Your digital security is as strong as your weakest recovery email

Update (Aug 11, 2020): This post has been the #1 post on /r/netsec for the last 15 hours or so. Follow the discussion in /r/netsec here and in /r/cybersecurity here.

A couple weeks ago, I read Martin Casado’s blog post about a16z funding a new startup called Material Security.

Reading his post led me to reflect on how direly personal digital security needs improvement.

Popular vs real mental model

You see, most people have a mental model of their digital security like this:

  • I have many separate digital accounts

But here’s reality:

  • I have many separate digital accounts

What does this mean?

This means your level of digital security is only as high as the level of your primary email account’s security.

Think about that. You’ve bought a password manager, you religiously generate 15+ character passwords, you’ve enabled 2FA wherever you can, maybe you’ve even bought a hardware security key.

But it doesn’t matter. Not if your email is hacked.

Second order password resets

Now, you may be thinking: “I have many accounts where I don’t provide my email address. I log in with a third party identity provider, like Facebook or GitHub.”

That’s fair. Unfortunately, if an attacker hacks your email, they can reset your Facebook password. Then they can log into any app you sign in to with Facebook.

Weakest recovery email

Any system is only as secure as its most vulnerable path. In the case of email, you may think that “I have 2FA enabled on my email account, so I am secure.”

But keep in mind that your email account’s password, too, can be reset — if the attacker hacks your recovery email.

  • Do you have 2FA enabled on your recovery email?

Your level of digital security is only as strong as the level of your weakest recovery email account’s security.

And how secure is your weakest recovery email, really?

  • Do you know that it exists?

What can be done?

The core problem is that online services need to let users reset their passwords self-serve.

But how do you verify a user’s identity if they don’t have the thing you were using to verify them with (their password)?

So, online services assume that only you can access your email account, and send a reset code or URL to your email account.

Two ways we can tackle this:

  • Online services stop relying on your email account for verification
  • Prevent an attacker from accessing password reset emails

Online services stop relying on your email account

Online services could give you a setting to disable password resets.

Or what if we supplemented email with another layer of verification? What if online services had a setting where the user must authenticate with a TOTP code, an MFA push, a hardware security key, or a special password before requesting a password reset?

Or what if we didn’t use email at all as a verification method? Could we design a long set of hard-to-guess security questions to fill this role? What if we let users present an electronic notary seal to an online service as proof of identity?

Prevent an attacker from accessing password reset emails

“Password Resets” Gmail tab

Just as Gmail divides your email into Social, Promotions, Updates, and Forums, it could add another tab for “Password Resets”.

To access this tab, the user must authenticate with a TOTP code, an MFA push, a hardware security key, or a special password.

If you’re really paranoid, you’d set this up so your two factors for authentication and your one factor for accessing your password reset emails are all unique.

For example, you might do password (what you know) and phone (what you have) for authentication and a special password — which you write down on paper and store in a safe — for accessing your password reset emails (also what you have).

Replacing password reset emails in inbox

Just based on reading their website, Material Security seems to take the approach of automatically identifying password reset emails in your inbox and forcing you to accept an MFA push before viewing a password reset email.

I’d be interested in learning how they replace emails in your inbox, and whether they mask password reset emails’ subject lines. After all, many sites (including Facebook) include your recovery code in the subject line.

Crowdsourced thoughts

After I published this post, a few people offered me their thoughts on this problem, which I thought I’d share.

  • Have a dedicated recovery email, with a hard-to-guess username, that you don’t use anywhere else. Set this to be the recovery email for all your email accounts (Dino Dai Zovi)
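As an added example (my own illustration, not code from this post or from Material Security), the recovery-chain argument above as a small Python model: each account points at the mailboxes or identity providers that can reset it, and `weakest_link` walks those edges transitively to report the weakest account an attacker could start from. The account names and flags are constructed; `inbox_gated` stands for the “Password Resets” tab idea, `reset_gated` for the reset-time second-factor setting, and `DEDICATED` applies Dino Dai Zovi’s dedicated-recovery-email suggestion.

```python
from dataclasses import dataclass, field

LEVEL = {False: 1, True: 2}  # 1 = password only, 2 = password plus a second factor

@dataclass
class Account:
    mfa: bool                  # second factor enforced at login
    reset_gated: bool = False  # a second factor is needed before this account's own password can be reset
    inbox_gated: bool = False  # reset emails delivered here need a second factor to read ("Password Resets" tab)
    resets_via: list[str] = field(default_factory=list)  # mailboxes / identity providers that can reset this one

def weakest_link(accounts: dict[str, Account], name: str, path: tuple[str, ...] = ()) -> tuple[int, str]:
    """Weakest (level, account) on any recovery chain that ends at `name`.
    Follows recovery-email and "sign in with" edges transitively and stops at a
    gated reset, at a gated inbox, or when the chain loops back on itself."""
    acct = accounts[name]
    best = (LEVEL[acct.mfa], name)
    if acct.reset_gated or name in path:
        return best
    for up in acct.resets_via:
        if accounts[up].inbox_gated:
            cand = (LEVEL[True], up)  # the extra factor is needed to read the reset mail there
        else:
            cand = weakest_link(accounts, up, path + (name,))
        if cand[0] < best[0]:
            best = cand
    return best

def report(accounts: dict[str, Account]) -> dict[str, tuple[int, str]]:
    return {n: weakest_link(accounts, n) for n in accounts}

# Constructed sample, not real accounts: a well-defended user whose primary
# mailbox still recovers to a forgotten, password-only address.
SAMPLE = {
    "bank":         Account(mfa=True, resets_via=["primary-mail"]),
    "photo-app":    Account(mfa=False, resets_via=["facebook"]),  # "Sign in with Facebook"
    "facebook":     Account(mfa=True, resets_via=["primary-mail"]),
    "primary-mail": Account(mfa=True, resets_via=["old-mail"]),
    "old-mail":     Account(mfa=False),                           # the forgotten recovery email
}
# Dino Dai Zovi's suggestion: one dedicated, MFA-protected recovery mailbox used nowhere else.
DEDICATED = {**SAMPLE, "recovery-only": Account(mfa=True),
             "primary-mail": Account(mfa=True, resets_via=["recovery-only"])}
# The "Password Resets" tab: reading reset mail in the primary mailbox needs a second factor.
GATED_INBOX = {**SAMPLE, "primary-mail": Account(mfa=True, inbox_gated=True, resets_via=["old-mail"])}
# The provider-side setting: resetting the primary mailbox's own password needs a second factor.
GATED_RESET = {**SAMPLE, "primary-mail": Account(mfa=True, reset_gated=True, resets_via=["old-mail"])}

if __name__ == "__main__":
    print(report(SAMPLE), report(DEDICATED), report(GATED_INBOX), report(GATED_RESET), sep="\n")
```

Note that the gated inbox protects the bank account but leaves the primary mailbox itself reachable through the forgotten address, whereas the dedicated recovery mailbox and the gated reset close that path too.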

Written by

software engineer at OpsRamp, ex-incident response consultant at Mandiant
