You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
For forgot and passwordless login - add 2FA via SMS/google authenticator to augment the email link.
Much of the SMS framework is available from the 2FA work that was added.
For change password - require fresh login.
Also - NIST doesn't recommend email for things like this:
5.1.3.1 Out-of-Band Authenticators
For forgot and passwordless login - add 2FA via SMS/google authenticator to augment the email link.
Much of the SMS framework is available from the 2FA work that was added.
For change password - require fresh login.
Also - NIST doesn't recommend email for things like this:
5.1.3.1 Out-of-Band Authenticators
Also - read: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x11-V2-Authentication.md
2.5.6 and V2.7
Other info:
Box - doesn't require any 2FA for either change password or forgot password. (uses email for forgot password).
The text was updated successfully, but these errors were encountered: