I am sending an activation link through email, which in turn is called after creating the user. These are the steps that I am doing:
1. Create the user without credentials.
2. Activate the user with send email set to false.
3. Through my own code I send the activation link to the user.
4. After he clicks on the activation link, it comes to my custom page.
5. After he enters a password and clicks on submit, the Set Password Okta API is fired and the user becomes activated.
The problem with this approach is that it is not able to avoid a MITM attack: if someone gets access to the user's email, he will be able to set his credentials. What is the best way to avoid this?
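Step 3 above ("through my own code I send the activation link") is where the link itself is minted. The following is an added example, not code from the question or from Okta, showing how that custom code can at least bound the damage of an intercepted link: the token is high-entropy, only its hash is stored, it expires after a short TTL, and it can be redeemed exactly once, so a second redemption attempt (from whoever reads the mailbox later) fails and can be logged. `ActivationStore`, `TOKEN_TTL_SECONDS`, `build_activation_link` and the in-memory store are all hypothetical stand-ins for the application's database and URL scheme; the final Set Password call to Okta is deliberately left out, since it happens only after `redeem` returns a user id.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical policy value: an activation link is valid for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


def _hash_token(token: str) -> str:
    """Store only a digest of the token, so a leaked store cannot be replayed."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class PendingActivation:
    user_id: str
    expires_at: float
    consumed: bool = False


class ActivationStore:
    """In-memory stand-in for the table of pending activations (constructed for the example)."""

    def __init__(self) -> None:
        # keyed by token hash, never by the raw token
        self._pending: Dict[str, PendingActivation] = {}

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Mint a fresh single-use token for user_id and return the raw token for the link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[_hash_token(token)] = PendingActivation(
            user_id=user_id, expires_at=now + TOKEN_TTL_SECONDS
        )
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id if the token is valid, unexpired and unused; otherwise None.

        The token is marked consumed on success, so any later presentation of the same
        link (for example by someone who read the mailbox afterwards) is rejected.
        """
        now = time.time() if now is None else now
        digest = _hash_token(token)
        # Constant-time lookup over the stored digests avoids leaking which prefix matched.
        match = None
        for stored_digest, record in self._pending.items():
            if hmac.compare_digest(stored_digest, digest):
                match = record
        if match is None:
            return None  # unknown token
        if match.consumed:
            return None  # replay: the link has already been used once
        if now > match.expires_at:
            return None  # expired: user must request a new link
        match.consumed = True
        return match.user_id


def build_activation_link(base_url: str, token: str) -> str:
    """Hypothetical URL layout for the custom activation page from step 4."""
    return f"{base_url}/activate?token={token}"


if __name__ == "__main__":
    store = ActivationStore()
    raw = store.issue("00u-example-user")  # constructed user id, not a real Okta id
    print("link to email:", build_activation_link("https://app.example", raw))
    print("first redeem :", store.redeem(raw))   # user id
    print("second redeem:", store.redeem(raw))   # None: single-use
```

The store's `redeem` returning `None` on a second use is the signal worth alerting on: a legitimate user whose link fails with "already used" is evidence that someone else read the mail first. This only narrows the window and detects reuse; it does not by itself stop an attacker who reaches the mailbox before the user, which is the point the answer below addresses with encryption of the message or the transport.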
There are a few things you can do to mitigate MITM attacks on emails. Some options are easier to implement than others.
The best method would be to implement end-to-end encryption of the email message using a public/private key method (e.g. PGP). Your application would then encrypt the email using a key that only the user can open. However, this heavily relies on your end users having the chosen encryption method set up on their email client, something which most are unlikely to have.
If you control the environment and the email servers are all trusted, you could ensure that all links (i.e. your app --> mail server --> user's desktop client) are encrypted. There are downsides to this. For example, the message will likely be unencrypted at some point on the mail server (i.e. in memory or on the filesystem). Also, if you are sending between organisations/external mail servers, you cannot guarantee their security.
Some organisations have systems designed for sending sensitive information. If one is available to you, this *may* be a potential solution.