
I am sending an activation link through email, which in turn is called after creating the user. These are the steps that I am doing:

  1. Create the user without credentials (Okta API).
  2. Activate the user with "send email" set to false (Okta API).
  3. Through my own code I send the activation link to the user.
  4. After he clicks on the activation link, it comes to my custom page.
  5. After he enters a password and clicks on submit, the Set Password call of the Okta API is fired and the user becomes activated.

The problem with this approach is that it is not able to avoid a MITM attack, as if someone gets access to the user's email he will be able to set his credentials. What is the best way to avoid this?

cweiske
    You can only mitigate this with two-factor authentication; in this case they would have to verify using their phone before providing a password, or something similar. – Joe Aug 11 '17 at 08:46
  • If the user is under a MITM attack (even if your strategy is good), the attacker will know the final password. But if you want to avoid malicious use of an email, yes, you can go with two-factor authentication as @Joe said. – Gremi64 Aug 11 '17 at 08:58
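Added example, not code from the question or from Okta's SDK: one way to harden steps 3 to 5 along the lines of the two-factor suggestion in the comments. The emailed token is stored only as a hash, expires, is redeemable once, and the new password is accepted only together with a code delivered over a second channel; `set_password` is a caller-supplied callable standing in for the Okta Set Password call, and the in-memory store, TTL and attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of an emailed activation link
MAX_ATTEMPTS = 5              # assumed limit before a pending activation is voided

@dataclass
class PendingActivation:
    token_hash: str     # sha256 of the emailed token; the raw token is never stored
    otp_hash: str       # sha256 of the code sent over the second channel (e.g. SMS)
    expires_at: float   # unix time; `now` is passed in explicitly so callers control the clock
    attempts: int = 0
    used: bool = False

PENDING: Dict[str, PendingActivation] = {}   # constructed in-memory stand-in for a DB table

def _digest(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def issue_activation(user_id: str, now: float) -> Tuple[str, str]:
    """Create a pending activation; returns (email_token, otp) for two separate channels."""
    token = secrets.token_urlsafe(32)           # goes into the activation link
    otp = f"{secrets.randbelow(10 ** 6):06d}"   # goes to the phone, never into the email
    PENDING[user_id] = PendingActivation(_digest(token), _digest(otp), now + TOKEN_TTL_SECONDS)
    return token, otp

def redeem(user_id: str, token: str, otp: str, new_password: str,
           set_password: Callable[[str, str], None], now: float) -> bool:
    """Accept the password only if the link token and the second-channel code both verify."""
    rec = PENDING.get(user_id)
    if rec is None or rec.used or now > rec.expires_at:
        return False
    rec.attempts += 1
    if rec.attempts > MAX_ATTEMPTS:
        rec.used = True                          # void it; a fresh link must be issued
        return False
    token_ok = hmac.compare_digest(rec.token_hash, _digest(token))
    otp_ok = hmac.compare_digest(rec.otp_hash, _digest(otp))
    if not (token_ok and otp_ok):
        return False
    rec.used = True                              # single use: a replayed link is rejected
    set_password(user_id, new_password)          # the Okta Set Password call goes here
    return True
```

With this, someone holding only the mailbox has the link but not the code, and a leaked or replayed link is rejected after first use or expiry.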

0 Answers