Security questions #25

Open
garbados opened this issue Apr 26, 2022 · 0 comments
Labels
enhancement New feature or request

garbados commented Apr 26, 2022

Say you lose your password. ComDB doesn't store your password and can only verify it, so we can't provide it if you lose it. Unless we do store it when asked to, in an encrypted way.

Consider a method such as .addSecurityQuestion(name, question, answer). Using a hash of the answer as a password, we then create a new Crypt instance to encrypt the user's password. This encrypted value and the Crypt instance's export string are then stored in the _local/comdb document like this:

```js
{
  _id: '_local/comdb',
  _rev: '...',
  security_questions: {
    house: {
      question: 'In the house you grew up in, what is buried in the garden?',
      exportString: '...',
      payload: '...'
    }
  }
}
```

A matching db.removeSecurityQuestion(name) would remove the specified security question from _local/comdb.

Thus, a user can retrieve their password by answering exactly any one security question. The user must only ever opt in to this type of password protection!

@garbados garbados added the enhancement New feature or request label Apr 26, 2022
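The scheme proposed in the issue, sketched as an added example that is not part of the original post or of ComDB's code. It assumes Node's built-in `crypto` (scrypt plus AES-256-GCM) as a stand-in for the Crypt class, uses the KDF salt in place of the Crypt export string, and passes the `_local/comdb` document and the password in explicitly; the function signatures are hypothetical.

```javascript
const nodeCrypto = require('node:crypto')

// Stretch the answer into a 256-bit key. scrypt is a stand-in for whatever
// key derivation Crypt performs internally (assumption).
function deriveKey (answer, salt) {
  return nodeCrypto.scryptSync(answer, salt, 32)
}

// Returns a copy of the _local/comdb document with the question added.
function addSecurityQuestion (doc, name, question, answer, password) {
  const salt = nodeCrypto.randomBytes(16)
  const iv = nodeCrypto.randomBytes(12)
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(answer, salt), iv)
  const body = Buffer.concat([cipher.update(password, 'utf8'), cipher.final()])
  const entry = {
    question,
    // Stand-in for the Crypt export string: here just the KDF salt.
    exportString: salt.toString('base64'),
    // Layout: iv (12 bytes) | auth tag (16 bytes) | ciphertext
    payload: Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64')
  }
  return { ...doc, security_questions: { ...doc.security_questions, [name]: entry } }
}

// Returns the password, or null if the question is unknown or the answer is wrong.
function recoverPassword (doc, name, answer) {
  const entry = (doc.security_questions || {})[name]
  if (!entry) return null
  const raw = Buffer.from(entry.payload, 'base64')
  const key = deriveKey(answer, Buffer.from(entry.exportString, 'base64'))
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12))
  decipher.setAuthTag(raw.subarray(12, 28))
  try {
    return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8')
  } catch (err) {
    return null // GCM tag mismatch: wrong answer or tampered payload
  }
}

// Returns a copy of the document without the named question.
function removeSecurityQuestion (doc, name) {
  const { [name]: removed, ...rest } = doc.security_questions || {}
  return { ...doc, security_questions: rest }
}
```

Because the record is stored alongside the data, the entropy of the answer is what protects the password; the scrypt cost only slows guessing.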