Comment by rahkiin 4 days ago

Any domain takeover allows email takeover which allows you to send password reset emails for former employees. Does not matter if it is with oauth or not

mtkd 4 days ago

And many vendors will send "restart your service today for $x" for months afterwards so data not deleted

Some SaaS ecommerce platforms and email marketing services will likely give a restarted domain entire customer databases ...

  • rahkiin 4 days ago

    There should be some service for permanently destroying a domain with a single prepaid cost. Somehow preventing bankruptcy laws from getting the domain.

    Pay X$ up front, then Y$ per month to keep active. Once you cannot pay, it gets blocked forever (paid for by the up front cost). Owned by your service provider so not part of your firesale

    • ocdtrekkie 4 days ago

      What happens when your service provider that owns your domain collapses?

anon84873628 4 days ago

Those password resets should have some sort of MFA step.

  • jpc0 4 days ago

    Sue lost her phone, she used KeePass for everything and didn't back it up. She gets some support from IT, what do they do to solve Sue's problem?

    They reset her password and 2FA and have her redo them. She probably gets a lecture about backups or she spawns a brand new company policy that "Everyone should now use LastPass and nothing else is supported".

    If they as administrators cannot do that, Sue has now lost significant business data, there will be a decent amount of work stopped to get Sue onboarded again and this is a significant issue.

    An auditable log that X reset Sue's password and 2FA codes at x time while at x location with biometric authentication is pretty secure. If X also cannot touch those logs the next strawman falls apart.

    • anon84873628 4 days ago

      What does this have to do with the scenario above? Of course you can reset the corporate SSO account as many times as you want. The point is that federated apps with a password reset flow should have some sort of MFA.

      • necovek 4 days ago

        It defeats the purpose of the first S in "SSO": it's not a Single Sign-On, and for Sue in GP's example, after losing access to her MFA, she can't access federated service data, nor can the domain operators restore her access.

        • anon84873628 3 days ago

          Sue can access the federated app through SSO.

          The password reset flow, if offered by the SP at all, is only a fallback alternative to the SSO in case it becomes broken, and should only be used by organization administrators.

          The inability to complete the MFA is what prevents the federated user data from being accessed in the case of a domain takeover, which is what we're discussing here. So you really want that to be implemented by the SP.