- Collect identity information or security questions.
On the first page of a secure forgot-password flow, ask the user to enter at least the identity information they provided at registration. At a minimum, you should already have collected data that lets you send password-recovery information to the user through a channel such as SMS or email.
- Check security questions.
After the first step, check whether the data submitted in the first form is valid. If any field is incorrect or the username is not found, show the user a generic page stating that the submitted data is invalid. If all the fields submitted in the first form are correct, show at least two of the security questions you collected from the user during registration. Use an HTML form to submit the requested information; do not present the answers in a drop-down menu. Do not pass a username or user ID to this page as a parameter (hidden or otherwise): the username should be kept in the server-side session and read from there when needed. Because the answers to common security questions (What is your favourite sport? In what city were you born? What is your favourite colour?) are usually public, limit the number of guesses and lock the user's account for a while if the number of attempts exceeds a threshold (3 to 5 tries).
- Send a token through one of the communication channels.
Lock the user account immediately after the second step. Then send the user a code of 8 digits or more via email or SMS. This introduces an out-of-band channel and increases account security: if an attacker manages to get through steps one and two, it is unlikely that they will also be able to pass this stage. Also set an expiration time for the code you send, for example 10 minutes. This way, if the attacker is not near the user or the user's email is compromised later, the code will have expired after 10 minutes and will no longer be valid for password recovery. Naturally, once the password has been recovered, the code must no longer be valid.
- Let the user change their password.
This step requires the code sent in step 3. Show the user an HTML page with fields for the code they received, a new password, and a confirmation of the new password. Check that the submitted code is correct and that the new password meets all of your site's complexity requirements and policies. As before, do not send the username with the form; read it from the server-side session. Finally, it is very important to check that the user cannot reach this step without having gone through steps 1 and 2. Make sure the user actually changes their password and cannot navigate to other pages of the website first: the password recovery must be completed before anything else.
- It is very important to keep a record of password-change requests: whether the security questions were answered correctly, when the code was sent to the user, and when the user entered it. The number of incorrect answers to security questions and any use of expired codes are especially important. Data such as time, IP address, and browser information can help identify the attacker.
- Once the password recovery has succeeded, all other active sessions and tokens must be invalidated. Note that the current session is already authenticated and does not need to log in again.
- The difficulty of the questions asked should depend on the user: questions for administrators should be harder.
- In an ideal implementation, you should rotate the questions asked. For example, display one of the questions at a time
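As an added illustration of the server-side state the four steps require (this is example code written here, not code from the original page), the hypothetical Python `RecoveryFlow` object below is meant to live in the server-side session: it gates each step on the previous one, counts wrong answers and locks after the threshold, stores only a hash of a single-use code with a 10-minute expiry, and records audit events. The `expected` answers, the `clock` parameter and the length-only password `policy` are stand-ins for whatever the real site uses.

```python
import hashlib, hmac, secrets, time

CODE_DIGITS = 8     # page: a code of 8 digits or more
CODE_TTL = 600      # page: the code expires after 10 minutes
MAX_ATTEMPTS = 5    # page: lock the account after 3 to 5 wrong answers

class RecoveryFlow:
    def __init__(self, username, clock=time.time):
        self.username, self.clock = username, clock   # kept in the server-side session
        self.step, self.failed = 2, 0                  # step 1 (identity) passed; 0 = locked
        self.code_hash, self.code_expires = None, 0.0
        self.events = []                               # audit log: (timestamp, event)

    def check_questions(self, answers, expected):
        # Step 2: every answer must match; failures are counted and lock the flow at
        # MAX_ATTEMPTS. On success the out-of-band code is issued and returned
        # (for the SMS/email sender, never for the browser); otherwise None.
        if self.step != 2:
            return None
        ok = len(answers) == len(expected) and all(
            hmac.compare_digest(a.strip().lower().encode(), e.strip().lower().encode())
            for a, e in zip(answers, expected))
        if not ok:
            self.failed += 1
            self.step = 0 if self.failed >= MAX_ATTEMPTS else 2
            self.events.append((self.clock(), "locked" if self.step == 0 else "question_failed"))
            return None
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self.code_hash = hashlib.sha256(code.encode()).hexdigest()   # never store plaintext
        self.code_expires, self.step = self.clock() + CODE_TTL, 3
        self.events.append((self.clock(), "code_sent"))
        return code

    def check_code(self, code):
        # Gate to step 4: the code must be unexpired, correct and not yet used.
        if self.step != 3 or self.clock() > self.code_expires or not hmac.compare_digest(
                hashlib.sha256(code.encode()).hexdigest(), self.code_hash):
            self.events.append((self.clock(), "code_rejected"))
            return False
        self.code_hash, self.step = None, 4    # single use: invalid after success
        self.events.append((self.clock(), "code_ok"))
        return True

    def set_password(self, new, confirm, policy=lambda p: len(p) >= 12):
        # Step 4: only reachable after steps 2 and 3 succeeded; ends the flow.
        if self.step != 4 or new != confirm or not policy(new):
            return False
        self.step = 5
        self.events.append((self.clock(), "password_changed"))
        return True
```

Any request that arrives out of order (for example a code submitted before the questions were answered) is refused and logged, which is the check the text asks for before the password-change page is shown.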