
Account recovery protocol when email is breached, or inaccessible?

Çağlar Arlı

I am creating a web application for individual accounts. The email address is also used as the user name. 2FA is set up for the user to use optionally. I've been trying to wrap my head around preparing for account recovery in these two scenarios:

  • A user hasn't logged in to the website in a while and no longer has access to their email account, and they also forgot their password.

  • A user's email is breached, and the hacker/bad actor comes across some emails related to the website. Worst case scenario, they go to the website and reset the password using the forgot password feature, and then change the email address.

For the first scenario, if a user no longer has access to the email or maybe doesn't even know the email they used, how can I properly authenticate that they are who they say they are? I'm currently tracking a history of email changes, and the last three password hashes used.

For the second scenario, here is the approach I am considering, but not sure of:

  • Anytime a password or email is changed for the first time in the last 24hrs (using 24hrs as an example), store the original Email(Username) and password hash with a timestamp in a database table.
  • If the email or password is changed again and the 24hrs isn't up yet, the original stored email and password will remain.
  • Send an email any time the password is changed, reminding the user that if they don't recognize this change, they should immediately use the password reset feature and reset their password.
  • When an email is changed successfully, send an alert to the original email notifying them of the change. Also, allow the user to recover their account using their last known login credentials within 24hrs if they do not recognize this change. This is where the stored email and password hash will be used, as long as the user attempts recovery within 24hrs. So even if the hacker managed to change the email and password, the original user could still recover their account (within 24hrs) and regain control.

I would like to add that the site is still in development and has no users, so I am trying to sort this out early on. I also don't have much of a budget currently, so unfortunately SMS verification isn't something I can use to start out with.