Self service password reset
Self-service password reset is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor, and repair their own problem, without calling the help desk. It is a common feature in identity management software and often bundled in the same software package as a password synchronization capability.

Typically users who have forgotten their password launch a self-service application from an extension to their workstation login prompt, using their own or another user's web browser, or through a telephone call. Users establish their identity, without using their forgotten or disabled password, by answering a series of personal questions, using a hardware authentication token, responding to a password notification e-mail or, less often, by providing a biometric sample. Users can then either specify a new, unlocked password, or ask that a randomly generated one be provided.

Self-service password reset expedites problem resolution for users "after the fact," and thus reduces help desk call volume. It can also be used to ensure that password problems are only resolved after adequate user authentication, eliminating an important weakness of many help desks: social engineering attacks, where an intruder calls the help desk, pretends to be the intended victim user, claims that he has forgotten his password, and asks for a new password.

There are many software products available to allow employees to self-reset passwords.

Vulnerability

Despite the benefits, a self-service password reset that relies solely on answers to personal questions can introduce new vulnerabilities, since the answers to such questions can often be obtained by social engineering, phishing techniques or simple research. While users are frequently reminded never to reveal their password, they are less likely to treat as sensitive the answers to many commonly used security questions, such as pet names, place of birth or favorite movie. Much of this information may be publicly available on some users' personal home pages. Other answers can be elicited by someone pretending to conduct an opinion survey or offering a free dating service. Since many organizations have standard ways of determining login names from real names, an attacker who knows the names of several employees at such an organization can choose one whose security answers are most readily obtained.

This vulnerability is not strictly due to self-service password reset—it often exists in the help desk prior to deployment of automation. Self-service password reset technology is often used to reduce this type of vulnerability, by introducing stronger caller authentication factors than the human-operated help desk had been using prior to deployment of automation.

In September 2008, the Yahoo e-mail account of Sarah Palin, Governor of Alaska and nominee for Vice President of the United States, was accessed without authorization by someone who was able to research answers to two of her security questions, her zip code and date of birth, and was able to guess the third, where she met her husband (http://news.yahoo.com/s/ap/20080918/ap_on_el_pr/palin_hacked). This incident clearly highlighted that the choice of security questions is very important to prevent social engineering attacks on password systems.

Preference-based Authentication

Jakobsson, Stolterman, Wetzel, and Yang proposed to use preferences to authenticate users for password reset. The underlying insights are that preferences are stable over a long period of time, and are not publicly recorded. Their approach includes two phases: setup and authentication. During the setup, a user is asked to select items that they either like or dislike from several categories of items which are dynamically selected from a big candidate set and are presented to the user in a random order. During the authentication phase, a user is asked to classify his preferences (like or dislike) for the selected items displayed to him in a random order. See http://www.blue-moon-authentication.com for a live system. They evaluated the security of their approach by user experiments, user emulations, and attacker simulations.

Two Factor Authentication

Two factor authentication is a 'strong authentication' method as it adds another layer of security to the password reset process. In most cases this consists of preference-based authentication plus a second form of physical authentication (using something the user possesses, i.e. smart cards, USB tokens, etc.). One popular method is through SMS and e-mail. Advanced SSPR software requires the user to provide a mobile phone number or personal e-mail address during set-up. In the event of a password reset a PIN code will be sent to the user's phone or e-mail and they will need to enter this code during the password reset process.
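The PIN step described above, as an added example that is not from the page or from any particular SSPR product: a Python class that mints a one-time PIN for a reset, keeps only a salted hash of it at rest, and at verification enforces a short lifetime, a single use and an attempt limit. The digit count, lifetime and attempt limit are assumptions chosen for the example; delivery over SMS or e-mail is represented by handing the PIN to the caller exactly once.

```python
import hashlib
import hmac
import secrets
import time

# Policy values are assumptions for the example, not figures from any product.
PIN_DIGITS = 6
PIN_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


class ResetChallenge:
    """One password-reset challenge: a random PIN sent to the phone number or
    e-mail address the user registered at set-up, verified once within a TTL."""

    def __init__(self, user_id, delivery_address, now=None):
        now = time.time() if now is None else now
        self.user_id = user_id
        self.delivery_address = delivery_address
        self.salt = secrets.token_bytes(16)
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        self.pin_hash = self._hash(pin)  # only the salted hash is kept at rest
        self.expires_at = now + PIN_TTL_SECONDS
        self.attempts = 0
        self.used = False
        self._pin_to_deliver = pin  # released exactly once to the SMS/e-mail sender

    def _hash(self, pin):
        # A 6-digit space is trivially brute-forced offline, so the hash only keeps
        # the plaintext out of the store; the TTL and attempt cap carry the security.
        return hashlib.sha256(self.salt + pin.encode()).digest()

    def take_pin_for_delivery(self):
        """Return the PIN for sending, then forget it; a second call gets None."""
        pin, self._pin_to_deliver = self._pin_to_deliver, None
        return pin

    def verify(self, submitted, now=None):
        """Check a PIN typed into the reset form. Refuses expired, exhausted or
        already-used challenges before hashing; compares in constant time."""
        now = time.time() if now is None else now
        if self.used or now > self.expires_at or self.attempts >= MAX_ATTEMPTS:
            return False
        self.attempts += 1
        ok = hmac.compare_digest(self._hash(str(submitted)), self.pin_hash)
        if ok:
            self.used = True  # one successful verification unlocks one reset
        return ok


if __name__ == "__main__":
    challenge = ResetChallenge("alice", "+1-555-0100 (constructed number)", now=1_000.0)
    pin = challenge.take_pin_for_delivery()
    print(f"would send {pin} to {challenge.delivery_address}")
    wrong = "000000" if pin != "000000" else "000001"
    print("wrong PIN accepted?", challenge.verify(wrong, now=1_001.0))
    print("correct PIN accepted?", challenge.verify(pin, now=1_002.0))
    print("replayed PIN accepted?", challenge.verify(pin, now=1_003.0))
```

The attempt cap is what makes a six-digit PIN acceptable online: five guesses against a million possibilities, with the challenge expiring in minutes, leaves an attacker who does not hold the phone or mailbox with negligible odds, while the single-use flag stops a PIN captured from a notification from being replayed after the legitimate reset.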

Accessibility

A major problem with self-service password reset inside corporations and similar organizations is enabling users to access the system if they forgot their primary password. Since SSPR systems are typically web-based, a user must launch a web browser to fix his problem—but the user cannot log into his workstation until the problem is solved. There are various approaches to addressing this Catch-22, all of which are compromises (e.g., desktop software deployment, domain-wide password reset account, telephone access, visiting a neighbour, continuing to call the help desk, etc.).

There are two additional problems related to the one of locked out users:
  • Mobile users, physically away from the corporate network, who forgot their PC's login password.
  • Passwords cached by the operating system or browser, which might continue to be offered to servers after a password change that was initiated on another computer (help desk, password management web server, etc.) and therefore trigger an intruder lockout.

The vouching option

In conjunction with preference-based authentication, self-service password reset procedures could also rely on the network of existing human relations among users. In this scenario, the user who forgot his password asks a colleague for assistance. The "helper" colleague authenticates with the password reset application and vouches for the user's identity.

In this scenario, the problem changes from one of authenticating the user who forgot his password to one of understanding which users should have the ability to vouch for which other users.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.