Self-service password reset

Self-service password reset (SSPR) is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor, and repair their own problem, without calling the help desk. It is a common feature in identity management software and often bundled in the same software package as a password synchronization capability.

Typically users who have forgotten their password launch a self-service application from an extension to their workstation login prompt, using their own or another user's web browser, or through a telephone call. Users establish their identity, without using their forgotten or disabled password, by answering a series of personal questions, using a hardware authentication token, responding to a notification e-mail or, less often, by providing a biometric sample such as voice recognition. Users can then either specify a new, unlocked password, or ask that a randomly generated one be provided.

Self-service password reset expedites problem resolution for users "after the fact", and thus reduces help desk call volume. It can also be used to ensure that password problems are only resolved after adequate user authentication, eliminating an important weakness of many help desks: social engineering attacks, where an intruder calls the help desk, pretends to be the intended victim user, claims to have forgotten the account password, and asks for a new password.

Multi-factor authentication
Rather than merely asking users to answer security questions, modern password reset systems may also leverage a sequence of authentication steps:
 * Ask users to complete a CAPTCHA, to demonstrate that they are human.
 * Ask users to enter a PIN which is sent to their personal e-mail address or mobile phone.
 * Require use of another technology, such as a one-time-password token.
 * Leverage biometrics, such as a voice print.
 * An authenticator, such as Google Authenticator or an SMS code.

Security of authenticating users purely by asking security questions
Despite the benefits, a self-service password reset that relies solely on answers to personal questions can introduce new vulnerabilities, since the answers to such questions can often be obtained by social engineering, phishing techniques or simple research. While users are frequently reminded never to reveal their password, they are less likely to treat as sensitive the answers to many commonly used security questions, such as pet names, place of birth or favorite movie. Much of this information may be publicly available on some users' personal home pages. Other answers can be elicited by someone pretending to conduct an opinion survey or offering a free dating service. Since many organizations have standard ways of determining login names from real names, an attacker who knows the names of several employees at such an organization can choose one whose security answers are most readily obtained.

This vulnerability is not strictly due to self-service password reset—it often exists in the help desk prior to deployment of automation. Self-service password reset technology is often used to reduce this type of vulnerability, by introducing stronger caller authentication factors than the human-operated help desk had been using prior to deployment of automation.

In September 2008, the Yahoo e-mail account of Governor of Alaska and Vice President of the United States nominee Sarah Palin was accessed without authorization by someone who was able to research answers to two of her security questions, her zip code and date of birth and was able to guess the third, where she met her husband. This incident clearly highlighted that the choice of security questions is very important to prevent social engineering attacks on password systems.

Preference-based authentication
Jakobsson, Stolterman, Wetzel, and Yang proposed to use preferences to authenticate users for password reset. The underlying insights are that preferences are stable over a long period of time, and are not publicly recorded. Their approach includes two phases---setup and authentication. During the setup, a user is asked to select items that they either like or dislike from several categories of items which are dynamically selected from a big candidate set and are presented to the user in a random order. During the authentication phase, users are asked to classify their preferences (like or dislike) for the selected items displayed to them in a random order. Jakobsson, Stolterman, Wetzel, and Yang evaluated the security of their approach by user experiments, user emulations, and attacker simulations.

Email or phone based resets
Many web based systems not using single sign on allow users to send a password reset link to their registered email address or phone number. However, many large social media platforms reveal a part of a user's email address and some of the phone number digits when using the 'forgotten password' function. Often the whole email address can be derived from this hint.

Two-factor authentication
Two-factor authentication is a 'strong authentication' method, as it adds another layer of security to the password reset process. In most cases this consists of Preference Based Authentication plus a second form of physical authentication (using something the user possesses, i.e. Smartcards, USB tokens, etc.). One popular method is through SMS and email. Advanced SSPR software requires the user to provide a mobile phone number or personal e-mail address during setup. In the event of a password reset, a PIN code will be sent to the user's phone or email and they will need to enter this code during the password reset process. Modern technology also allows authentication via voice biometrics using voice recognition technology.

Access to platform for reset
A major problem with self-service password reset inside corporations and similar organizations is enabling users to access the system if they forgot their primary password. Since SSPR systems are typically web-based, users need to launch a web browser to fix the problem, yet cannot log into the workstation until the problem is solved. There are various approaches to addressing this Catch-22, most of which are compromises (e.g., desktop software deployment, domain-wide password reset account, telephone access, visiting a neighbour, continuing to call the help desk, etc.). Some companies have created software which presents a restricted web browser at the login screen with the sole ability to access the password reset page without logging into the system; an example of this is Novell's Client Login Extension technology. Because these technologies effectively give the user access to computer resources, specifically a web browser, to reset passwords without authenticating to the computer, security is a high priority and capabilities are very limited so that the user cannot do more than is expected in this mode.

There are two additional problems related to the one of locked out users:
 * Mobile users, physically away from the corporate network, who forgot their PC's login password.
 * Passwords cached by the operating system or browser, which might continue to be offered to servers after a password change that was initiated on another computer (help desk, password management web server, etc.) and therefore trigger an intruder lockout.

The vouching option
In conjunction with preference-based authentication, self-service password reset procedures could also rely on the network of existing human relations among users. In this scenario, the user who forgot the password asks a colleague for assistance. The "helper" colleague authenticates with the password reset application and vouches for user's identity.

In this scenario, the problem changes from one of authenticating the user who forgot the password to one of understanding which users should have the ability to vouch for which other users.

RBAC Authorization
Though it is important to provide multifactor authentication when SSPR software endpoint faces untrusted networks, there is another important aspect which modern SSPR needs to address. It is Role Base Access Control (RBAC) feature which is responsible for access level provisioning for the users. When doing critical self-service password resets for privileged accounts you may want to allow account unlocks and to restrict password change functionality. The support teams have a responsibility of changing passwords of these accounts. More information and videos on how such portals work in practice can be found under the external links section called SecureMFA SSPR Portal.