Web Applications Archives - Anuj Varma, Hands-On Technology Architect, Clean Air Activist
https://www.anujvarma.com/category/technology/asp-net-performance/
Production Grade Technical Solutions | Data Encryption and Public Cloud Expert
Last updated Wed, 04 Jun 2025 17:58:49 +0000

Best Practices for Username Recovery and Password Reset
https://www.anujvarma.com/best-practices-for-username-recovery-and-password-reset/
Wed, 04 Jun 2025 17:58:49 +0000

🔐 Best Practices for Password Reset, Username Recovery & MFA Code Recovery

In a digital world increasingly reliant on secure access, users often face hurdles like forgotten passwords, misplaced usernames, or lost multi-factor authentication (MFA) codes. These are common pain points — but with the right practices, they can be managed securely and efficiently. Here’s a breakdown of best practices to strengthen the account recovery process while keeping user experience in mind.

1. 🔐 Password Reset Best Practices

  • Use Registered MFA Methods: During account setup, require users to register at least one MFA method (such as an authenticator app, phone number, or email) to enable password reset securely.
  • Avoid Email-Only Resets: Wherever possible, avoid relying solely on email for password resets. Use layered verification to prevent unauthorized access.
  • Strong Password Enforcement: Even with MFA, enforce strong, unique password requirements. Reuse of passwords across services increases risk in the event of a breach.

2. 🔎 Username Recovery

  • Masked Hints with Verification: Display partial usernames (e.g., a****z@example.com) only after validating a recovery method to avoid exposing account data.
  • Unified Recovery Portal: Provide a simple, centralized interface where users can recover either username or password without redundant steps.

3. 🔐 MFA Code & Device Recovery

Multi-factor authentication is essential — but losing access to an MFA method can lock users out. Here’s how to balance security with usability:

  • Register Multiple MFA Methods: Require users to set up more than one MFA option during onboarding — such as both a mobile authenticator and backup email.
  • Use Backup Codes: Offer downloadable one-time-use backup codes users can save securely for emergencies.
  • Allow MFA Recovery or Reset: Enable secure workflows where users can reset their MFA method after verifying alternative credentials or identity (e.g., via email or ID verification).
  • Security Questions (Use with Caution): While sometimes used, security questions should be unique, hard to guess, and ideally, customizable by the user.
  • Security Questions Reset: If you allow security questions to be re-configured, ensure that the user answers at least ONE of the previously set questions correctly.

4. ⚠ Security Considerations

  • MFA Recovery Flexibility: Choose systems that give users the ability to manage and recover their MFA settings if their device is lost or replaced.
  • Secure Backup Methods: Treat all backup methods as entry points — make sure they are protected by strong security policies (e.g., rate limiting, CAPTCHA, notification alerts).
  • Audit and Monitor: Always log and monitor recovery attempts to detect and flag suspicious behavior.
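To make sections 1, 2 and 4 concrete, here is an added Python example (not code from the original post) of a small recovery service: it issues a password-reset token only after a recent MFA verification, stores only a hash of the token, expires it, accepts it once, rate-limits attempts per account, writes every attempt to an audit log, and reveals a masked username hint only after a recovery method has been validated. The 15-minute token lifetime, the 5-attempts-per-hour limit and the 5-minute MFA freshness window are assumed policy values, and the in-memory dictionaries stand in for a database.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed policy values; a real deployment would take these from configuration.
TOKEN_TTL_SECONDS = 15 * 60        # reset links die after 15 minutes
MAX_ATTEMPTS_PER_HOUR = 5          # per-account cap on recovery attempts
MFA_FRESHNESS_SECONDS = 5 * 60     # MFA must have been verified within the last 5 minutes


@dataclass
class Account:
    username: str
    email: str
    mfa_verified_at: Optional[float] = None   # set by the MFA step, which is outside this example


@dataclass
class ResetToken:
    token_hash: str      # only the SHA-256 of the token is stored, never the token itself
    expires_at: float
    used: bool = False


class RecoveryService:
    """Issues and redeems password-reset tokens and records every attempt in an audit log."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.tokens: Dict[str, ResetToken] = {}       # username -> current token record
        self.attempts: Dict[str, List[float]] = {}    # username -> timestamps of recent attempts
        self.audit_log: List[Tuple[float, str, str, str]] = []   # (time, username, event, detail)

    def _log(self, username: str, event: str, detail: str = "") -> None:
        self.audit_log.append((self.clock(), username, event, detail))

    def _rate_limited(self, username: str) -> bool:
        # Sliding one-hour window: the current attempt is counted after the check.
        now = self.clock()
        recent = [t for t in self.attempts.get(username, []) if now - t < 3600]
        self.attempts[username] = recent + [now]
        return len(recent) >= MAX_ATTEMPTS_PER_HOUR

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def masked_username_hint(self, account: Account) -> Optional[str]:
        """Partial identifier (a***e@example.com) shown only once a recovery method is verified."""
        if account.mfa_verified_at is None:
            return None
        local, _, domain = account.email.partition("@")
        masked = local[0] + "*" if len(local) <= 2 else local[0] + "*" * (len(local) - 2) + local[-1]
        return f"{masked}@{domain}"

    def issue_reset_token(self, account: Account) -> Optional[str]:
        """Return the plaintext token to deliver out-of-band, or None if the request is refused."""
        if self._rate_limited(account.username):
            self._log(account.username, "reset_issue_denied", "rate limit")
            return None
        verified = account.mfa_verified_at
        if verified is None or self.clock() - verified > MFA_FRESHNESS_SECONDS:
            self._log(account.username, "reset_issue_denied", "no recent MFA verification")
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[account.username] = ResetToken(self._hash(token), self.clock() + TOKEN_TTL_SECONDS)
        self._log(account.username, "reset_issued")
        return token

    def redeem_reset_token(self, username: str, presented: str) -> bool:
        """Single-use, time-limited, constant-time comparison against the stored hash."""
        record = self.tokens.get(username)
        ok = (
            record is not None
            and not record.used
            and self.clock() <= record.expires_at
            and hmac.compare_digest(record.token_hash, self._hash(presented))
        )
        if ok:
            record.used = True
            self._log(username, "reset_redeemed")
        else:
            self._log(username, "reset_redeem_failed")
        return ok
```

The audit log is what section 4 asks for: a burst of `reset_issue_denied` or `reset_redeem_failed` entries for one account is the signal a monitoring rule should flag.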

🧠 Final Thought

User account recovery is a vital — and often overlooked — part of your security and user experience design. Done carelessly, it becomes a vulnerability. Done well, it becomes a competitive advantage. Implementing secure, user-friendly recovery methods protects both your users and your brand.

 

The post Best Practices for Username Recovery and Password Reset appeared first on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.

CORS origin False Positives
https://www.anujvarma.com/cors-origin-false-positives/
Wed, 12 Mar 2025 15:41:03 +0000

Almost all CORS misconfiguration notifications are false positives.
If you have set “Access-Control-Allow-Origin: *”, you will get these false positives.

It needs to be set to “Access-Control-Allow-Credentials: true”.
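The distinction the post draws (a wildcard origin on its own versus credentials being allowed) is the one a scanner finding should be triaged on. The following added Python example, not from the original post, classifies a response's CORS headers the way a reviewer would: a bare `*` only ever exposes public, unauthenticated responses, because the browser fails the CORS check when a credentialed request meets `Access-Control-Allow-Origin: *`; the finding that matters is a reflected, non-allowlisted origin combined with `Access-Control-Allow-Credentials: true`. The sample responses, the allowlist and the severity labels are constructed for the example.

```python
# Constructed sample responses, keyed by a label; none come from a real site.
SAMPLES = {
    "public-api": {"Access-Control-Allow-Origin": "*"},
    "wildcard-plus-credentials": {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Credentials": "true",
    },
    "reflected": {
        "Access-Control-Allow-Origin": "https://unknown.example",
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    },
    "allowlisted": {
        "Access-Control-Allow-Origin": "https://app.example.com",
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    },
    "no-cors": {"Content-Type": "application/json"},
}

# Assumed allowlist of origins the application intends to trust.
ALLOWED_ORIGINS = {"https://app.example.com"}

# Assumed severity labels for each classification.
SEVERITY = {
    "no-cors": "none",
    "allowlisted": "none",
    "wildcard": "info",                          # the usual scanner false positive: public data only
    "wildcard-with-credentials": "low",          # browsers reject the combination; fix the header anyway
    "reflected-origin": "low",                   # any origin can read unauthenticated responses
    "reflected-origin-with-credentials": "high", # any origin can read the user's authenticated responses
    "other": "review",
}


def classify_cors(request_origin, response_headers, allowed_origins):
    """Classify the CORS policy a response expresses for the given request Origin."""
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    credentialed = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        # Per the Fetch standard a credentialed request fails the CORS check against "*",
        # so the browser never hands an authenticated response to another origin.
        return "wildcard-with-credentials" if credentialed else "wildcard"
    if acao == request_origin and request_origin not in allowed_origins:
        # The server echoed an origin it should not trust.
        return "reflected-origin-with-credentials" if credentialed else "reflected-origin"
    if acao in allowed_origins:
        return "allowlisted"
    return "other"


def triage(request_origin, response_headers, allowed_origins=ALLOWED_ORIGINS):
    """Return (classification, severity) for one response."""
    classification = classify_cors(request_origin, response_headers, allowed_origins)
    return classification, SEVERITY[classification]


if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        origin = "https://app.example.com" if label == "allowlisted" else "https://unknown.example"
        print(f"{label:28} -> {triage(origin, headers)}")
```

A response that carries both `Vary: Origin` and an echoed `Access-Control-Allow-Origin` is the pattern to look for in the server configuration; the `wildcard` case is the one the post calls a false positive.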

HTTP2 advantages
https://www.anujvarma.com/http-2-0/
Tue, 18 Oct 2022 06:49:36 +0000

HTTP 1.0 had a serious limitation on the number of HTTP connections allowed between a browser and the HTTP server. HTTP 2.0 addressed several of these limitations and also provided enhancements over HTTP 1.0.

HTTP 2.0 addresses these shortcomings:

  1. Connection Multiplexing – a single connection serves multiple requests.
  2. Error Handling – there was no way to handle errors in HTTP 1.0.
  3. Server-Based Asset Push (Server Push for short) – if a request requires more than one asset, the server can push them automatically. This too was an enhancement over HTTP 1.0.

These are just some of the advancements offered by HTTP 2.0. These also make it possible to implement technologies like AJAX (sending data using JavaScript, asynchronously).

Recall that there are a total of four ways to send data over HTTP – HTTP links (GETs), HTTP forms (POSTs), HTTP cookies (sent automatically through headers) and JavaScript over HTTP. HTTP2 leverages all of these, but the JavaScript method most significantly.

 

Web Server Considerations for Hosting SSL Certificates
https://www.anujvarma.com/web-server-considerations-for-hosting-ssl-certificates/
Tue, 29 Jun 2021 15:58:22 +0000

(Also read – SSL Certificate basics )

Ensure that your server is at least dual homed.

Use a separate Network Interface for the Web Server (and associated SSL certificate).

Use a separate network interface for your enterprise domain (any other network).

The framework microsoft.aspnetcore.app version 3.1.0 was not found
https://www.anujvarma.com/the-framework-microsoft-aspnetcore-app-version-3-1-0-was-not-found/
Mon, 24 May 2021 23:45:46 +0000

If you see this error in VS Code, you are missing the aspnetcore runtime (even though you may have installed the larger .net core runtime).

Basically, .net core is not the same as aspnetcore. They are different runtimes and thus, different downloads.

To get the appropriate aspnetcore.app 3.1.X version, try this Microsoft download.

If you still get the error, you may also need the corresponding .net core runtime.

 

 

From Chrome, clear a specific site’s cached content
https://www.anujvarma.com/from-chrome-clear-a-specific-sites-cached-content/
Sun, 30 Jun 2019 03:55:34 +0000

Type chrome://settings

Basically, go into the advanced tab on the ‘clear browsing content’ – and pick ‘Site Settings’.

 

[image]

SSL or TLS – on Firewalls and Load Balancers – layer 5 or layer 6
https://www.anujvarma.com/ssl-or-tls-on-firewalls-and-load-balancers-layer-5-or-layer-6/
Thu, 01 Nov 2018 18:03:00 +0000

For layer 7 firewalls, how does SSL / TLS exactly work?

Since SSL lives in layer 6 (or 5) – but not 7, how does it even understand layer 7 (app specific) traffic?

The answer is that it doesn’t – it uses lower-layer capabilities to try and decipher the application to block or allow.

[image: SSL_Layer_5]

Browser Reload without retrieving cached pages
https://www.anujvarma.com/browser-reload-without-retrieving-cached-pages/
Thu, 25 Jan 2018 18:07:28 +0000

It is a pain to clear out the cache every time while testing a simple client-side change in your web app.

CTRL F5 reloads the page afresh, without checking the cache. Nifty shortcut.

WebSockets–versus HTTP
https://www.anujvarma.com/websockets-versus-http/
Fri, 17 Nov 2017 17:26:00 +0000

I am building a web app (or a mobile app). Can I eliminate HTTP altogether and use WebSockets?

Not completely. To perform a WebSocket handshake, one needs HTTP. Once the handshake is successful, you can switch to WebSockets entirely. If your app runs in a browser, you may also need to serve HTML/JavaScript file(s) for the landing page, which will require HTTP.
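The HTTP dependency the post describes is the opening handshake of RFC 6455: the client sends an HTTP/1.1 GET with `Upgrade: websocket` and a random `Sec-WebSocket-Key`, and the server answers `101 Switching Protocols` with `Sec-WebSocket-Accept` set to base64(SHA-1(key + a fixed GUID)). The following added Python example, not code from the original post, parses such a request, validates it, checks the `Origin` header against an allowlist (the server-side defence that keeps a page on another site from opening a credentialed WebSocket to it), and builds the response. The sample request is constructed after the one in RFC 6455 section 1.3, and the allowlist is an assumption of the example.

```python
import base64
import hashlib

# Fixed GUID that RFC 6455 requires in the Sec-WebSocket-Accept computation.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed sample upgrade request, modelled on the example in RFC 6455 section 1.3.
SAMPLE_REQUEST = (
    b"GET /chat HTTP/1.1\r\n"
    b"Host: server.example.com\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Origin: http://example.com\r\n"
    b"Sec-WebSocket-Version: 13\r\n"
    b"\r\n"
)


def parse_request(raw):
    """Split an HTTP/1.1 request head into (method, target, version, headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def accept_value(key):
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), exactly as RFC 6455 specifies."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def validate_upgrade(method, version, headers, allowed_origins):
    """Return (ok, reason) for an upgrade request; the Origin check is the server's choice."""
    if method != "GET" or version != "HTTP/1.1":
        return False, "websocket upgrade requires GET over HTTP/1.1"
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "missing Upgrade: websocket"
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        return False, "Connection header does not include Upgrade"
    if headers.get("sec-websocket-version") != "13":
        return False, "unsupported Sec-WebSocket-Version"
    key = headers.get("sec-websocket-key", "")
    try:
        if len(base64.b64decode(key, validate=True)) != 16:
            return False, "Sec-WebSocket-Key must decode to 16 bytes"
    except (ValueError, TypeError):
        return False, "Sec-WebSocket-Key is not valid base64"
    origin = headers.get("origin")
    if origin is not None and origin not in allowed_origins:
        # Browsers always send Origin; rejecting unknown ones blocks cross-site WebSocket use.
        return False, "origin not allowed"
    return True, "ok"


def handshake_response(raw_request, allowed_origins):
    """Produce the server's HTTP response bytes for a raw upgrade request."""
    method, _target, version, headers = parse_request(raw_request)
    ok, reason = validate_upgrade(method, version, headers, allowed_origins)
    if not ok:
        body = reason.encode("ascii")
        return (b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/plain\r\n"
                b"Content-Length: " + str(len(body)).encode("ascii") + b"\r\n\r\n" + body)
    accept = accept_value(headers["sec-websocket-key"]).encode("ascii")
    # After this response both sides stop speaking HTTP and exchange WebSocket frames.
    return (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
            b"Connection: Upgrade\r\nSec-WebSocket-Accept: " + accept + b"\r\n\r\n")


if __name__ == "__main__":
    print(handshake_response(SAMPLE_REQUEST, {"http://example.com"}).decode("ascii"))
```

With the RFC's sample key the accept value is `s3pPLMBiTxaQ9kYGzzhZRbK+xOo=`; everything up to that 101 response is plain HTTP, which is why HTTP cannot be removed entirely.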

What are the advantages and disadvantages of this solution?

Advantages

  • Full duplex, stateful communication (unlike HTTP).
  • Real server push (you can easily notify clients).
  • Add a layer on top of WebSockets (e.g. JSON-RPC), and you can outperform HTTP.

Disadvantages

  • Bare-bones TCP, so your app may require another protocol on top of it, which could affect performance and reliability, especially if you want to mix textual content (e.g. JSON) with binary content (e.g. images). You may end up reinventing the HTTP protocol over WebSockets.
  • Not as many tools as for HTTP.

What about Socket.io?

  1. Socket.io was designed to handle some shortcomings of WebSockets.
  2. Addresses connection-dropping issues with WebSockets.
  3. Old-browser fallback capability.

SSH versus VPN
https://www.anujvarma.com/ssh-versus-vpn/
Thu, 10 Aug 2017 00:11:00 +0000

Both are technologies for accessing remote resources using a secure channel.

VPN Base Use Case

  • Some of the business’s employees may travel and frequently need to access these resources from the road. However, the business doesn’t want to expose their important resources to the public Internet.
  • Instead, the business can set up a VPN server and employees on the road can connect to the company’s VPN. Once an employee is connected, their computer appears to be part of the business’s private network – they can access file shares and other network resources as if they were actually on the physical network.

SSH Base Use Case

  • No different from the VPN use case.

VPN Basics

  • Hides the origin – To the websites the employee accesses through the VPN, the web browsing traffic would appear to be coming from the VPN server.
  • OS Level – A VPN works more at the operating system level than the application level. In other words, when you’ve set up a VPN connection, your operating system can route all network traffic through it from all applications (although this can vary from VPN to VPN, depending on how the VPN is configured). You don’t have to configure each individual application.

SSH Basics

  • Same strong encryption as VPN.
  • Not at OS level: each app has to be configured separately to work with the SSH client.
