Azure B2C reset password user flow spam security issue

Adrian Crisan 0 Reputation points
2023-03-24T07:54:41.86+00:00

We are using the Azure B2C user flow "Password reset" to allow users to reset their password. This user flow validates the owner of the provided email by sending an email with a code. All is fine in this logic, except I can't find a way to limit/prevent spamming of a particular email with a high number of unsolicited emails.

This could happen if someone just enters any email and hits the send code button. If that email is an email that belongs to someone else, that person will receive a lot of unsolicited emails.

From my tests I could achieve this by just clicking "Resend code" over and over again. This is a bad security risk if there is no check whether an account exists for that email before actually sending an email, and also if no mechanism is in place to limit the number of emails sent (like a reCAPTCHA).


1 answer

Shweta Mathur 30,196 Reputation points Microsoft Employee
    2023-03-28T10:36:36.5533333+00:00

    Hi @Adrian Crisan ,

    Thanks for reaching out.

    I understand your concern here.

    However, there is no real security risk here, but there is a reputation risk involved for a company that implements Azure AD B2C, and a financial risk for those who implemented a third-party email service and opt for SMS MFA.

    Currently, there is no way to fix this; however, one way to mitigate this risk is to implement a Web Application Firewall (WAF, e.g. Tutorial to configure Azure Active Directory B2C with Azure Web Application Firewall - Azure AD B2C | Microsoft Learn), which is also only possible in combination with a custom domain. The core idea of the approach is that the Web Application Firewall will have various rules kicking out malicious actors.

    I would suggest you post this idea at the Azure Feedback Portal, which is monitored by the product team for feature enhancements.

    Thank you for your time and patience throughout this issue.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.
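The following is an added illustration, not code from Azure AD B2C, Microsoft, or either participant in this thread. It shows the kind of rate-limiting rule the answer refers to, expressed as a small in-process limiter that a reverse proxy in front of the "send code" step could apply: a cap per recipient address (so repeatedly clicking "Resend code" cannot flood one mailbox) and a cap per client IP (so spreading requests over many addresses does not bypass the first cap). The class and function names (`SendCodeLimiter`, `decide`, the `simulate_*` helpers), the thresholds, and the sample addresses and IP are all assumptions constructed for the example. The user-facing message is deliberately identical whether the request was sent, throttled, or aimed at an address with no account, so the limiter does not become an account-enumeration oracle.

```python
"""Rate limiting for a password-reset "send code" endpoint (added example).

Assumed design, not Azure AD B2C's own logic: a proxy in front of the reset
flow caps verification emails per recipient and per client IP using a sliding
window. The in-memory store is a simplification; several proxy instances
would share a store such as Redis instead.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass

# Same text for every outcome (sent, throttled, unknown address), so the
# response leaks nothing about account existence or about the limiter state.
USER_FACING_MESSAGE = "If an account exists for this address, a code has been sent."


@dataclass(frozen=True)
class Limit:
    max_requests: int      # requests allowed ...
    window_seconds: float  # ... within this trailing window


class SlidingWindowCounter:
    """Per-key event timestamps over a trailing window."""

    def __init__(self, limit: Limit) -> None:
        self.limit = limit
        self._events: dict[str, deque[float]] = defaultdict(deque)

    def _prune(self, key: str, now: float) -> deque[float]:
        # Drop timestamps that have fallen out of the window.
        q = self._events[key]
        cutoff = now - self.limit.window_seconds
        while q and q[0] <= cutoff:
            q.popleft()
        return q

    def would_allow(self, key: str, now: float) -> bool:
        return len(self._prune(key, now)) < self.limit.max_requests

    def record(self, key: str, now: float) -> None:
        self._events[key].append(now)


class SendCodeLimiter:
    """Caps verification emails per recipient address and per client IP.

    Thresholds are constructed for the example: 3 emails per address and
    20 requests per IP within a 10-minute window.
    """

    def __init__(self, per_email: Limit = Limit(3, 600), per_ip: Limit = Limit(20, 600)) -> None:
        self.by_email = SlidingWindowCounter(per_email)
        self.by_ip = SlidingWindowCounter(per_ip)

    def decide(self, email: str, client_ip: str, now: float) -> tuple[bool, str]:
        """Return (send_email, message). Both counters are consumed only when
        both allow, so a throttled request does not burn the other budget."""
        recipient = email.strip().lower()  # normalise so case tricks do not split the budget
        if not (self.by_ip.would_allow(client_ip, now) and self.by_email.would_allow(recipient, now)):
            return False, USER_FACING_MESSAGE  # silently dropped; log it for detection
        self.by_ip.record(client_ip, now)
        self.by_email.record(recipient, now)
        return True, USER_FACING_MESSAGE


def simulate_resend_clicks(clicks: int, seconds_apart: float = 1.0) -> int:
    """Constructed scenario from the question: one client keeps clicking
    'Resend code' for one address. Returns how many emails would be sent."""
    limiter = SendCodeLimiter()
    sent = 0
    for i in range(clicks):
        ok, _ = limiter.decide("Victim@Example.com", "203.0.113.10", now=i * seconds_apart)
        sent += ok
    return sent


def simulate_many_recipients(addresses: int) -> int:
    """Constructed scenario: one client spreads requests over many addresses;
    the per-email cap alone would not help, the per-IP cap does."""
    limiter = SendCodeLimiter()
    sent = 0
    for i in range(addresses):
        ok, _ = limiter.decide(f"user{i}@example.com", "203.0.113.10", now=float(i))
        sent += ok
    return sent


if __name__ == "__main__":
    print(simulate_resend_clicks(10))    # 3: only the first three clicks send an email
    print(simulate_many_recipients(25))  # 20: the per-IP cap stops the rest
```

Throttled requests are dropped silently rather than answered with an error so the caller cannot use the response to probe the limits or the account list; the drop is the event worth logging and alerting on, since a burst of throttled "send code" requests for one address or from one IP is exactly the pattern described in the question.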

