
assurance - Re: [Assurance] credential renewal or re-issuance


Re: [Assurance] credential renewal or re-issuance


  • From: "Cantor, Scott" <>
  • To: "" <>
  • Subject: Re: [Assurance] credential renewal or re-issuance
  • Date: Mon, 4 Jun 2012 15:17:29 +0000
  • Accept-language: en-US

On 6/4/12 11:05 AM, "Tom Scavo" <> wrote:

>In section 4.2.4.3 ("Credential Renewal or Re-issuance") of the Silver
>IAP, it suggests "A short-lived single use Secret sent to the Address of
>Record that the Subject must submit in order to establish a new
>Authentication Secret," which could be interpreted as using email to
>deliver a short-lived secret for the purposes of password reset. However,
>email-based password reset is vulnerable to a lost or stolen mobile phone
>(since mobile phones invariably have access to all the user's e-mail
>accounts) so I'm wondering how people plan to handle password reset for
>Silver compliance?

I can't imagine that's the most significant security risk to using email
for this, so if you think email's secure enough (I don't), I wouldn't
think a lost phone would be a concern.

Also interested to hear the opinions of others. I expect this could be
another "I don't think it's Silver-quality, but Silver does, so I'll shut
up now" thing.

-- Scott
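The IAP wording quoted above ("a short-lived single use Secret sent to the Address of Record that the Subject must submit in order to establish a new Authentication Secret") describes a mechanism with three properties a verifier has to enforce on its own side, whatever the delivery channel: the secret expires, it can be redeemed only once, and a leaked store must not hand out usable secrets. The following is an added illustration written for this archive page, not code from the list, from the IAP, or from any Silver implementation. The 15-minute lifetime and the five-attempt limit are constructed policy values, and the store is in-memory only; a deployment would persist the digests and deliver the token out of band.

```python
import hashlib
import hmac
import secrets
import time

# Constructed policy values for this example, not figures from the IAP.
TOKEN_TTL_SECONDS = 15 * 60   # short-lived: the secret expires after 15 minutes
MAX_ATTEMPTS = 5              # wrong submissions allowed before the secret is discarded


def _hash(token: str) -> bytes:
    # Store only a digest so a leaked store does not yield usable secrets.
    return hashlib.sha256(token.encode()).digest()


class ResetSecretStore:
    """Tracks one pending short-lived, single-use reset secret per subject."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be exercised in tests
        self._pending = {}             # subject_id -> [digest, expires_at, attempts]

    def issue(self, subject_id: str) -> str:
        """Create a fresh secret for delivery to the subject's Address of Record.
        Re-issuing replaces any earlier secret for the same subject."""
        token = secrets.token_urlsafe(32)           # 256 bits of entropy
        self._pending[subject_id] = [_hash(token), self._clock() + TOKEN_TTL_SECONDS, 0]
        return token

    def redeem(self, subject_id: str, presented: str) -> bool:
        """Return True exactly once, for the correct and unexpired secret."""
        entry = self._pending.get(subject_id)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self._clock() > expires_at:
            del self._pending[subject_id]           # expired: discard
            return False
        if not hmac.compare_digest(digest, _hash(presented)):
            entry[2] = attempts + 1
            if entry[2] >= MAX_ATTEMPTS:
                del self._pending[subject_id]       # too many guesses: discard
            return False
        del self._pending[subject_id]               # single use: consumed on success
        return True


def demo() -> dict:
    """Exercise the store with a fake clock and report the observed outcomes."""
    now = [1_000_000.0]
    store = ResetSecretStore(clock=lambda: now[0])

    token = store.issue("alice")
    wrong_first = store.redeem("alice", "not-the-token")   # mismatch: rejected
    ok_first = store.redeem("alice", token)                # correct: accepted once
    ok_again = store.redeem("alice", token)                # replay: rejected

    stale = store.issue("bob")
    now[0] += TOKEN_TTL_SECONDS + 1
    ok_stale = store.redeem("bob", stale)                  # expired: rejected

    return {"wrong_first": wrong_first, "ok_first": ok_first,
            "ok_again": ok_again, "ok_stale": ok_stale}


if __name__ == "__main__":
    print(demo())
```

The store never compares raw secrets: the presented value is hashed and compared in constant time against the stored digest, and the entry is deleted on success, on expiry, or after too many wrong submissions. None of this addresses the point raised in the thread, which is whether the delivery channel itself is adequate; it only shows what the verifying side must do once a channel has been chosen.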




