DEV Community

Discussion on: The Password Struggle

Justin Mancinelli

Even more pricey to change your biometrics if they are compromised

They are great options for extra steps, though.

Security Keys are great because they are hardware and need to be nearby. If you don't have a supported Android phone, there are physical keys you can even hide in jewelry.

tootomthumb

This trail skirts an interesting topic. The use of emails for enrolment and also enrolment flows in general.

Whatever your authentication system, username/password, 2 step systems like SMS texts, Authenticator Apps, SQRL and even MIRACL Trust all have to rely on some onboarding or enrolment to the authentication framework.

That's tightly coupled to the process where the service provider either 1) recognises you have the rights to some account/service or 2) you register for the first time for those rights.

My first point is that the process itself is highly dependent on which of those two cases you address. Many services will be happy to use email enrolment to start with, then the user will go through a KYC process or the user will build value in the account. Once the account is established you have to look at using email as the sole proof VERY carefully.

Even a perfect authentication system (such as MIRACL 😃) can only guarantee that the person who enrolled is the same person who subsequently authenticates. Obviously if the service allows the wrong person to enrol in the first place, then all bets are off. MIRACL's standard SaaS service uses a 2 step email enrolment process, exactly the same user flow as a normal email validation. In the case of a re-enrolment to an existing account I would suggest that before allowing them to re-enrol you have another step, such as an SMS text or a question that only the account holder would know.

The second point is that not all services are equal and one enrolment flow does not fit all circumstances. As an example we have banks who require a physical visit to a branch with identity documents, so an officer of that bank can issue a One Time Password which is then used during the re-enrolment process (re-enrolment because this is almost always against an existing account). Emails are not part of the process. We also have websites with very low value services which allow registration/enrolment with no requirements and re-enrolment with a simple email.

One size does not fit all and emails can play a part under some circumstances. So you need to assess the service and situation, then make sure the technology can support the requirements.
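The flow sketched in the comment above, as an added example that is not part of the original thread and not MIRACL's own code: a two step email enrolment where a new address only needs the emailed link, while re-enrolment to an established account (KYC done or value accrued) also needs an SMS one-time code before the link is accepted. The `Account` model, the 15 minute link lifetime, the three-attempt OTP limit and the in-memory outboxes standing in for a mail sender and SMS gateway are all assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60   # assumption: lifetime of the emailed single-use link
MAX_OTP_ATTEMPTS = 3          # assumption: wrong SMS codes tolerated before the link is voided


@dataclass
class Account:
    email: str
    phone: str | None = None     # needed for the SMS step
    established: bool = False    # True once KYC is done or value has accrued
    credential: str | None = None


class EnrolmentService:
    """Two step email enrolment; re-enrolling an established account also needs an SMS OTP."""

    def __init__(self, clock=time.time):
        self.clock = clock                                 # injectable for expiry tests
        self.accounts: dict[str, Account] = {}
        self.pending: dict[str, dict] = {}                 # sha256(token) -> pending enrolment
        self.outbox_email: list[tuple[str, str]] = []      # constructed stand-in for a mail sender
        self.outbox_sms: list[tuple[str, str]] = []        # constructed stand-in for an SMS gateway

    @staticmethod
    def _digest(secret: str) -> str:
        # only a hash of the link token and of the OTP is stored server side
        return hashlib.sha256(secret.encode()).hexdigest()

    def start(self, email: str) -> bool:
        """Step 1: email a single-use link. Returns True when an SMS code was also required."""
        account = self.accounts.get(email)
        requires_sms = account is not None and account.established
        entry = {
            "email": email,
            "expires": self.clock() + TOKEN_TTL_SECONDS,
            "requires_sms": requires_sms,
            "otp_digest": None,
            "otp_attempts": 0,
        }
        if requires_sms:
            if not account.phone:
                raise ValueError("established account has no phone; use another second step")
            otp = f"{secrets.randbelow(10**6):06d}"
            entry["otp_digest"] = self._digest(otp)
            self.outbox_sms.append((account.phone, otp))
        token = secrets.token_urlsafe(32)
        self.pending[self._digest(token)] = entry
        self.outbox_email.append((email, token))
        return requires_sms

    def complete(self, token: str, new_credential: str, otp: str | None = None) -> bool:
        """Step 2: redeem the link (plus the OTP when required). Returns True on success."""
        key = self._digest(token)
        entry = self.pending.get(key)
        if entry is None:
            return False                      # unknown, already used, or voided
        if self.clock() > entry["expires"]:
            del self.pending[key]
            return False                      # expired link
        if entry["requires_sms"]:
            if otp is None:
                return False                  # the link alone is not enough for an established account
            entry["otp_attempts"] += 1
            if not hmac.compare_digest(self._digest(otp), entry["otp_digest"]):
                if entry["otp_attempts"] >= MAX_OTP_ATTEMPTS:
                    del self.pending[key]     # too many guesses: the link is voided
                return False
        del self.pending[key]                 # single use
        account = self.accounts.setdefault(entry["email"], Account(email=entry["email"]))
        account.credential = new_credential
        return True


if __name__ == "__main__":
    svc = EnrolmentService()
    svc.start("alice@example.com")                      # new account: email only
    _, link = svc.outbox_email[-1]
    print("first enrolment:", svc.complete(link, "cred-1"))
    acct = svc.accounts["alice@example.com"]
    acct.established, acct.phone = True, "+15550100"    # account has since built value
    svc.start("alice@example.com")                      # re-enrolment: email + SMS
    _, link = svc.outbox_email[-1]
    _, code = svc.outbox_sms[-1]
    print("link alone:", svc.complete(link, "cred-2"))
    print("link + OTP:", svc.complete(link, "cred-2", otp=code))
```

The policy decision lives in `start`: it is the account's state, not the channel, that decides how much proof re-enrolment needs, which is the "one size does not fit all" point. A bank-style flow would swap the SMS step for an OTP issued in branch, and a low-value site would never set `established`.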