Password Verification #270

Saifbenhmida · 2023-03-19T11:25:07Z

Saifbenhmida
Mar 19, 2023

Hello ORY team,I am new to the ORY network and I'm working on a function to update a user's password. I would like to add a step where the user must provide their current password, along with the new password they wish to set. The server needs to check if the provided current password is correct, and if it is, update the password to the new one. I'm using the ory/client library and I'm not sure how to perform the password verification step. Can you please assist me with this issue?

Answered by kmherrmann

Mar 19, 2023

Assuming you log in users with their password, a good way to achieve the desired security level is to require a privileged session for a password change.

View full answer

kmherrmann · 2023-03-19T13:09:57Z

kmherrmann
Mar 19, 2023

Assuming you log in users with their password, a good way to achieve the desired security level is to require a privileged session for a password change.

3 replies

Saifbenhmida Mar 19, 2023
Author

Yes, I am implementing an authentication guard to ensure that the user is authenticated. However, who's to say that someone can't use your laptop and change your password while it's open? That's why I want to implement the updatePassword() function with two steps: first, verify the password, and second, update the password. But I couldn't find any function in Ory that performs password verification.

Benehiko Mar 20, 2023

Hi @Saifbenhmida

You can request that the user re-authenticate with the ?refresh=true query parameter when creating the login flow.
https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-advanced-integration#refreshing-user-session

The steps would look something like this:

User navigates on your UI to the update password page (or settings page)
You request through a server-side middleware that the login flow force a refresh (with the ?refresh=true query param)
The user is shown the login page first saying "Verify it is you"
On successful verification the user is shown the settings / update password page.

This can also be achieved client-side, but since the query parameter is optional, it can be circumvented in the UI. The privileged session should is designed for this use case and the lifespan should be short enough to prevent a case where someone with physical access to the device changes the password.

But then again, this scenario means that the attacker has physical access to the device which would be a far greater security risk than just updating the password 🙃. Such as access to their emails, other sites and passwords. Banking etc.

Saifbenhmida Mar 20, 2023
Author

Thank you so much, @Benehiko , for all your help! Your assistance has been greatly appreciated.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Password Verification #270

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 3 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Password Verification #270

Uh oh!

Saifbenhmida Mar 19, 2023

Replies: 1 comment · 3 replies

Uh oh!

kmherrmann Mar 19, 2023

Uh oh!

Saifbenhmida Mar 19, 2023 Author

Uh oh!

Benehiko Mar 20, 2023

Uh oh!

Saifbenhmida Mar 20, 2023 Author

Saifbenhmida
Mar 19, 2023

Replies: 1 comment 3 replies

kmherrmann
Mar 19, 2023

Saifbenhmida Mar 19, 2023
Author

Saifbenhmida Mar 20, 2023
Author