Self-service password reset

Self-service password reset is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor, and repair their own problem, without calling the help desk. It is a common feature in identity management software and often bundled in the same software package as a password synchronization capability.

Typically users who have forgotten their password launch a self-service application from an extension to their workstation login prompt, using their own or another user's web browser, or through a telephone call. Users establish their identity, without using their forgotten or disabled password, by answering a series of personal questions, using a hardware authentication token, responding to a password notification e-mail or, less often, by providing a biometric sample. Users can then either specify a new, unlocked password, or ask that a randomly generated one be provided.

Self-service password reset expedites problem resolution for users "after the fact," and thus reduces help desk call volume. It can also be used to ensure that password problems are only resolved after adequate user authentication, eliminating an important weakness of many help desks: social engineering attacks, where an intruder calls the help desk, pretends to be the intended victim user, claims that he has forgotten his password, and asks for a new password.

There are many software products available to allow employees to self-reset passwords.

Vulnerability

On the other hand, self-service password reset that relies solely on answers to personal questions can introduce new vulnerabilities (Virgil Griffith, "Messin' with Texas, Deriving Mother's Maiden Names Using Public Records", http://www.rsa.com/rsalabs/cryptobytes/CryptoBytes-Winter07.pdf; Ariel Rabkin, "Personal Knowledge Questions for Fallback Authentication: Security Questions in the Era of Facebook", http://cups.cs.cmu.edu/soups/2008/proceedings/p13Rabkin.pdf), since the answers to such questions can often be obtained by social engineering, phishing techniques or simple research. While users are frequently reminded never to reveal their password, they are less likely to treat as sensitive the answers to many commonly used security questions, such as pet names, place of birth or favorite movie. Much of this information may be publicly available on some users' personal home pages. Other answers can be elicited by someone pretending to conduct an opinion survey or offering a free dating service. Since many organizations have standard ways of deriving login names from real names, an attacker who knows the names of several employees at such an organization can choose the one whose security answers are most readily obtained.

This vulnerability is not strictly due to self-service password reset -- it often exists in the help desk prior to deployment of automation. Self-service password reset technology is often used to reduce this type of vulnerability, by introducing stronger caller authentication factors than the human-operated help desk had been using prior to deployment of automation.

In September 2008, the Yahoo e-mail account of Sarah Palin, Governor of Alaska and nominee for Vice President of the United States, was accessed without authorization by someone who was able to research the answers to two of her security questions (her zip code and date of birth) and to guess the third (where she met her husband). [http://news.yahoo.com/s/ap/20080918/ap_on_el_pr/palin_hacked]

Preference-based Authentication

Jakobsson, Stolterman, Wetzel, and Yang proposed using preferences to authenticate users for password reset (Markus Jakobsson et al., "Love and Authentication", http://www.ravenwhite.com/files/chi08JSWY.pdf; Markus Jakobsson et al., "Quantifying the Security of preference-based Authentication", http://www.cs.stevens.edu/~lyang/lyangpage/dim20-yang.pdf). The underlying insights are that preferences are stable over a long period of time (Duane Crawford et al., "The Stability of Leisure Preferences", Journal of Leisure Research, vol. 18, 1986) and are not publicly recorded. Their approach has two phases, "setup" and "authentication". During setup, a user is asked to select items that they either like or dislike from several categories of items, which are dynamically selected from a large candidate set and presented to the user in a random order. During the authentication phase, the user is asked to classify his preferences (like or dislike) for the selected items, again displayed in a random order. See [http://www.blue-moon-authentication.com] for a live system. They evaluated the security of their approach by user experiments, user emulations, and attacker simulations.

Accessibility

A major problem with self-service password reset inside corporations and similar organizations is enabling users to access the system if they have forgotten their primary password. Since SSPR systems are typically web-based, a user must launch a web browser to fix his problem -- but the user cannot log into his workstation until the problem is solved. There are various approaches to addressing this Catch-22, all of which are compromises (e.g., desktop software deployment, a domain-wide password reset account, telephone access, visiting a neighbour, continuing to call the help desk, etc.).

External links

* [http://www.goodsecurityquestions.com Good Security Questions: Developer do's, don'ts, & examples]
* Ariel Rabkin. "[http://cups.cs.cmu.edu/soups/2008/proceedings/p13Rabkin.pdf Personal knowledge questions for fallback authentication: Security questions in the era of Facebook.]" SOUPS 2008.
* [http://p-synch.com/docs/password-management-project-roadmap.html Password Management Project Roadmap], a vendor-neutral white paper describing a project where a self-service password reset system was successfully deployed

Wikimedia Foundation. 2010.
