### Rating (1--4):

+ 2: Weak Reject -- This paper has good ideas, but would need additional work to be a top-tier paper

### What did this paper do well?

+ Good ethics guideline, declared early in the first section
+ PRMitM is a clever attack (exploits actually happen on the server side)

### Where did this paper fall short?

+ The paper assumes users will be using the same emails they used for other services (Facebook, Snapchat, etc.). Using XSS to get emails/usernames can be hit or miss (and was not discussed in more detail).
+ 536 participants is not a strong number (admitted by the paper). The number is actually much lower in the sub-experiments.
+ Won't work in the case where reset links get sent to emails. The argument that an email service can't send reset links to email is invalid because users are required to have a backup email address when registering for an email service.
+ SMS text evasion is not persuasive. Most providers include their brand in the text. For example: "Your password reset code for [brand name] is: xxxxxx". The argument that some users can't understand the text in a different language is also not valid, since they can recognize the brand. For example, one may not understand English but s/he can recognize "Google" or "Facebook".

### What did you learn from reading this paper?

+ PRMitM

### What questions do you have about the paper or the area?

+ How does this work with 2nd-factor password reset? (A combination of two or more password reset methods, for example sending a reset link + phone text?)
+ How does this work when users forget and type wrong answers to challenge questions? (Obviously, on the attacking site, you can't ask users the same questions again.)