| 1 | +When building a custom self-service password recovery portal using the WSO2 Identity Server Account Recovery APIs, you must implement strong security controls. |
| 2 | +Secure the flow initiation to prevent unauthorized recovery attempts. Handle one-time passwords (OTP) with strict validation and expiration rules. Protect all Account Recovery portal APIs with rate-limiting mechanisms. |
| 3 | +This guide outlines recommended best practices for designing and deploying such a solution. |
| 4 | + |
| 5 | +1. Add reCAPTCHA to the flow initiation step |
| 6 | + |
| 7 | + - Before sending an OTP or recovery code, require reCAPTCHA verification to block bots and brute-force attempts. |
| 8 | + - Apply reCAPTCHA to: |
| 9 | + - Forgot Password initiation |
| 10 | + - Resend recovery code endpoints |
| 11 | + - reCAPTCHA protects against automated SMS/email flooding and username enumeration. |
| 12 | + |
| 13 | +2. Prevent username enumeration |
| 14 | + |
| 15 | + - Ensure API responses didn't reveal whether an account exists. |
| 16 | + - Use a generic message such as: "If the provided username is valid, an OTP will be sent to the registered email address or phone number." |
| 17 | + - Return the same response for valid and invalid usernames to avoid revealing account existence. |
| 18 | + |
| 19 | +3. Enforce a short OTP or recovery link lifespan |
| 20 | + |
| 21 | + - Set a short validity period for OTP or recovery link (recommended: 1 minute) to reduce risk from interception. |
| 22 | + - A short expiration window significantly reduces exposure. |
| 23 | + |
| 24 | +4. Increase OTP complexity |
| 25 | + |
| 26 | + - Use stronger OTP to resist brute-force and guessing attacks: |
| 27 | + - Use 6–8 digit numeric OTP or alphanumeric OTP. |
| 28 | + - Stronger OTPs increase the difficulty of automated attacks. |
| 29 | + |
| 30 | +5. Implement rate limiting for OTP submission |
| 31 | + |
| 32 | + - Rate limit OTP verification endpoints by IP address. |
| 33 | + - Consider progressive delays or temporary lockouts after repeated failures. |
| 34 | + |
| 35 | +6. Notify users of password recovery attempts |
| 36 | + |
| 37 | + - Notify users when a password recovery flow completes successfully. |
| 38 | + - Include in the notification: |
| 39 | + - A warning if the user didn't initiate the request |
| 40 | + - Recommended steps to secure their account |
| 41 | + - Notifications help users detect unauthorized activity early. |
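Review bot: Item 5 rate-limits OTP verification by IP address only; key the limit on the recovery identifier as well (the OTP or recovery code being verified, or the target account) and invalidate the code after a small number of failed attempts, since an attacker with many source IPs can otherwise try the whole 6-digit space against one code within its validity window, which also makes the "6–8 digit" advice in item 4 meaningful. Two further points: item 2 reads "Ensure API responses didn't reveal whether an account exists" and should read "do not reveal", and the same-response rule should cover HTTP status and response timing, not just the message text; item 6 notifies only when recovery completes, and notifying at initiation as well (with the "if you didn't request this" warning) gives the account owner a chance to react before the reset lands. The 1-minute lifetime recommended in item 3 may be shorter than typical SMS delivery latency; a slightly longer lifetime combined with the per-code attempt cap is the usual trade-off, and the code should be single-use in any case.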