
Do not use SMS for password reset

Some institutions use SMS as a communication channel to the user to perform password reset.

For example, an IdP that knows a user's mobile phone number can send that user an SMS text message containing a new password when the user (through some self-service portal) indicates that he or she has forgotten the original password. If that same phone is also the user's second factor, this degrades the security of the whole login to single-factor authentication: whoever controls the phone obtains both the password and the second factor.

Please note that a second authentication factor like SMS should never be used for password reset in situations where it is also used for additional identity assurance in the context of SURFconext Strong Authentication.
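The following is an added illustration, not code from the original wiki page or from SURFconext. It models an IdP account as the set of channels that can deliver a new password and the set of registered second factors, and computes how many independent user assets an attacker would have to hold to pass both steps. The `Account` model, the factor names and the policy function are assumptions made for this example.

```python
"""Model of how a password-reset channel interacts with a second factor.

Added example (not part of the original page). The Account model and the
policy rule below are assumptions chosen to illustrate the guideline that a
reset channel must not coincide with a registered second factor.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Account:
    """What an IdP knows about one user (constructed for this example)."""
    reset_channels: frozenset   # channels that may deliver a new password
    second_factors: frozenset   # factors required after the password step


def minimal_takeover_sets(acct: Account) -> set:
    """Smallest sets of user assets an attacker would need to control to
    (1) obtain a password via reset and (2) satisfy the second factor.

    Each candidate is the union of one reset channel and one second factor;
    when both are the same asset the union collapses to a single element.
    """
    candidates = {
        frozenset({reset, factor})
        for reset, factor in product(acct.reset_channels, acct.second_factors)
    }
    smallest = min(len(c) for c in candidates)
    return {c for c in candidates if len(c) == smallest}


def effective_factor_count(acct: Account) -> int:
    """Number of independent assets a takeover requires (1 == single factor)."""
    return min(len(s) for s in minimal_takeover_sets(acct))


def reset_channel_is_acceptable(acct: Account, channel: str) -> bool:
    """Policy: a reset channel may not be one of the user's second factors."""
    return channel not in acct.second_factors


def check_reset_policy(acct: Account) -> dict:
    """Evaluate every configured reset channel against the policy."""
    return {ch: reset_channel_is_acceptable(acct, ch) for ch in acct.reset_channels}


# Constructed sample accounts.
SMS_RESET_AND_SMS_2FA = Account(frozenset({"sms"}), frozenset({"sms"}))
EMAIL_RESET_AND_SMS_2FA = Account(frozenset({"email"}), frozenset({"sms"}))
MIXED_RESET_AND_SMS_2FA = Account(frozenset({"sms", "email"}), frozenset({"sms"}))


if __name__ == "__main__":
    for name, acct in [
        ("sms reset + sms 2FA", SMS_RESET_AND_SMS_2FA),
        ("email reset + sms 2FA", EMAIL_RESET_AND_SMS_2FA),
        ("sms/email reset + sms 2FA", MIXED_RESET_AND_SMS_2FA),
    ]:
        print(f"{name}: effective factors = {effective_factor_count(acct)}, "
              f"policy = {check_reset_policy(acct)}")
```

The mixed account shows the weakest-link behaviour: offering e-mail as an additional reset channel does not help while SMS reset remains enabled, because the attacker picks the overlapping path.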
