2FA recovery allowed via email - not a good idea


I logged in to the Nebula console recently and saw the announcement about sending 2FA recovery codes via email: Request two-factor authentication recovery code in Nebula – Malwarebytes Business Support

This seems like a bad idea to me. I understand 2FA resets are a pain, but isn't that by design? The point of 2FA (and MFA in general) is that your account is still protected even if someone has your username and password. Allowing a 2FA reset via email creates a huge hole in that assumption. One of the more common ways that someone can get your passwords is by first compromising your email account; if an attacker has access to your email account, they can begin initiating password resets to your other accounts (like the Malwarebytes Nebula console). 2FA would normally protect against this. However, if 2FA can also be reset via email, you are no longer protected from this attack.

Brainstorming alternatives for how a user could get 2FA reset after being locked out:

  • If someone else at my company has access to the Nebula console, they could log in and reset 2FA for my account (similar to initiating a password reset for another account).
  • I could call in to Malwarebytes support and a representative would follow a standardized procedure to verify my identity, then reset my 2FA credential. I realize this doesn't scale well but it is what other companies are doing.
  • Encourage people to save their 2FA recovery code(s) in a safe place when setting up 2FA for the first time. This would prevent lockout in the first place.
  • Encourage the use of Authy, which (if set up correctly) can restore 2FA credentials in a secure manner even if you lose or destroy your phone. This would also prevent lock out.
  • Encourage the use of SSO, so the responsibility of implementing and resetting 2FA credentials lies with the identity provider (e.g. AzureAD) instead of Malwarebytes. You'd still need to implement one of the other alternatives for the non-federated accounts, but this would reduce the number of 2FA reset requests Malwarebytes would have to deal with since they would mostly be handled through an external identity provider.

There is also a discussion on Reddit about this issue: Malwarebytes Nebula now allows 2FA recovery via email. Thoughts? : sysadmin (reddit.com)


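The concern raised in the post above, worked through as an added example (not part of the original post and not Malwarebytes code): a small Python model that computes how many independent things must be compromised before a console session is reachable, with and without an email-based 2FA recovery flow. The asset names and recovery rules are constructed simplifications, not Nebula's actual flows.

```python
from itertools import combinations

# Constructed, simplified model. Each rule: (assets required, asset gained).
PRIMITIVES = ["email_inbox", "password", "saved_recovery_code", "totp_device"]

BASE_RULES = [
    ({"email_inbox"}, "password"),                       # password reset by email
    ({"totp_device"}, "second_factor"),                  # authenticator app code
    ({"saved_recovery_code"}, "second_factor"),          # code stored at enrollment
    ({"password", "second_factor"}, "console_session"),  # normal 2FA login
]
EMAIL_2FA_RECOVERY = ({"email_inbox"}, "second_factor")  # recovery code by email


def reachable(start, rules):
    """Fixed-point closure: every asset obtainable from `start` via `rules`."""
    held = set(start)
    changed = True
    while changed:
        changed = False
        for needs, gives in rules:
            if gives not in held and needs <= held:
                held.add(gives)
                changed = True
    return held


def minimal_compromises(rules, goal="console_session"):
    """Smallest sets of primitive assets whose loss leads to `goal`."""
    for size in range(1, len(PRIMITIVES) + 1):
        hits = [set(c) for c in combinations(PRIMITIVES, size)
                if goal in reachable(c, rules)]
        if hits:
            return hits
    return []


if __name__ == "__main__":
    policies = [
        ("without email 2FA recovery", BASE_RULES),
        ("with email 2FA recovery", BASE_RULES + [EMAIL_2FA_RECOVERY]),
    ]
    for name, rules in policies:
        hits = minimal_compromises(rules)
        print(f"{name}: {len(hits[0])} independent compromise(s) needed")
        for h in hits:
            print("   ", sorted(h))
```

The same closure can be rerun with other recovery rules, such as a reset performed by a second administrator, to check whether a proposed flow keeps the count at two.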
