Password recovery procedure idea
I was thinking along the following lines:
* Upon account registration you submit one or (preferably) more e-mail addresses of close friends/relatives to the service provider you're registering with.
* If you've lost your password, you click the password reset button. Then two things happen: a) a password recovery link is sent to you and b) an n-digit pin code is sent to your friend(s)' e-mail addresses.
* The names and/or e-mail addresses of said friend(s) are never shown, so it will not be entirely clear to an attacker who to target next (based on social network data he may take a guess though).
* You click the password recovery link and get a form that asks you to enter the n-digit pin.
* You call one of your friends to retrieve the pin code and enter it (optionally, different pins could be sent to different friends to aid forensics in case something goes wrong after all).
This scenario basically shifts the burden of verifying that you are actually you from some random service rep to one of your close friends. There's still a chance that (s)he gets social engineered, but quite probably (s)he has a far higher chance of getting it right than some service rep - besides plain voice recognition it's very hard to convincingly fake the minute details that make up a multi-year real life relationship of any kind. And because a close friend or relative cares for you (I hope ;-) they have a bit of incentive to get it right as well.
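A server-side sketch of the flow described in the post, added here as an illustration (it is not code from the post or from any existing service): one request issues a link token to the user and a different pin to each trusted contact, stores only hashes, and enforces expiry and an attempt limit so the pin cannot be guessed online. The contact addresses, `start_recovery` and `verify_pin` are assumed names.

```python
import hashlib
import hmac
import secrets

PIN_DIGITS = 6          # the "n" in the post's n-digit pin
TTL_SECONDS = 15 * 60   # link and pins expire together
MAX_ATTEMPTS = 5        # bounds online guessing of a 10**PIN_DIGITS space


def _digest(value: str) -> str:
    # Store pins and tokens hashed so a database leak does not expose live recovery secrets.
    return hashlib.sha256(value.encode()).hexdigest()


def start_recovery(user: str, contacts: list[str], now: float):
    """Create one recovery request. Returns (server_state, outbound_mail).

    outbound_mail is what the service would e-mail out: the link token to the
    user and a *different* pin to each trusted contact, so that afterwards the
    record shows which contact's pin completed the reset (assumed design)."""
    link_token = secrets.token_urlsafe(32)
    pins = {c: f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}" for c in contacts}
    state = {
        "user": user,
        "token_hash": _digest(link_token),
        "pin_hashes": {c: _digest(p) for c, p in pins.items()},
        "expires": now + TTL_SECONDS,
        "attempts": 0,
        "completed_by": None,   # forensic record: which contact's pin was used
    }
    outbound = {"user_link_token": link_token, "contact_pins": pins}
    return state, outbound


def verify_pin(state: dict, link_token: str, pin: str, now: float) -> tuple[bool, str]:
    """Check a submitted (link token, pin) pair. Every attempt is counted and a
    reason is returned for logging; the caller never learns which contact
    holds which pin or who the contacts are."""
    if state["completed_by"] is not None:
        return False, "already-used"
    if now > state["expires"]:
        return False, "expired"
    if state["attempts"] >= MAX_ATTEMPTS:
        return False, "locked"
    state["attempts"] += 1
    if not hmac.compare_digest(state["token_hash"], _digest(link_token)):
        return False, "bad-token"
    for contact, pin_hash in state["pin_hashes"].items():
        if hmac.compare_digest(pin_hash, _digest(pin)):
            state["completed_by"] = contact
            return True, "ok"
    return False, "bad-pin"
```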