Self-service password reset

Last updated October 30, 2023

Self-service password reset (SSPR) is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor, and repair their own problem, without calling the help desk. It is a common feature in identity management software and often bundled in the same software package as a password synchronization capability.

Typically users who have forgotten their password launch a self-service application from an extension to their workstation login prompt, using their own or another user's web browser, or through a telephone call. Users establish their identity, without using their forgotten or disabled password, by answering a series of personal questions, using a hardware authentication token, responding to a notification e-mail or, less often, by providing a biometric sample such as voice recognition. Users can then either specify a new, unlocked password, or ask that a randomly generated one be provided.

Self-service password reset expedites problem resolution for users "after the fact", and thus reduces help desk call volume. It can also be used to ensure that password problems are only resolved after adequate user authentication, eliminating an important weakness of many help desks: social engineering attacks, where an intruder calls the help desk, pretends to be the intended victim user, claims to have forgotten the account password, and asks for a new password.

Multi-factor authentication

Rather than merely asking users to answer security questions, modern password reset systems may also leverage a sequence of authentication steps:

Ask users to complete a CAPTCHA, to demonstrate that they are human.
Ask users to enter a PIN which is sent to their personal e-mail address or mobile phone.
Require use of another technology, such as a one-time-password token.
Leverage biometrics, such as a voice print.
An authenticator, such as Google Authenticator or an SMS code.

Security of authenticating users purely by asking security questions

Despite the benefits, a self-service password reset that relies solely on answers to personal questions can introduce new vulnerabilities,^[1]^[2] since the answers to such questions can often be obtained by social engineering, phishing techniques or simple research. While users are frequently reminded never to reveal their password, they are less likely to treat as sensitive the answers to many commonly used security questions, such as pet names, place of birth or favorite movie. Much of this information may be publicly available on some users' personal home pages. Other answers can be elicited by someone pretending to conduct an opinion survey or offering a free dating service. Since many organizations have standard ways of determining login names from real names, an attacker who knows the names of several employees at such an organization can choose one whose security answers are most readily obtained.

This vulnerability is not strictly due to self-service password reset—it often exists in the help desk prior to deployment of automation. Self-service password reset technology is often used to reduce this type of vulnerability, by introducing stronger caller authentication factors than the human-operated help desk had been using prior to deployment of automation.

In September 2008, the Yahoo e-mail account of Governor of Alaska and Vice President of the United States nominee Sarah Palin was accessed without authorization by someone who was able to research answers to two of her security questions, her zip code and date of birth and was able to guess the third, where she met her husband.^[3] This incident clearly highlighted that the choice of security questions is very important to prevent social engineering attacks on password systems.

Preference-based authentication

Jakobsson, Stolterman, Wetzel, and Yang proposed to use preferences to authenticate users for password reset.^[4]^[5] The underlying insights are that preferences are stable over a long period of time,^[6] and are not publicly recorded. Their approach includes two phases---setup and authentication. During the setup, a user is asked to select items that they either like or dislike from several categories of items which are dynamically selected from a big candidate set and are presented to the user in a random order. During the authentication phase, users are asked to classify their preferences (like or dislike) for the selected items displayed to them in a random order. Jakobsson, Stolterman, Wetzel, and Yang evaluated the security of their approach by user experiments, user emulations, and attacker simulations.

Email or phone based resets

Many web based systems not using single sign on allow users to send a password reset link to their registered email address or phone number. However, many large social media platforms reveal a part of a user's email address and some of the phone number digits when using the 'forgotten password' function. Often the whole email address can be derived from this hint.^[7]

Two-factor authentication

Two-factor authentication is a 'strong authentication' method, as it adds another layer of security to the password reset process. In most cases this consists of Preference Based Authentication plus a second form of physical authentication (using something the user possesses, i.e. Smartcards, USB tokens, etc.). One popular method is through SMS and email. Advanced SSPR software requires the user to provide a mobile phone number or personal e-mail address during setup. In the event of a password reset, a PIN code will be sent to the user's phone or email and they will need to enter this code during the password reset process. Modern technology also allows authentication via voice biometrics using voice recognition technology.^[8]

Access to platform for reset

A major problem with self-service password reset inside corporations and similar organizations is enabling users to access the system if they forgot their primary password. Since SSPR systems are typically web-based, users need to launch a web browser to fix the problem, yet cannot log into the workstation until the problem is solved. There are various approaches to addressing this Catch-22, most of which are compromises (e.g., desktop software deployment, domain-wide password reset account, telephone access, visiting a neighbour, continuing to call the help desk, etc.). Some companies have created software which presents a restricted web browser at the login screen with the sole ability to access the password reset page without logging into the system; an example of this is Novell's Client Login Extension technology. Because these technologies effectively give the user access to computer resources, specifically a web browser, to reset passwords without authenticating to the computer, security is a high priority and capabilities are very limited so that the user cannot do more than is expected in this mode.

There are two additional problems related to the one of locked out users:

Mobile users, physically away from the corporate network, who forgot their PC's login password.
Passwords cached by the operating system or browser, which might continue to be offered to servers after a password change that was initiated on another computer (help desk, password management web server, etc.) and therefore trigger an intruder lockout.

The vouching option

In conjunction with preference-based authentication, self-service password reset procedures could also rely on the network of existing human relations among users. In this scenario, the user who forgot the password asks a colleague for assistance. The "helper" colleague authenticates with the password reset application and vouches for user's identity.^[9]^[10]

In this scenario, the problem changes from one of authenticating the user who forgot the password to one of understanding which users should have the ability to vouch for which other users.

RBAC Authorization

Though it is important to provide multifactor authentication when SSPR software endpoint faces untrusted networks, there is another important aspect which modern SSPR needs to address. It is Role Base Access Control (RBAC) feature which is responsible for access level provisioning for the users. When doing critical self-service password resets for privileged accounts you may want to allow account unlocks and to restrict password change functionality. The support teams have a responsibility of changing passwords of these accounts. More information and videos on how such portals work in practice can be found under the external links section called SecureMFA SSPR Portal.

Related Research Articles

A password, sometimes called a passcode, is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of password-protected services that a typical individual accesses can make memorization of unique passwords for each service impractical. Using the terminology of the NIST Digital Identity Guidelines, the secret is held by a party called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates knowledge of the password to the verifier through an established authentication protocol, the verifier is able to infer the claimant's identity.

An email client, email reader or, more formally, message user agent (MUA) or mail user agent is a computer program used to access and manage a user's email.

<span class="mw-page-title-main">Phishing</span> Form of social engineering

Phishing is a form of social engineering and scam where attackers deceive people into revealing sensitive information or installing malware such as ransomware. Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim is navigating the site, and transverse any additional security boundaries with the victim. As of 2020, it is the most common type of cybercrime, with the FBI's Internet Crime Complaint Center reporting more incidents of phishing than any other type of computer crime.

<span class="mw-page-title-main">Internet security</span> Branch of computer security

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.

A one-time password (OTP), also known as a one-time PIN, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid several shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has as well as something a person knows.

In computer science, session hijacking, sometimes also known as cookie hijacking, is the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many websites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer. After successfully stealing appropriate session cookies an adversary might use the Pass the Cookie technique to perform session hijacking. Cookie hijacking is commonly used against client authentication on the internet. Modern web browsers use cookie protection mechanisms to protect the web from being attacked.

There are several forms of software used to help users or organizations better manage passwords:

Password fatigue is the feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine, such as to log in to a computer at work, undo a bicycle lock or conduct banking from an automated teller machine. The concept is also known as password chaos, or more broadly as identity chaos.

Call avoidance is a strategy businesses use to reduce inbound call volumes to contact centers in the customer service industry, particularly in the consumer market.

A security question is form of shared secret used as an authenticator. It is commonly used by banks, cable companies and wireless providers as an extra security layer.

<span class="mw-page-title-main">Multi-factor authentication</span> Method of computer access control

Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA protects personal data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.

Apple ID is a user account by Apple for their devices and software. Apple IDs contain the user's personal data and settings. When an Apple ID is used to log in to an Apple device, the device will automatically use the data and settings associated with the Apple ID.

A Microsoft account or MSA is a single sign-on personal user account for Microsoft customers to log in to consumer Microsoft services, devices running on one of Microsoft's current operating systems, and Microsoft application software.

SQRL or Secure, Quick, Reliable Login is a draft open standard for secure website login and authentication. The software typically uses a link of the scheme sqrl:// or optionally a QR code, where a user identifies via a pseudonymous zero-knowledge proof rather than providing a user ID and password. This method is thought to be impervious to a brute-force password attack or data breach. It shifts the burden of security away from the party requesting the authentication and closer to the operating-system implementation of what is possible on the hardware, as well as to the user. SQRL was proposed by Steve Gibson of Gibson Research Corporation in October 2013 as a way to simplify the process of authentication without the risk of revelation of information about the transaction to a third party.

Identity-based security is a type of security that focuses on access to digital information or services based on the authenticated identity of an entity. It ensures that the users and services of these digital resources are entitled to what they receive. The most common form of identity-based security involves the login of an account with a username and password. However, recent technology has evolved into fingerprinting or facial recognition.

Proton Mail is a Swiss end-to-end encrypted email service founded in 2013 headquartered in Plan-les-Ouates, Switzerland. It uses client-side encryption to protect email content and user data before they are sent to Proton Mail servers, unlike other common email providers such as Gmail and Outlook.com. The service can be accessed through a webmail client, the Tor network, or dedicated iOS and Android apps.

Intuitive Password is a proprietary freemium password manager and secure digital wallet that stores users' passwords and confidential data. It was launched in 2013 by the Australian company Intuitive Security Systems. Intuitive Password received mixed reviews. Neil J. Rubeking wrote in PC Magazine in 2013 that Intuitive Password's not having automated password capture like some of its competitors was a significant downside.

In cybersecurity, cyber self-defense refers to self-defense against cyberattack. While it generally emphasizes active cybersecurity measures by computer users themselves, cyber self-defense is sometimes used to refer to the self-defense of organizations as a whole, such as corporate entities or entire nations. Surveillance self-defense is a variant of cyber self-defense and largely overlaps with it. Active and passive cybersecurity measures provide defenders with higher levels of cybersecurity, intrusion detection, incident handling and remediation capabilities. Various sectors and organizations are legally obligated to adhere to cyber security standards.

Bitwarden is a freemium open-source password management service that stores sensitive information such as website credentials in an encrypted vault. The platform offers a variety of client applications including a web interface, desktop applications, browser extensions, mobile apps, and a command-line interface. Bitwarden offers a free US or European cloud-hosted service as well as the ability to self-host.

References

↑ Griffith, Virgil (2005). "Messin' with Texas Deriving Mother's Maiden Names Using Public Records". Applied Cryptography and Network Security (PDF). Lecture Notes in Computer Science. Vol. 3531. pp. 91–103. doi:10.1007/11496137_7. ISBN 978-3-540-26223-7.
↑ Rabkin, Ariel (2008). "Personal knowledge questions for fallback authentication: Security questions in the era of Facebook" (PDF). Proceedings of the 4th symposium on Usable privacy and security. pp. 13–23. doi:10.1145/1408664.1408667. ISBN 9781605582764. S2CID 6309745.
↑ "Hacker impersonated Palin, stole e-mail password". 18 September 2008. Archived from the original on 2 October 2008.
↑ Jakobsson, Markus; et al. (2008). "Love and Authentication" (PDF). Proceeding of the twenty-sixth annual CHI conference on Human factors in computing systems - CHI '08. pp. 197–200. CiteSeerX 10.1.1.145.6934 . doi:10.1145/1357054.1357087. ISBN 9781605580111. S2CID 2199454. Archived from the original (PDF) on 2017-04-25. Retrieved 2021-04-30.
↑ Jakobsson, Markus; et al. (2008). "Quantifying the Security of preference-based Authentication" (PDF). Proceedings of the 4th ACM workshop on Digital identity management - DIM '08. pp. 61–70. CiteSeerX 10.1.1.150.7577 . doi:10.1145/1456424.1456435. ISBN 9781605582948. S2CID 16199928.
↑ Crawford, Duane; et al. (1986). "The Stability of Leisure Preferences". Journal of Leisure Research. 18 (2): 96–115. doi:10.1080/00222216.1986.11969649.
↑ Cox, Joseph (15 April 2016). "Enable This Setting So People Can't Guess Your Email Address from Your Twitter" . Retrieved 17 January 2021.
↑ Inference Solutions (2015). "Self-service password reset: Pipe dream or reality? - Inference". Archived from the original on 2016-03-05. Retrieved 2015-05-20.
↑ Finetti, Mario (30 January 2022). "Self service password reset in large organisations".
↑ RSA Laboratories (2006). "Fourth-factor authentication: Somebody you know" (PDF). Proceedings of the 13th ACM conference on Computer and communications security. pp. 168–178. doi:10.1145/1180405.1180427. ISBN 978-1595935182. S2CID 1979527.

External links

Self service password reset in Healthcare Health Management Technology 2012 (retrieved on 2019-06-19)
Forgot Password Cheat Sheet Open Web Application Security Project (retrieved on 2019-06-19)
Password self-service from any device, anywhere and anytime Next generation ESB-based password management technology from ILANTUS Technologies (retrieved on 2019-06-19)
SucureMFA SSPR Portal Self-service password reset portal with RBAC functionality explained using video content (retrieved on 2021-01-17)

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Griffith, Virgil (2005). "Messin' with Texas Deriving Mother's Maiden Names Using Public Records". Applied Cryptography and Network Security (PDF). Lecture Notes in Computer Science. Vol. 3531. pp. 91–103. doi:10.1007/11496137_7. ISBN 978-3-540-26223-7.

[2] Rabkin, Ariel (2008). "Personal knowledge questions for fallback authentication: Security questions in the era of Facebook" (PDF). Proceedings of the 4th symposium on Usable privacy and security. pp. 13–23. doi:10.1145/1408664.1408667. ISBN 9781605582764. S2CID 6309745.

[3] "Hacker impersonated Palin, stole e-mail password". 18 September 2008. Archived from the original on 2 October 2008.

[4] Jakobsson, Markus; et al. (2008). "Love and Authentication" (PDF). Proceeding of the twenty-sixth annual CHI conference on Human factors in computing systems - CHI '08. pp. 197–200. CiteSeerX 10.1.1.145.6934 . doi:10.1145/1357054.1357087. ISBN 9781605580111. S2CID 2199454. Archived from the original (PDF) on 2017-04-25. Retrieved 2021-04-30.

[5] Jakobsson, Markus; et al. (2008). "Quantifying the Security of preference-based Authentication" (PDF). Proceedings of the 4th ACM workshop on Digital identity management - DIM '08. pp. 61–70. CiteSeerX 10.1.1.150.7577 . doi:10.1145/1456424.1456435. ISBN 9781605582948. S2CID 16199928.

[6] Crawford, Duane; et al. (1986). "The Stability of Leisure Preferences". Journal of Leisure Research. 18 (2): 96–115. doi:10.1080/00222216.1986.11969649.

[7] Cox, Joseph (15 April 2016). "Enable This Setting So People Can't Guess Your Email Address from Your Twitter" . Retrieved 17 January 2021.

[8] Inference Solutions (2015). "Self-service password reset: Pipe dream or reality? - Inference". Archived from the original on 2016-03-05. Retrieved 2015-05-20.

[9] Finetti, Mario (30 January 2022). "Self service password reset in large organisations".

[10] RSA Laboratories (2006). "Fourth-factor authentication: Somebody you know" (PDF). Proceedings of the 13th ACM conference on Computer and communications security. pp. 168–178. doi:10.1145/1180405.1180427. ISBN 978-1595935182. S2CID 1979527.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]