Mitigate Risks with Modern Password Recovery Systems

The ability to reset your password is an essential system requirement.

With so many online services available, it’s common to have multiple user accounts for the various apps and services you interact with every day. Security doctrine dictates that you need a different password for each account, and that you update each one regularly. With so many accounts and passwords to remember, it’s inevitable that (at some point) you will fail to recall a certain password and be forced to reset it.

Users who have forgotten or lost their password face a frustrating experience if there is no automated password reset system in place. Help desk calls, which are an IT cost, need to be logged to have accounts unlocked—leading to inefficiency and irritation. To provide users, partners, and the extended organisation with an enhanced user password reset experience and to alleviate the burden on support teams, organizations often implement web-based self-service password reset functionality into their systems. Not only do these solutions save costs and increase efficiencies, implementing them correctly is essential for the security of a modern enterprise. Both manual and automated self-service password resets can put systems at risk, since they are highly vulnerable to social engineering attacks.

Are Password Recovery Systems Secure?

Password reset functionality usually involves the user clicking on a link, which takes them to a password reset page. Password recovery flows are frequently triggered by knowledge-based checks, such as "What is your primary email address?". The problem with this approach is that this information is in the public domain. Email addresses, mother’s maiden names, and similar personal information is often available on third-party data aggregation services or social media platforms, meaning hackers can easily break through if that’s their intent. And, if this information is not readily available, the attacker could always socially engineer the information out of a victim.

One could argue that email addresses are secure, as an attacker would need to compromise the email service to gain access to the password reset notice. However, email accounts can be compromised by standard password attacks such as phishing, password spraying, credential stuffing, and other automated brute-force assaults. In fact, as email accounts are the primary password reset solution for most self-service systems, compromising this service is a prime objective for any attacker seeking to gain unauthorized access to any system.

Password recovery solutions are generally web pages, which means they can be spoofed. Using this vulnerability, an attacker could force a password reset by locking a victim’s account through a brute force login attack on the legitimate service. The victim can then be lured to the fake password reset site, and if the user falls for the ruse, their account could be compromised.

Password Recovery, Like All Security, Needs Defense-In-Depth

A good password recovery flow needs a defense-in-depth approach. Before triggering a password recovery change, the user should authenticate themselves with a second possession factor like Okta Verify. This way, an attacker would need access to something the victim has, as well as something the victim knows, before they can compromise the victim's account.

Constraining password reset functionality to users logged onto the corporate network is another measure that can further strengthen the security of a password recovery flow. Ensuring that the device requesting the password reset has a valid internal corporate IP address introduces an additional security measure over and above the required knowledge-based password reset information.

Since users forgetting their passwords is a primary cause for password resets, one solution is to create an environment to help users remember their passwords—an environment where they only need to remember a single password to access multiple services and applications.

Single Sign-On (SSO) = One Password to Rule Them All

Okta’s Single Sign-On (SSO) solution provides a single, user-friendly way for end users to access all their applications. This service mitigates the risk created by password reset systems, as users only need to remember a single password to log in to multiple services and applications. Okta SSO also enhances operational efficiency by helping organizations reduce login-related helpdesk calls by 50%, while providing an improved login experience for their users.

Okta SSO’s true power, however, lies in the integrations it has built into its platform, which currently supports over 5,000 pre-integrated apps. This makes deploying an Okta SSO solution into any organization simple and straightforward, as the integration has already been taken care of. In addition, this service provides a flexible and secure user store, integration to AD/LDAP across multiple domains and self-service AD/LDAP password reset.

SSO + AMFA = Complete Security

To strengthen the solution and mitigate the risk of a compromised password, Okta SSO provides secure access for all users via a variety of two-factor authentication options ranging from text-based One Time Pins (OTP) to the Okta Verify app, which is included for all customers.

This layered authentication approach can be strengthened even further by adding Okta’s Adaptive Multi-Factor Authentication (Adaptive MFA) solution to the Okta SSO service. AMFA dynamically adapts security and authentication policies based on user and device context by taking factors such as location, device, and client into account when an access request is made. Okta AMFA manages the authentication process by rating the contextual risk of the request and then reacting accordingly by either granting access, denying access, or prompting the user to submit an additional authentication factor.

Okta SSO also provides real-time security reporting, which provides sophisticated search functionality interrogating real-time system log data. In addition, geolocation tracking, pre-built application access reports, and integration with SIEMs create a holistic solution which provides deep visibility on every authentication event.

Should a user ever forget and need to reset their password on Okta’s SSO service, Okta resets this via an email workflow. However, unlike other password reset systems, the flow is fully managed and scrutinized with additional security checks and balances, including strong possession factor checks before starting the recovery flow. In addition, the fact that access is controlled by a multi-factor authentication service ensures that even if the password is compromised in some way, system access is still protected by the implementation of this defense-in-depth approach.

Passwords are inherently flawed—and asking users to remember too many of them is a losing game. Mitigating risks with modern password recovery systems can help reduce the likelihood of a breach, and create a customer environment that is seamless and secure for all.

For a free obligation demo contact discover@everycloud.co.uk

source: https://www.okta.com/security-blog/2018/07/mitigate-risks-with-modern-password-recovery-systems/

Swaroop Sham
Senior Product Marketing Manager, Security