Self-service password reset

Last updated

Self-service password reset (SSPR) is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor, and repair their own problem, without calling the help desk. It is a common feature in identity management software and often bundled in the same software package as a password synchronization capability.

Contents

Typically users who have forgotten their password launch a self-service application from an extension to their workstation login prompt, using their own or another user's web browser, or through a telephone call. Users establish their identity, without using their forgotten or disabled password, by answering a series of personal questions, using a hardware authentication token, responding to a notification e-mail or, less often, by providing a biometric sample such as voice recognition. Users can then either specify a new, unlocked password, or ask that a randomly generated one be provided.

Self-service password reset expedites problem resolution for users "after the fact", and thus reduces help desk call volume. It can also be used to ensure that password problems are only resolved after adequate user authentication, eliminating an important weakness of many help desks: social engineering attacks, where an intruder calls the help desk, pretends to be the intended victim user, claims to have forgotten the account password, and asks for a new password.

Multi-factor authentication

Rather than merely asking users to answer security questions, modern password reset systems may also leverage a sequence of authentication steps:

Security of authenticating users purely by asking security questions

Despite the benefits, a self-service password reset that relies solely on answers to personal questions can introduce new vulnerabilities, [1] [2] since the answers to such questions can often be obtained by social engineering, phishing techniques or simple research. While users are frequently reminded never to reveal their password, they are less likely to treat as sensitive the answers to many commonly used security questions, such as pet names, place of birth or favorite movie. Much of this information may be publicly available on some users' personal home pages. Other answers can be elicited by someone pretending to conduct an opinion survey or offering a free dating service. Since many organizations have standard ways of determining login names from real names, an attacker who knows the names of several employees at such an organization can choose one whose security answers are most readily obtained.

This vulnerability is not strictly due to self-service password reset—it often exists in the help desk prior to deployment of automation. Self-service password reset technology is often used to reduce this type of vulnerability, by introducing stronger caller authentication factors than the human-operated help desk had been using prior to deployment of automation.

In September 2008, the Yahoo e-mail account of Governor of Alaska and Vice President of the United States nominee Sarah Palin was accessed without authorization by someone who was able to research answers to two of her security questions, her zip code and date of birth and was able to guess the third, where she met her husband. [3] This incident clearly highlighted that the choice of security questions is very important to prevent social engineering attacks on password systems.

Preference-based authentication

Jakobsson, Stolterman, Wetzel, and Yang proposed to use preferences to authenticate users for password reset. [4] [5] The underlying insights are that preferences are stable over a long period of time, [6] and are not publicly recorded. Their approach includes two phases---setup and authentication. During the setup, a user is asked to select items that they either like or dislike from several categories of items which are dynamically selected from a big candidate set and are presented to the user in a random order. During the authentication phase, users are asked to classify their preferences (like or dislike) for the selected items displayed to them in a random order. Jakobsson, Stolterman, Wetzel, and Yang evaluated the security of their approach by user experiments, user emulations, and attacker simulations.

Email or phone based resets

Many web based systems not using single sign on allow users to send a password reset link to their registered email address or phone number. However, many large social media platforms reveal a part of a user's email address and some of the phone number digits when using the 'forgotten password' function. Often the whole email address can be derived from this hint. [7]

Two-factor authentication

Two-factor authentication is a 'strong authentication' method, as it adds another layer of security to the password reset process. In most cases this consists of Preference Based Authentication plus a second form of physical authentication (using something the user possesses, i.e. Smartcards, USB tokens, etc.). One popular method is through SMS and email. Advanced SSPR software requires the user to provide a mobile phone number or personal e-mail address during setup. In the event of a password reset, a PIN code will be sent to the user's phone or email and they will need to enter this code during the password reset process. Modern technology also allows authentication via voice biometrics using voice recognition technology. [8]

Access to platform for reset

A major problem with self-service password reset inside corporations and similar organizations is enabling users to access the system if they forgot their primary password. Since SSPR systems are typically web-based, users need to launch a web browser to fix the problem, yet cannot log into the workstation until the problem is solved. There are various approaches to addressing this Catch-22, most of which are compromises (e.g., desktop software deployment, domain-wide password reset account, telephone access, visiting a neighbour, continuing to call the help desk, etc.). Some companies have created software which presents a restricted web browser at the login screen with the sole ability to access the password reset page without logging into the system; an example of this is Novell's Client Login Extension technology. Because these technologies effectively give the user access to computer resources, specifically a web browser, to reset passwords without authenticating to the computer, security is a high priority and capabilities are very limited so that the user cannot do more than is expected in this mode.

There are two additional problems related to the one of locked out users:

The vouching option

In conjunction with preference-based authentication, self-service password reset procedures could also rely on the network of existing human relations among users. In this scenario, the user who forgot the password asks a colleague for assistance. The "helper" colleague authenticates with the password reset application and vouches for user's identity. [9] [10]

In this scenario, the problem changes from one of authenticating the user who forgot the password to one of understanding which users should have the ability to vouch for which other users.

RBAC Authorization

Though it is important to provide multifactor authentication when SSPR software endpoint faces untrusted networks, there is another important aspect which modern SSPR needs to address. It is Role Base Access Control (RBAC) feature which is responsible for access level provisioning for the users. When doing critical self-service password resets for privileged accounts you may want to allow account unlocks and to restrict password change functionality. The support teams have a responsibility of changing passwords of these accounts. More information and videos on how such portals work in practice can be found under the external links section called SecureMFA SSPR Portal.

Related Research Articles

<span class="mw-page-title-main">Password</span> Text used for user authentication to prove identity

A password, sometimes called a passcode, is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of password-protected services that a typical individual accesses can make memorization of unique passwords for each service impractical. Using the terminology of the NIST Digital Identity Guidelines, the secret is held by a party called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates knowledge of the password to the verifier through an established authentication protocol, the verifier is able to infer the claimant's identity.

<span class="mw-page-title-main">Email client</span> Computer program used to access and manage a users email

An email client, email reader or, more formally, message user agent (MUA) or mail user agent is a computer program used to access and manage a user's email.

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored. Data can then be retrieved by the person operating the logging program. A keystroke recorder or keylogger can be either software or hardware.

<span class="mw-page-title-main">Phishing</span> Form of social engineering

Phishing is a form of social engineering and a scam where attackers deceive people into revealing sensitive information or installing malware such as viruses, worms, adware, or ransomware. Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim navigates the site, and transverses any additional security boundaries with the victim. As of 2020, it is the most common type of cybercrime, with the FBI's Internet Crime Complaint Center reporting more incidents of phishing than any other type of computer crime.

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.

<span class="mw-page-title-main">One-time password</span> Password that can only be used once

A one-time password (OTP), also known as a one-time PIN, one-time passcode, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid several shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has as well as something a person knows.

There are several forms of software used to help users or organizations better manage passwords:

Password fatigue is the feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine, such as to log in to a computer at work, undo a bicycle lock or conduct banking from an automated teller machine. The concept is also known as password chaos, or more broadly as identity chaos.

Call avoidance is a strategy businesses use to reduce inbound call volumes to contact centers in the customer service industry, particularly in the consumer market.

A security question is a form of shared secret used as an authenticator. It is commonly used by banks, cable companies and wireless providers as an extra security layer.

<span class="mw-page-title-main">Blacklist (computing)</span> Criteria to control computer access

In computing, a blacklist, disallowlist, blocklist, or denylist is a basic access control mechanism that allows through all elements, except those explicitly mentioned. Those items on the list are denied access. The opposite is a whitelist, allowlist, or passlist, in which only items on the list are let through whatever gate is being used. A greylist contains items that are temporarily blocked until an additional step is performed.

<span class="mw-page-title-main">Multi-factor authentication</span> Method of computer access control

Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA protects personal data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.

Apple Account, formerly known as Apple ID, is a user account by Apple for their devices and software. Apple Accounts contain the user's personal data and settings, and when an Apple Account is used to log in to an Apple device, the device will automatically use the data and settings associated with the Apple Account.

<span class="mw-page-title-main">Microsoft account</span> User account required for Microsoft-owned services

A Microsoft account or MSA is a single sign-on personal user account for Microsoft customers to log in to consumer Microsoft services, devices running on one of Microsoft's current operating systems, and Microsoft application software.

Identity-based security is a type of security that focuses on access to digital information or services based on the authenticated identity of an entity. It ensures that the users and services of these digital resources are entitled to what they receive. The most common form of identity-based security involves the login of an account with a username and password. However, recent technology has evolved into fingerprinting or facial recognition.

Intuitive Password is a proprietary freemium password manager and secure digital wallet that stores users' passwords and confidential data. It was launched in 2013 by the Australian company Intuitive Security Systems. Intuitive Password received mixed reviews. Neil J. Rubeking wrote in PC Magazine in 2013 that one significant downside of Intuitive Password's was their lack of automated password capture, like some of their competitors.

In cybersecurity, cyber self-defense refers to self-defense against cyberattack. While it generally emphasizes active cybersecurity measures by computer users themselves, cyber self-defense is sometimes used to refer to the self-defense of organizations as a whole, such as corporate entities or entire nations. Surveillance self-defense is a variant of cyber self-defense and largely overlaps with it. Active and passive cybersecurity measures provide defenders with higher levels of cybersecurity, intrusion detection, incident handling and remediation capabilities. Various sectors and organizations are legally obligated to adhere to cyber security standards.

Web Authentication (WebAuthn) is a web standard published by the World Wide Web Consortium (W3C). WebAuthn is a core component of the FIDO2 Project under the guidance of the FIDO Alliance. The goal of the project is to standardize an interface for authenticating users to web-based applications and services using public-key cryptography. WebAuthn credentials are sometimes referred to as passkeys.

<span class="mw-page-title-main">Bitwarden</span> Open-source password manager


Bitwarden is a freemium open-source password management service that is used to store sensitive information, such as website credentials, in an encrypted vault. The platform hosts multiple client applications, including a web interface, desktop applications, browser extensions, mobile apps, and a command-line interface. The platform offers a free US or European cloud-hosted service as well as the ability to self-host.

References

  1. Griffith, Virgil (2005). "Messin' with Texas Deriving Mother's Maiden Names Using Public Records". Applied Cryptography and Network Security (PDF). Lecture Notes in Computer Science. Vol. 3531. pp. 91–103. doi:10.1007/11496137_7. ISBN   978-3-540-26223-7.
  2. Rabkin, Ariel (2008). "Personal knowledge questions for fallback authentication: Security questions in the era of Facebook" (PDF). Proceedings of the 4th symposium on Usable privacy and security. pp. 13–23. doi:10.1145/1408664.1408667. ISBN   9781605582764. S2CID   6309745.
  3. "Hacker impersonated Palin, stole e-mail password". 18 September 2008. Archived from the original on 2 October 2008.
  4. Jakobsson, Markus; et al. (2008). "Love and Authentication" (PDF). Proceeding of the twenty-sixth annual CHI conference on Human factors in computing systems - CHI '08. pp. 197–200. CiteSeerX   10.1.1.145.6934 . doi:10.1145/1357054.1357087. ISBN   9781605580111. S2CID   2199454. Archived from the original (PDF) on 2017-04-25. Retrieved 2021-04-30.
  5. Jakobsson, Markus; et al. (2008). "Quantifying the Security of preference-based Authentication" (PDF). Proceedings of the 4th ACM workshop on Digital identity management - DIM '08. pp. 61–70. CiteSeerX   10.1.1.150.7577 . doi:10.1145/1456424.1456435. ISBN   9781605582948. S2CID   16199928.
  6. Crawford, Duane; et al. (1986). "The Stability of Leisure Preferences". Journal of Leisure Research. 18 (2): 96–115. doi:10.1080/00222216.1986.11969649.
  7. Cox, Joseph (15 April 2016). "Enable This Setting So People Can't Guess Your Email Address from Your Twitter" . Retrieved 17 January 2021.
  8. Inference Solutions (2015). "Self-service password reset: Pipe dream or reality? - Inference". Archived from the original on 2016-03-05. Retrieved 2015-05-20.
  9. Finetti, Mario (30 January 2022). "Self service password reset in large organisations".
  10. RSA Laboratories (2006). "Fourth-factor authentication: Somebody you know" (PDF). Proceedings of the 13th ACM conference on Computer and communications security. pp. 168–178. doi:10.1145/1180405.1180427. ISBN   978-1595935182. S2CID   1979527.