questions and concerns we can just update that page.

Updated

8 years ago
Target Milestone: --- → 1.6
(Reporter)

Updated

8 years ago
Whiteboard: [infrasec:auth][ws:low]
This'll all come out of browserid now.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.