Security Tip: Password Resets and MFA?
[Tip #120] How should we safely handle resetting forgotten passwords without compromising the protection that MFA provides?

So far in our series on MFA, we've covered Setting up 2FA, using 2FA for more than just logins, and Account Recovery for forgotten MFA, but there is one rather large piece that I forgot to cover and have left until now... Resetting Forgotten Passwords when MFA is enabled!
The scenario is a simple one: The user has MFA enabled on their account, and still has access to their TOTP app, but they've forgotten their password!
There are two ways you could go about solving this:
- Let the user reset their password through the standard email verification flow. Once they change their password, do not log them in automatically; instead, require them to complete a full login, including their MFA verification. (Don't forget to revoke all remember tokens too!)
  - The worst case here is that an attacker who hijacks the user's email account can change their password, but they still cannot get into the account, as they don't have the MFA token.
- Require MFA verification during the password reset workflow, in addition to email verification, and only allow the password change once the user has been fully authenticated.
Either option works, so pick the one that works best for you.
Important Note: When the user has multiple authentication factors, do not allow a single factor to disable or bypass the user's other authentication factors.
I.e. don't allow an OTP to reset the password without also verifying the user's email address, and conversely don't reset the OTP on the strength of an email verification alone.
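The two flows above and the rule that no single factor may bypass another, as an added example modelled in Python rather than Laravel (this is not code from the newsletter or from Laravel itself): a small account model with a real RFC 6238 TOTP computation, a single-use emailed reset token, and a `complete_password_reset` that never creates a session and revokes every remember token. `require_mfa=False` is option 1 (email proof alone changes the password, then a full login with MFA is required), `require_mfa=True` is option 2 (the TOTP code is checked during the reset itself). The `demo` scenario, the account names, the TOTP seed and the email address are all constructed for the example.

```python
"""Hypothetical model of a password reset that keeps MFA intact (added
example, not code from the newsletter or from Laravel)."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import Optional


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as the user's authenticator app computes it."""
    counter = int(at // step)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(password: str, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, stored[:16]), stored)


@dataclass
class Account:
    email: str
    password: bytes                      # salt + PBKDF2 hash
    totp_secret: bytes
    remember_tokens: set = field(default_factory=set)
    sessions: set = field(default_factory=set)
    reset_token_hash: Optional[bytes] = None
    reset_expires: float = 0.0


def start_password_reset(acct: Account, now: float, ttl: int = 3600) -> str:
    """Issue a single-use reset token; the return value stands in for the link
    that would be emailed to the user."""
    token = secrets.token_urlsafe(32)
    acct.reset_token_hash = hashlib.sha256(token.encode()).digest()
    acct.reset_expires = now + ttl
    return token


def verify_totp(acct: Account, code: Optional[str], now: float) -> bool:
    if not code:
        return False
    # accept the current step and the previous one to tolerate clock drift
    return any(hmac.compare_digest(totp(acct.totp_secret, now - d), code) for d in (0, 30))


def complete_password_reset(acct: Account, token: str, new_password: str, now: float,
                            require_mfa: bool = False, totp_code: Optional[str] = None) -> bool:
    """Option 1 (require_mfa=False): proof of email control alone changes the password.
    Option 2 (require_mfa=True): a valid TOTP code is required as well.
    In both cases no session is created and every remember token is revoked."""
    if acct.reset_token_hash is None or now > acct.reset_expires:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), acct.reset_token_hash):
        return False
    if require_mfa and not verify_totp(acct, totp_code, now):
        return False
    acct.password = hash_password(new_password)
    acct.reset_token_hash = None     # single use
    acct.remember_tokens.clear()     # "remember me" cookies no longer log anyone in
    acct.sessions.clear()            # existing sessions must log in again too
    return True                      # caller redirects to the login form, never logs the user in


def login(acct: Account, password: str, totp_code: Optional[str], now: float) -> Optional[str]:
    """Full login: password AND TOTP are both required before a session is issued."""
    if not check_password(password, acct.password) or not verify_totp(acct, totp_code, now):
        return None
    sid = secrets.token_urlsafe(16)
    acct.sessions.add(sid)
    return sid


def demo(require_mfa: bool) -> dict:
    """Constructed scenario: an attacker controls the mailbox but not the TOTP app."""
    now = 1_700_000_000.0
    seed = b"constructed-totp-seed"  # placeholder seed for the example only
    acct = Account("alice@example.com", hash_password("correct horse"), seed)
    acct.remember_tokens.add("remember-cookie-on-laptop")
    token = start_password_reset(acct, now)                     # lands in the hijacked mailbox
    attacker_reset = complete_password_reset(acct, token, "attacker-pw", now, require_mfa)
    attacker_session = login(acct, "attacker-pw", None, now)    # no TOTP code, so no session
    tokens_left = len(acct.remember_tokens)
    if require_mfa:   # option 2: the reset was refused, so the real password still works
        user_session = login(acct, "correct horse", totp(seed, now), now)
    else:             # option 1: the real user resets again, then completes a full login
        token = start_password_reset(acct, now)
        complete_password_reset(acct, token, "new horse", now)
        user_session = login(acct, "new horse", totp(seed, now), now)
    return {"attacker_reset": attacker_reset, "attacker_session": attacker_session,
            "remember_tokens_after": tokens_left, "user_logged_in": user_session is not None}
```

Running `demo(False)` and `demo(True)` shows the property the tip is after: under option 1 the attacker does get the password changed but never a session, and the laptop's remember token is gone; under option 2 the reset is refused outright. In both cases the legitimate user, who has the TOTP app, logs in normally.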
Oh, and don't bother with Security Questions. They are either easily guessable/phish-able (i.e. first pet, mother's maiden name, etc.), or something you need to remember - like Recovery Codes - that you'll forget in a week.
Found this security tip useful?
Subscribe now to get weekly Security Tips straight to your inbox, filled with practical, actionable advice to help you build safer apps.
Want to learn more?
Upgrade to a Premium Subscription for exclusive monthly In Depth articles, or support my work with a one-off tip or recurring Sponsorship! Your support directly funds my security work in the Laravel community.
Need a second set of eyes on your code?
Book in a Laravel Security Audit and Penetration Test today! I also offer budget-friendly Security Reviews.
Finally, connect with me on Bluesky, or other socials, and check out Practical Laravel Security, my interactive course designed to boost your Laravel security skills.