Self-service password reset (SSPR) is defined as any process or technology that allows users who have forgotten their password or triggered an intruder lockout to authenticate with alternate factors and repair their own problem, without calling the help desk. It is a common feature in identity management software and is often bundled in the same software package as password synchronization capability.
Typically, users who have forgotten their password launch a self-service application from an extension to their workstation login prompt, using their own or another user's web browser, or through a telephone call. Users establish their identity, without using their forgotten or disabled password, by answering a series of personal questions, using a hardware authentication token, responding to a notification e-mail or, less often, by providing a biometric sample such as voice recognition. Users can then either specify a new, unlocked password, or ask that a new password be randomly generated.
Self-service password reset speeds up problem resolution for users "after the fact", and thus reduces help desk call volume. It can also be used to ensure that password problems are only resolved after adequate user authentication, eliminating an important weakness of many help desks: social engineering attacks, where an intruder calls the help desk, pretends to be the intended victim user, claims to have forgotten the account's password, and asks for a new password.
Multi-factor authentication
Instead of merely asking users to answer security questions, modern password reset systems may also exploit a sequence of authentication steps:
- Ask users to complete a CAPTCHA, to demonstrate that they are human.
- Require users to enter a PIN that is sent to their personal e-mail address or mobile phone.
- Ask for the use of another technology, such as a one-time password token.
- Leverage biometrics, such as a voice print.
- Use an authenticator app, such as Google Authenticator, or an SMS code.
Security of authenticating users purely by asking security questions
Despite the benefits, a self-service password reset that relies solely on answers to personal questions can introduce new vulnerabilities, since the answers to such questions can often be obtained by social engineering, phishing techniques or simple research. While users are frequently advised never to reveal their password, they are less likely to treat as sensitive the answers to many commonly used security questions, such as pet names, birthplace or favorite movie. Much of this information may be publicly available on some users' personal home pages. Other answers can be elicited by someone pretending to conduct an opinion survey or offering a free dating service. Since many organizations have standard ways of determining login names from real names, an attacker who knows the names of several employees at such an organization can choose one whose security answers are most easily obtained.
This vulnerability is not strictly due to self-service password reset; it often exists in the help desk prior to deployment of automation. Self-service password reset technology is often used to reduce this type of vulnerability by introducing stronger caller authentication factors than the human-operated help desk had been using prior to deployment of the automation.
In September 2008, the Yahoo e-mail account of Alaska Governor and US Vice Presidential nominee Sarah Palin was accessed without authorization by someone who was able to research the answers to two of her security questions, her zip code and date of birth, and was able to guess the third, where she met her husband. This incident clearly highlights that the choice of security questions is essential to prevent social engineering attacks on password systems.
Preference-based authentication
Jakobsson, Stolterman, Wetzel, and Yang proposed using preferences to authenticate users for password reset. The underlying insight is that preferences are stable over a long period of time and are not publicly recorded. Their approach consists of two phases, setup and authentication. During setup, a user is asked to select items that they either like or dislike from several categories of items which are dynamically selected from a large candidate set and presented to the user in random order. During the authentication phase, the user is asked to classify their preference (like or dislike) for the selected items displayed to them in random order. Jakobsson, Stolterman, Wetzel, and Yang evaluated the security of their approach through user experiments, user emulation, and attacker simulation.
Two-factor authentication
Two-factor authentication is a 'strong authentication' method, as it adds another layer of security to the password reset process. In most cases it consists of preference-based authentication plus a second form of physical authentication (using something the user possesses, e.g. smartcards, USB tokens, etc.). One popular method is through SMS and e-mail. Advanced SSPR software requires the user to provide a mobile phone number or personal e-mail address during setup. In the event of a password reset, a PIN code is sent to the user's phone or e-mail and they must enter this code during the password reset process. Modern technology also allows authentication via voice biometrics using voice recognition technology.
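The PIN step used in the multi-factor list above and in this section, written out as an added example rather than any vendor's implementation: the PIN is generated from a CSPRNG, only its hash is stored, and it is accepted once, within a lifetime, and after a bounded number of guesses. The time-to-live, attempt limit, PIN length and the in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets
import string
import time

PIN_TTL_SECONDS = 600   # assumption: a PIN is valid for ten minutes
MAX_ATTEMPTS = 5        # assumption: abandon the reset after five wrong guesses
_pending = {}           # constructed in-memory store: username -> pending reset

def _hash_pin(username, pin):
    # Keep only a hash bound to the user, so a leaked pending-reset table is not usable.
    return hashlib.sha256(f"{username}:{pin}".encode()).digest()

def issue_pin(username, now=None):
    """Create a single-use numeric PIN for delivery to the registered phone or e-mail.
    The PIN is returned to the caller for out-of-band delivery; only its hash is kept."""
    now = time.time() if now is None else now
    pin = "".join(secrets.choice(string.digits) for _ in range(8))
    _pending[username] = {"hash": _hash_pin(username, pin),
                          "expires": now + PIN_TTL_SECONDS, "attempts": 0}
    return pin

def verify_pin(username, candidate, now=None):
    """Accept the PIN once, before it expires, and within MAX_ATTEMPTS guesses."""
    now = time.time() if now is None else now
    entry = _pending.get(username)
    if entry is None or now > entry["expires"]:
        _pending.pop(username, None)        # unknown or expired: nothing to verify
        return False
    entry["attempts"] += 1
    ok = hmac.compare_digest(entry["hash"], _hash_pin(username, candidate))
    if ok or entry["attempts"] >= MAX_ATTEMPTS:
        del _pending[username]              # single use, or guess budget exhausted
    return ok

def random_password(length=16):
    """Replacement password for users who ask for a randomly generated one."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))
```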
Accessibility
The main problem with self-service password reset inside corporations and similar organizations is enabling users to access the system when they have forgotten their primary password. Since SSPR systems are typically web-based, users need to launch a web browser to fix the problem, yet cannot log into the workstation until the problem is solved. There are various approaches to addressing this Catch-22, most of which are compromises (e.g. desktop software deployment, a domain-wide password reset account, telephone access, visiting a neighbour, calling the help desk anyway, etc.). Some companies have created software that presents a restricted web browser at the login screen, with the sole ability to access the password reset page without logging into the system; an example of this is Novell's Client Login Extension technology. Because this technology effectively gives users access to a computer resource, specifically a web browser, to reset passwords without authenticating to the computer, security is a high priority and capabilities are very limited so that users cannot do more than is expected in this mode.
There are two additional problems related to the case of locked-out users:
- Mobile users, physically away from the corporate network, who have forgotten their PC's login password.
- Passwords cached by the operating system or browser, which may continue to be offered to servers after a password change that was initiated on another computer (help desk, password management web server, etc.) and thus trigger an intruder lockout.
Vouching options
In conjunction with preference-based authentication, self-service password reset procedures may also rely on the network of human relationships that exists between users. In this scenario, the user who has forgotten the password asks a colleague for help. The "helper" colleague authenticates to the password reset application and vouches for the user's identity.
In this scenario, the problem changes from one of authenticating the user who forgot the password to one of understanding which users should have the ability to vouch for other users.
External links
- Evidian Self-Service Password Reset (SSPR) from web portals, workstations and even phones with QR Code
- Reset the self-service password in large organizations on password reset procedures based on vouching
- Reset self service password in Healthcare Health Management Technology 2012
- Forgot Password Cheat Sheet, Open Web Application Security Project
- Self-service, Anywhere - Hitachi ID Systems technology to offer self service password resets for mobile users while away from the site, and for users faced with pre-boot password requests (e.g. full disk encryption ).
- Self-service passwords from any device, anywhere and anytime: the next-generation ESB-based password management technology from ILANTUS Technologies.
- Self Service Password Reset Active Directory Self Service Tool Reset Password for Microsoft Windows user credentials from RjR Innovations
Source of the article: Wikipedia