As part of my drive to have just one password I wanted to change the password on my account. EE have a nice website and the process was quite straightforward. The outcome however was quite shocking. Let’s take a look at why.
The workflow EE adopt appears on the surface to make sense, and it’s broken into a series of steps.
Step 1: Who are you?
First EE captures your account name and adds a CAPTCHA to verify a human is requesting the password reset. For a mobile phone account (they also do broadband, etc.) this is your mobile telephone number.
OK, this seems fine. They need to be able to find our account to reset our password. The CAPTCHA provides a little more security.
Step 2: Secure question
Next we’re asked for the answer to the secret question we answered when we first created the account.
Again, this seems fine. It makes sense to ask for some additional data that both you and your provider know, to further ensure you are who you say you are.
Step 3: Reset password
Reset password? Eh? I was expecting to put my registered e-mail address in so they could send a secure reset link. Instead I’m greeted with this:
Step 4: What the ???
And sure enough I can enter a new password and it’s saved against my account:
So what’s the problem?
I’m sure you see where I’m going with this one, but just in case:
- I login with my mobile telephone number - it’s not like everyone in my contacts list knows what this is … oh …
- I’m also asked for a CAPTCHA which makes things more secure … oh …
- Fortunately they also ask for a secret question - nobody is going to know the answer to that … except anyone on Facebook … oh …
So what’s the solution?
The solution is quite simple:
- Take me through the existing steps, but send me a secure password reset link.
- Only allow the reset link to be used once.
- Expire it after 2 hours if it hasn’t been used.
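The three points above, sketched as an added Python example (not EE's code): the server keeps only a hash of the token it e-mails, the link is consumed on first successful use, and an unused link stops working after two hours. The in-memory store and the link format are assumptions.

```python
import hashlib
import hmac
import secrets

RESET_LINK_TTL_SECONDS = 2 * 60 * 60   # expire unused links after 2 hours

# Constructed in-memory store: account -> (sha256 of token, expiry time).
# A real deployment would keep this in the database next to the account.
_pending_resets: dict = {}


def _digest(token: str) -> str:
    # Keep only a hash server-side so a leaked store does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(account: str, now: float) -> str:
    """Create a single-use token for `account`; the caller e-mails the link.

    Issuing a new token replaces any earlier one, so only the latest link works.
    """
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    _pending_resets[account] = (_digest(token), now + RESET_LINK_TTL_SECONDS)
    return token


def redeem_reset_token(account: str, token: str, now: float) -> bool:
    """Return True exactly once for a valid, unexpired token; False otherwise."""
    entry = _pending_resets.get(account)
    if entry is None:
        return False
    stored_digest, expires_at = entry
    if now >= expires_at:
        _pending_resets.pop(account, None)     # stale link: discard it
        return False
    if not hmac.compare_digest(stored_digest, _digest(token)):
        return False                            # wrong token; pending one stays
    _pending_resets.pop(account, None)          # consume it: the link works once
    return True


def reset_link(base_url: str, account: str, token: str) -> str:
    # Hypothetical link format: the token travels in the URL, only its hash is stored.
    return f"{base_url}/reset?account={account}&token={token}"
```

Note that a wrong guess does not invalidate the pending link, but rate limiting on the redeem endpoint is still needed; the 256-bit token makes guessing impractical on its own.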