XF 2.2 Question about the 2FA process in XF

Ludachris

Well-known member
We're using an add-on from Xon called Password Tools. If a member has a password that is determined to be too weak, the system automatically enables 2FA for their account. When the user tries logging in next, they are told: "An email has been sent to {email} with a single-use code. Please enter that code to continue" (the XF phrase displays their account email address). Half the time, the members have an email address on file that they no longer use or even have access to, so I'll get an email from them saying that they can't get into their account.

My question is this: what is preventing a hacker who has been able to get into that user's account through the weak password from acting as that member and contacting the admin to have the email address on file updated, and completely taking over that member's account?

To prevent this, I was thinking that maybe instead of displaying the email address on file in the phrase, we could display only a partial email address, so that the member has to contact the admin and confirm the full email address. Or maybe the user can be taken to a change email form where they can confirm the old email address on file before they can enter a new one, then they can have the single-use code resent.

Would any of those solutions be possible?
 
My question is this: what is preventing a hacker who has been able to get into that user's account through the weak password from acting as that member and contacting the admin to have the email address on file updated, and completely taking over that member's account?
Nothing.

To prevent this, I was thinking that maybe instead of displaying the email address on file in the phrase, we could display only a partial email address, so that the member has to contact the admin and confirm the full email address.
XenForo 2.2.13+ will not show the full email address - but even knowing the full email address of an account doesn't mean it's the legit account owner.

To be sure you would have to verify ownership via other methods.
If you can't verify account ownership otherwise, and if you take security seriously, this essentially means it can't be used by anyone any longer.
 
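As an added example (not XenForo's code, not the Password Tools add-on's, and not necessarily the scheme XenForo 2.2.13+ uses), here is one way to mask an address for the single-use-code prompt and to run the "confirm the old address first" step proposed above. The mask uses a fixed width so the prompt leaks neither the rest of the address nor its length; the confirmation compares in constant time but, as the reply points out, only shows the requester knows the address, not that they control the mailbox. Function names are my own.

```python
import hmac
import unicodedata

MASK = "***"  # fixed width: the masked form must not leak segment lengths


def mask_email(address: str, keep: int = 1) -> str:
    """Mask an address for display in a 2FA / account-recovery prompt.

    Keeps the first `keep` character(s) of the local part and of each domain
    label except the last (the TLD is shown in full); everything else becomes
    a fixed-width mask. Input that does not look like local@domain is masked
    entirely rather than echoed back to the screen.
    """
    if address.count("@") != 1:
        return MASK
    local, domain = address.split("@")
    labels = domain.split(".")
    if not local or len(labels) < 2 or any(not lbl for lbl in labels):
        return MASK

    def hint(segment: str) -> str:
        # Too short to keep a prefix without revealing most of the segment.
        if len(segment) <= keep:
            return MASK
        return segment[:keep] + MASK

    masked_labels = [hint(lbl) for lbl in labels[:-1]] + [labels[-1]]
    return hint(local) + "@" + ".".join(masked_labels)


def normalize_email(address: str) -> str:
    """Canonicalize before comparing so case and stray whitespace don't matter."""
    return unicodedata.normalize("NFKC", address).strip().lower()


def confirms_address_on_file(candidate: str, on_file: str) -> bool:
    """Constant-time check of a user-typed address against the one on file.

    This is the 'confirm the old address before changing it' step from the
    thread. Passing it proves knowledge of the address only, so it must not
    replace actually delivering the single-use code to that mailbox.
    """
    return hmac.compare_digest(
        normalize_email(candidate).encode(), normalize_email(on_file).encode()
    )
```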