Timed code passwordRecovery

Post here your suggestions for new possible features in SmartFoxServer 2X.

Moderators: Lapo, Bax

moccha
Posts: 112
Joined: 13 Feb 2014, 16:09

Timed code passwordRecovery

Postby moccha » 25 May 2021, 15:54

Hello,

I'm close to wrapping up my login code using LoginAssistant and SignupAssistant and want to purchase a license, but there is a strong need for a more secure password recovery mechanism for me.

RecoveryMode.SEND_OLD is very insecure and should never be used. The client's email is never a safe place for a plaintext password to reside. RecoveryMode.GENERATE_NEW is better, but still shares the same problem as the first and also can be used to lock a player out of their own account.

I would like to see a server-side RecoveryMode.TEMPORARY_CODE. The system would send the user a timed verification code to their email. Preferably with a configurable expiration time (in minutes) and a variable code length. If that's too complicated, sending a 6-digit code that expires in one hour would be a good base. The user can only try to recover using the code a few times before the code is erased and they must resubmit a new code. It could be easy to implement since there is already code in place to send an activation code. Perhaps it could even reuse the database field?

As it stands, is there a way to run custom code when a user requests a password reset using the SignupAssistant ($SignUp.Recover)?
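One way the proposed RecoveryMode.TEMPORARY_CODE could look on the server side, as an added example that is not part of this thread or of SmartFoxServer 2X: an in-memory store of single-use, expiring numeric codes with a bounded guess count, in plain Java. Class and method names are hypothetical, and a real extension would persist the code (ideally hashed) in the database rather than in a map.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical helper: timed, single-use recovery codes with a limited number of attempts. */
public class TemporaryCodeRecovery {
    private static final SecureRandom RNG = new SecureRandom(); // CSPRNG, never java.util.Random

    private static final class Entry {
        final String code; final Instant expiresAt; int attemptsLeft;
        Entry(String code, Instant expiresAt, int attemptsLeft) {
            this.code = code; this.expiresAt = expiresAt; this.attemptsLeft = attemptsLeft;
        }
    }

    private final Map<String, Entry> pending = new ConcurrentHashMap<>(); // keyed by account id
    private final int codeLength; private final Duration ttl; private final int maxAttempts;

    public TemporaryCodeRecovery(int codeLength, Duration ttl, int maxAttempts) {
        this.codeLength = codeLength; this.ttl = ttl; this.maxAttempts = maxAttempts;
    }

    /** Issues a fresh code for the account (replacing any pending one). The caller e-mails it; it is never sent to the client session. */
    public String issueCode(String accountId) {
        StringBuilder sb = new StringBuilder(codeLength);
        for (int i = 0; i < codeLength; i++) sb.append(RNG.nextInt(10)); // uniform decimal digits
        String code = sb.toString();
        pending.put(accountId, new Entry(code, Instant.now().plus(ttl), maxAttempts));
        return code;
    }

    /** Succeeds at most once per issued code; the code is erased on success, on expiry, or after too many wrong guesses. */
    public synchronized boolean verify(String accountId, String submitted) {
        Entry e = pending.get(accountId);
        if (e == null || submitted == null) return false;            // nothing pending for this account
        if (Instant.now().isAfter(e.expiresAt)) { pending.remove(accountId); return false; }
        byte[] expected = e.code.getBytes(StandardCharsets.UTF_8);
        byte[] given = submitted.getBytes(StandardCharsets.UTF_8);
        if (MessageDigest.isEqual(expected, given)) {                // constant-time comparison
            pending.remove(accountId);                               // single use
            return true;
        }
        if (--e.attemptsLeft <= 0) pending.remove(accountId);        // guess budget exhausted: user must request a new code
        return false;
    }

    public static void main(String[] args) {
        TemporaryCodeRecovery recovery = new TemporaryCodeRecovery(6, Duration.ofHours(1), 3);
        String code = recovery.issueCode("player-42");   // constructed sample account id
        recovery.verify("player-42", "000000");          // a wrong guess consumes one of the three attempts
        recovery.verify("player-42", code);              // the correct code is accepted exactly once
    }
}
```

Only after verify returns true should the server let the user set a new final password, which keeps the old password out of e-mail entirely.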
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Timed code passwordRecovery

Postby Lapo » 26 May 2021, 08:32

Hi,
it's an interesting proposal, I think it would be feasible.

RecoveryMode.GENERATE_NEW is better, but still shares the same problem as the first and also can be used to lock a player out of their own account.

1) In the docs we suggest using the GENERATE_NEW mode as a temp password, meaning that a new password is created and sent to the player for their next login. Then you can invite the user to specify a new final password for his/her account.

2) It seems unlikely that this mechanism can be used to lock someone out of their account. For starters you can choose how to identify the requester, e.g. via username, email address or any other field. Using the email address should be secure enough to avoid abuses. Also the confirmation email is sent back to the account's owner, so he/she can't be locked out.

As it stands, is there a way to run custom code when a user requests a password reset using the SignupAssistant ($SignUp.Recover)?

You mean on server side? No.

Cheers
Lapo
--
gotoAndPlay()
...addicted to flash games
moccha
Posts: 112
Joined: 13 Feb 2014, 16:09

Re: Timed code passwordRecovery

Postby moccha » 26 May 2021, 13:48

While using email only could be a good solution, I would still like to provide a way to use email or username since some users may not recall which email they used. Most of the time these attacks are personal, so the abuser typically knows which email their target used. It's unlikely, but I have seen this abuse happen before in multiple different games.

Thank you for considering the request. I think others would appreciate this recovery method if you decide to implement it. It helps future-proof SmartFox even further.

Thanks for all your efforts :)
