Passwords play a central role in securing identities in the commercial world and in the enterprise. However, with so many passwords out there – the average person has about 100 – it's not an uncommon experience to forget a password here or there. This can lead to a password reset. While password resets can be a lifesaver when you've forgotten your login credentials, they introduce their own set of security problems. In this blog post, we'll explore the security dilemmas associated with password resets and suggest a way to mitigate these vulnerabilities.
Email-based Resets
Email is the most common method used for password resets. When a request for a password reset is received, a link is sent to the user's registered email address, allowing them to create a new password.
However, if the email account has been compromised, it is relatively easy for attackers to initiate password resets for every other account set up with that email address, essentially gaining complete control of the user's digital life. Malicious actors can also impersonate legitimate services by sending convincing password reset emails that ask the user to reset their password on a fraudulent site. Users might unwittingly reveal their new passwords to these fraudsters.
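As an added illustration, not code from the original post or from Asignio, here is a hardened email-reset token flow in Python: the token is unguessable, stored only as a hash, expires quickly, works once, is revoked when a newer one is issued, and a successful reset logs out every existing session. It cannot help when the mailbox itself is compromised, but it limits what a leaked, logged or intercepted link is worth. The in-memory stores, the TTL and the user record layout are assumptions made for the example.

```python
import hashlib
import secrets
import time
from typing import Optional

# Hypothetical settings and in-memory stores standing in for the application's
# database; constructed for this example only.
TOKEN_TTL_SECONDS = 15 * 60        # short window limits the value of a leaked or intercepted link
PBKDF2_ROUNDS = 100_000
_tokens: dict = {}                 # sha256(token) -> {"user": ..., "expires": ...}
_users: dict = {"alice": {"password": None, "sessions": {"sess-1", "sess-2"}}}


def issue_reset_token(user: str, now: Optional[float] = None) -> str:
    """Mint a single-use reset token for `user`; only its SHA-256 digest is stored."""
    now = time.time() if now is None else now
    # Revoke any earlier outstanding token so that only the newest link works.
    for digest in [d for d, rec in _tokens.items() if rec["user"] == user]:
        del _tokens[digest]
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: unguessable
    _tokens[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": user, "expires": now + TOKEN_TTL_SECONDS}
    return token   # embedded in the emailed link; never logged, never stored in the clear


def redeem_reset_token(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token and set a new password.

    Returns False for unknown, expired, superseded or already-used tokens.
    Hashing before lookup means a database leak exposes no usable links.
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    rec = _tokens.pop(digest, None)     # pop = single use, even when the check below fails
    if rec is None or rec["expires"] < now:
        return False
    user = _users[rec["user"]]
    salt = secrets.token_bytes(16)
    user["password"] = (salt, hashlib.pbkdf2_hmac(
        "sha256", new_password.encode(), salt, PBKDF2_ROUNDS))
    # Kill every existing session: an intruder already logged in via the
    # compromised mailbox must not survive the reset.
    user["sessions"].clear()
    return True
```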
Knowledge-based Resets
Many password reset processes rely on security questions, also called knowledge-based authentication (KBA), for identity verification. The problem with this approach is that many answers can be easily guessed or researched, especially in the age of social media. Consider questions like "What's your mother's maiden name?" or "What's your first pet's name?" These answers are often public knowledge, making this method far from secure. Where the answers are not common knowledge, they can be stolen in a breach or even bought on the dark web.
Customer Support-based Resets
Sometimes, attackers employ social engineering techniques to trick customer support representatives into initiating password resets. This is what happened in the recent MGM ransomware attack: the fraudsters originally planned to break into the slots, but when that proved too difficult, they fell back to tricking customer service. In these situations, the fraudsters pretend to be the account holder and use personal information gathered from various sources to trick the customer support representative into changing the primary email address and resetting the password.
One-Time Passcode-based Resets
Some services use one-time passcodes (OTPs) sent over SMS to reset passwords. However, this method is not foolproof. Attackers can engage in SIM swapping, in which they convince the mobile carrier to transfer a target's phone number to a new SIM card under their control. This allows them to intercept the OTP and gain access to the account.
Password resets underscore the problems of passwords, and why we need to move beyond them.
Asignio provides a passwordless solution that uses dual biometrics for a unique combination of high security and ease of use that can virtually eliminate password reset risk.
Using handwriting and facial biometrics, Asignio registers users with a unique Sign (think of it as a mini signature) that is validated through speed, timing, position, and a variety of other attributes that allow for the variation that occurs as users present their credential on their touch-sensitive device. The selfie helps ensure that the right person is signing. Finally, additional analysis of both biometrics helps detect liveness and ensure that the user is entering the information live, rather than it being a replay attack. As a result, Asignio is uniquely phishing and hacking resistant: there is no static username or password-equivalent to steal. Because resets do not involve a password and take place via self service, there is no person to trick into changing an email address or any other information prior to a reset.
The result is a highly secure authentication method that is as simple to use as a password, without all the password failings.