Poor password reset workflow @ee

Like pretty much everyone these days I have a mobile phone. My network provider is currently Orange Everything Everywhere (EE) in the UK.

As part of my drive to have just one password I wanted to change the password on my account. EE have a nice website and the process was quite straightforward. The outcome however was quite shocking. Let’s take a look at why.

The workflow EE adopt appears on the surface to make sense, and it’s broken into a series of steps.

Step 1: Who are you?

First EE captures your account name and adds a CAPTCHA to verify a human is requesting the password reset. For a mobile phone account (they also do broadband, etc.) this is your mobile telephone number.

username capture

OK, this seems fine. They need to be able to find our account to reset our password. The CAPTCHA provides a little more security.

Step 2: Secure question

Next we’re asked for the answer to the secret question we answered when we first created the account.

security question capture

Again, this seems fine. It makes sense to ask for some additional data that both you and your provider know, to further ensure you are who you say you are.

Step 3: Reset password

Reset password? Eh? I was expecting to put my registered e-mail address in so they could send a secure reset link. Instead I’m greeted with this:

new password capture

Step 4: What the ???

And sure enough I can enter a new password and it’s saved against my account:

password change confirmation

So what’s the problem?

I’m sure you see where I’m going with this one, but just in case:

  • I login with my mobile telephone number - it’s not like everyone in my contacts list knows what this is … oh …
  • I’m also asked for a CAPTCHA which makes things more secure … oh …
  • Fortunately they also ask for a secret question - nobody is going to know the answer to that … except anyone on facebook … oh …

So what’s the solution?

The solution is quite simple:

  1. Take me through the existing steps, but send me a secure password reset link.
  2. Only allow the reset link to be used once.
  3. Expire it after 2 hours if it hasn’t been used.
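As an added example (not code from the post or from EE), here is the reset flow those three steps describe: a random token goes into the e-mailed link, only its hash is stored, it can be redeemed once, and it dies two hours after issue. The account identifier, clock values and in-memory storage are constructed for illustration; a real deployment would back them with a database and the clock.

```python
import hashlib
import secrets
from dataclasses import dataclass

RESET_TTL_SECONDS = 2 * 60 * 60   # step 3: link expires after 2 hours


def _hash(value: str) -> str:
    # Store only a hash of the token, so a leaked table cannot be replayed as links.
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class ResetRecord:
    account: str
    expires_at: int      # unix time, seconds
    used: bool = False


class ResetService:
    """Single-use, time-limited reset tokens. In-memory dicts stand in for a database."""

    def __init__(self) -> None:
        self._tokens: dict[str, ResetRecord] = {}              # token hash -> record
        self._passwords: dict[str, tuple[bytes, bytes]] = {}   # account -> (salt, pbkdf2)

    def issue(self, account: str, now: int) -> str:
        # Issuing a fresh link voids any earlier outstanding link for the same account.
        self._tokens = {h: r for h, r in self._tokens.items() if r.account != account}
        token = secrets.token_urlsafe(32)                      # 256 bits of randomness
        self._tokens[_hash(token)] = ResetRecord(account, now + RESET_TTL_SECONDS)
        return token                                           # only ever sent in the link

    def redeem(self, token: str, new_password: str, now: int) -> bool:
        rec = self._tokens.get(_hash(token))
        if rec is None or rec.used or now >= rec.expires_at:
            return False                                       # unknown, spent, or expired
        rec.used = True                                        # step 2: one use only
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
        self._passwords[rec.account] = (salt, digest)          # never store the plaintext
        return True

    def verify_password(self, account: str, password: str) -> bool:
        if account not in self._passwords:
            return False
        salt, digest = self._passwords[account]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        return secrets.compare_digest(candidate, digest)
```

The point of the token hash and the `used` flag is that neither the mailbox nor the database alone is enough to change the password twice.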

Alternatively there’s this new thing called 2-step verification where your provider can SMS a unique code to your mobile phone. I wonder if EE has the facility to send SMS messages … oh.

Posted in: security, rants
