I would like to implement some kind of passcode reset feature for those users that have forgotten their passcode (essentially a 4-digit pin code) for the iPhone app I am writing, but I do not want to make it possible for any user to simply disable it. I am thinking of putting some kind of verification in place and want to know what the best practice is for this kind of thing.
I'm planning something like this:
I'm thinking this will enable me to only allow users to reset the passcode only if they have been in contact with me and I have verified who they are. This should also prevent the user from using this code to unlock another phone with the same app on it.
Does this seem like a good idea? Are there any suitable hashing algorithms/libraries to generate this kind of two step verification code (Objective C preferably)? Are there any better approaches to this kind of thing?
Any help or advice would be greatly appreciated.
You should be able to use a combination of hashing and RSA to solve this.
Assume you have a private key (K1) at your end, and public key (K2) is distributed with the app.
Step 2: Send a random code C and the encryption of C with private key K1. The app decrypts the encryption and checks if it matches the user-entered code C
Step 3: The app creates a random 4 digit code (new password P), encrypts it with the public key and sends it to you (or probably gives it to the user who sends it to you)
Step 4: You decrypt the new password with your private key and send it to the user
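The exchange these steps describe, as an added example that is not part of the original answer, written in Go rather than Objective-C. A PSS signature stands in for "encrypting C with the private key", OAEP is used for the app-to-server encryption of P, and a device identifier (the `Server`/`App` types, the 6-digit code length and the `deviceID` value are all assumptions) is folded into the signed challenge so a code issued for one phone is rejected on another.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Server holds the private key K1; App holds the public key K2 and a constructed device id that ties a reset to one phone.
type Server struct{ key *rsa.PrivateKey }
type App struct {
	pub      *rsa.PublicKey
	deviceID string
}

// Step 2, server: issue a random 6-digit code C and sign SHA-256(deviceID|C) with K1 (PSS is the sound form of "encrypting with the private key").
func (s *Server) IssueChallenge(deviceID string) (code string, sig []byte, err error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", nil, err
	}
	code = fmt.Sprintf("%06d", n)
	h := sha256.Sum256([]byte(deviceID + "|" + code))
	sig, err = rsa.SignPSS(rand.Reader, s.key, crypto.SHA256, h[:], nil)
	return code, sig, err
}

// Step 2, app: accept the user-typed code only if the signature verifies for this device.
func (a *App) VerifyChallenge(code string, sig []byte) bool {
	h := sha256.Sum256([]byte(a.deviceID + "|" + code))
	return rsa.VerifyPSS(a.pub, crypto.SHA256, h[:], sig, nil) == nil
}

// Step 3, app: choose the new 4-digit PIN P and encrypt it to K2 (OAEP) for the server.
func (a *App) NewPIN() (pin string, ct []byte, err error) {
	n, err := rand.Int(rand.Reader, big.NewInt(10000))
	if err != nil {
		return "", nil, err
	}
	pin = fmt.Sprintf("%04d", n)
	ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, a.pub, []byte(pin), nil)
	return pin, ct, err
}

// Step 4, server: decrypt P with K1 so it can be read back to the verified user.
func (s *Server) RecoverPIN(ct []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.key, ct, nil)
	return string(pt), err
}
```

The OAEP ciphertext is a few hundred bytes, so in practice the app would hand it over as a short base64 string or a QR code rather than have the user read it out.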