Today at work, I've been facing an issue:
The client wants a way to reset users' passwords for a web application. Classic.
For context, there is already a mechanism for every user to reset their password by receiving a unique link by email.
However, he wants a way to choose the user's password when they ask to reset it through the support center (over the phone).
The client argues that some of his clients, not tech people, have trouble using this mechanism, or that email is not a reliable way to reset a password (delays, possible loss of the email when sending it, the user being unable to access their mailbox...). He also adds that his clients have money, and when something goes wrong and they can't access their account, he wants to provide them a way to allow an immediate login.
From my perspective, this involves some downsides:
- The probability that the user will change their password after getting one is close to 0. Or, as the client said, if they are not tech people, they will always call the support center asking for another password reset.
- This will overload the support center and make it less available for real requests.
- The user's password is no longer known only by the user himself/herself; now at least both the admin/support center and the user know it. I'm attached to users' privacy, so this is a big one for me. I would not like to use a system where an admin can change my password as he likes (of course, an admin can always change a password if he accesses the database, runs a custom script on the server or whatever, but this should not be a feature).
- If for any reason a bug allows running this unauthenticated, all users' accounts are compromised. This would not be possible if this feature had not been requested.
One alternative could be to generate a one-time login link and give it to the client, so they can log in and change their password (exactly the pattern of the initial password reset, except we don't send it by email), but as I said, the support center works over the phone, and asking a user to enter a 64-character random string to log in is not very convenient and will certainly lead to typos.
Also, as I said:
"He also adds that his clients have money, and when something goes wrong and they can't access their account, he wants to provide a way to allow an immediate connection."
From my perspective, it is precisely because his users have money that security should not be optional and we should reduce the risk of their private data being accessible. Not the opposite.
Am I the only one wondering why this request? What do you think about it? Is there an alternative I could offer my client? Or at least other arguments to convince him that this is not a good idea?
Or, on the contrary, is this request perfectly fine and I am being too paranoid?
Thanks a lot for reading, I'm looking forward to reading your answers! Apologies for my English, I'm not a native speaker.
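The post's own alternative, a one-time login handed over during the call, can be made phone-friendly without letting the support center pick the password. The code below is an added example (mine, not code from the original post or from the application it describes): a short, single-use code from a confusion-free alphabet that an agent reads out, with an expiry, an attempt limit, and only a keyed hash of the code kept server-side. The in-memory store, the alphabet, the 10-minute lifetime and the 5-guess limit are assumptions chosen for illustration.

```python
# Added example (not from the original post): a short, single-use login code
# that a support agent can read over the phone, as an alternative to letting
# the support center set the user's password. The in-memory store, code
# alphabet, lifetime and attempt limit are assumptions for illustration.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Alphabet without easily confused characters (no 0/O, 1/I/L), so the code
# survives being read aloud and typed by a non-technical caller.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"
CODE_LEN = 8          # 31**8 ~ 8.5e11 possibilities; ample with an attempt limit
TTL_SECONDS = 600     # the code must be used within 10 minutes of the call
MAX_ATTEMPTS = 5      # wrong guesses before the code is discarded


@dataclass
class PendingCode:
    digest: bytes       # keyed hash of the code, never the code itself
    expires_at: float
    attempts: int = 0


# Pending codes keyed by user id (assumption: a database table in practice).
_pending: Dict[str, PendingCode] = {}


def _digest(user_id: str, code: str, server_key: bytes) -> bytes:
    """Keyed hash of (user, code): a leaked table cannot be turned back into
    usable codes without the server key."""
    return hmac.new(server_key, f"{user_id}:{code}".encode(), hashlib.sha256).digest()


def issue_code(user_id: str, server_key: bytes, now: Optional[float] = None) -> str:
    """Create a fresh code for the user, to be called only after the agent has
    verified the caller by whatever out-of-band process the business requires.
    Returns the code in two groups for reading aloud; only its digest is stored."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
    _pending[user_id] = PendingCode(_digest(user_id, code, server_key), now + TTL_SECONDS)
    return f"{code[:4]}-{code[4:]}"


def normalise(typed: str) -> str:
    """Accept what a caller is likely to type: lowercase, spaces, dashes."""
    return typed.strip().upper().replace("-", "").replace(" ", "")


def redeem_code(user_id: str, typed: str, server_key: bytes,
                now: Optional[float] = None) -> bool:
    """Return True exactly once for the right code within its lifetime.
    On success the application should open a session that can do nothing but
    set a new password, so the agent never learns the password itself."""
    now = time.time() if now is None else now
    entry = _pending.get(user_id)
    if entry is None:
        return False
    if now > entry.expires_at:
        del _pending[user_id]          # expired: the user has to call again
        return False
    entry.attempts += 1
    if entry.attempts > MAX_ATTEMPTS:
        del _pending[user_id]          # too many guesses: start over with a new call
        return False
    ok = hmac.compare_digest(entry.digest, _digest(user_id, normalise(typed), server_key))
    if ok:
        del _pending[user_id]          # single use
    return ok


if __name__ == "__main__":
    key = secrets.token_bytes(32)      # assumption: loaded from server config in practice
    shown = issue_code("alice", key)
    print("agent reads out:", shown)
    print("typed back lowercase with a space:",
          redeem_code("alice", shown.lower().replace("-", " "), key))
    print("replay attempt:", redeem_code("alice", shown, key))
```

The agent still has to verify who is calling, exactly as they would before setting a password, but the code is worth nothing after one use or ten minutes, five wrong guesses burn it, and the session it opens only allows choosing a new password. That keeps the final password known to the user alone, which addresses the privacy point above, and a bug in this endpoint exposes a short-lived code rather than a way to set any account's password.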