Are account recovery options secure?

Users who are concerned about their security online usually want their accounts protected by several layers of security. If you have the memory of a goldfish, you might constantly forget the passwords for your different accounts, especially if you try to create a different and complicated one for each of them. People who forget their credentials can turn to relatively old tricks for recovering accounts. Almost all online services offer account recovery options, but are they really secure? Experts detect flaws in this process, emphasizing that methods for account recovery are in desperate need of improvement. Let’s discuss each option separately.

Security Questions

A couple of years ago, protecting accounts with security questions was a huge trend. People used the names of their dogs, old hometowns, family members, and other information that was allegedly known only to a specific number of individuals. Some services provided pre-written questions about details of users’ lives, and others allowed users the luxury of constructing original questions to secure their accounts. Nevertheless, this option proved to be insecure, basic and elementary. Even though these questions were assumed to be complicated and difficult to answer correctly, people might have been unaware that such information is exchanged in everyday interactions all the time.

When you start to get to know someone, you might mention your first, adored pet or open up about your dream job. Given that many people meet online, it is possible that such information is being freely given to questionable parties. In other cases, some of this information might be available on your Facebook, Twitter or basically any other social networking account. In many cases, the posted material and personal information are set to be visible to the public, which means that anyone can see your full account. If you have no choice but to set security questions in order to secure your account, you should think of unique questions and even more original answers. Do not use information about yourself that is available online.

Security Code

If you are a loyal client of, let’s say, Gmail, you might have noticed that it is possible to set up a phone number to recover your account. In case you forget your password or lose access to your account, you can receive a verification code from Gmail at the phone number you provided. At first glance, this option looks quite secure. You lose your password, contact the service and request a new verification code. In addition, the phone number can be used in other ways to protect your account.

For example, you might choose to receive a message every time someone logs into your account from a different device. You can also opt to get a notification after your password is changed. Looks pretty decent, right? But actually, this option also has a couple of flaws. If you have ever attempted to assign your old number to a new SIM card, you may be aware that this procedure is not that difficult to carry out. Surprisingly, sometimes it is enough to contact your phone company via a phone call or online. To be convinced that the request comes from the legitimate owner, the company is probably going to require you to disclose some information. However, if hackers REALLY want to get into your account, they will find ways to dig it out.

Email address

Adding an email address as your recovery contact is quite similar to setting up a phone number. It will be used to help you create a new password in case you forget your old one. In addition, the service might opt to inform you about any odd activity that might have taken place in your account. As you might have noticed, every account recovery option has its flaws. If you provide another email address of yours as your recovery contact, you have to make sure that it is not going to be hacked. If hackers are aware of your email address and know that you have set it as your backup, they can attempt to use this information against you.

Delegated Recovery

From the 31st of January, GitHub is going to start using a fresh delegated recovery option. This means that you will be able to use your Facebook account to provide additional authentication in GitHub. In order to use this innovative alternative, you will have to save a recovery token with your Facebook account beforehand. The token is going to be encrypted, and your personal information from both Facebook and GitHub is guaranteed to remain private. To make sure that this option is even more secure, it is going to be protected by HTTPS encryption. How does it differ from the earlier mentioned methods for account recovery? Well, delegated recovery takes place when the recovery token is exchanged between the two parties. In order to urge other services to add this option, the protocol for it is provided here.
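
A simplified model of the token exchange described above, added here as an illustration; it is not GitHub's or Facebook's code and not the published protocol. The class names, the user ids and the use of an HMAC-tagged random id in place of the encrypted token are assumptions made for the sketch.

```python
import hashlib
import hmac
import os


class AccountProvider:
    """Stands in for the service whose account is being recovered."""

    def __init__(self):
        self._key = os.urandom(32)   # never leaves the account provider
        self._pending = {}           # token id -> local user id

    def _tag(self, token_id):
        return hmac.new(self._key, token_id.encode(), hashlib.sha256).hexdigest()

    def issue_token(self, user_id):
        # The token is a random id plus an integrity tag: no name, email or
        # other personal data is handed to the recovery provider.
        token_id = os.urandom(16).hex()
        self._pending[token_id] = user_id
        return f"{token_id}.{self._tag(token_id)}"

    def redeem(self, token):
        """Return the user id to recover, or None if the token is rejected."""
        token_id, _, tag = token.partition(".")
        if not hmac.compare_digest(tag, self._tag(token_id)):
            return None                           # forged or altered token
        return self._pending.pop(token_id, None)  # single use: a replay gets None


class RecoveryProvider:
    """Stands in for the service that stores the token for its own user."""

    def __init__(self):
        self._vault = {}             # its own user id -> opaque token

    def save(self, own_user_id, token):
        self._vault[own_user_id] = token

    def release(self, own_user_id, authenticated):
        # Hand the token back only after this provider has authenticated the user.
        return self._vault.get(own_user_id) if authenticated else None


def demo():
    account, recovery = AccountProvider(), RecoveryProvider()
    token = account.issue_token("octo-user")      # constructed user ids
    recovery.save("fb-user-1", token)
    returned = recovery.release("fb-user-1", authenticated=True)
    return account.redeem(returned), account.redeem(returned)
```

The recovery provider only ever holds a value it can neither read nor forge, and the account provider accepts each token once.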



About the author

 - Main Editor

I started in 2007 after wanting to be more or less independent from a single security program maker. Since then, we have kept working on this site to make the internet a better and safer place to use.

