
Self-service password reset

Self-service password reset (SSPR) is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor and repair their own problem, without calling the help desk. It is a common feature in identity management software and is often bundled in the same software package as a password synchronization capability.

Typically, users who have forgotten their password launch a self-service application from an extension to their workstation login prompt, using their own or another user's web browser, or through a telephone call. Users establish their identity, without using their forgotten or disabled password, by answering a series of personal questions, using a hardware authentication token, responding to a notification e-mail or, less often, by providing a biometric sample such as voice recognition. Users can then either specify a new, unlocked password, or ask that a randomly generated one be provided.

Self-service password reset expedites problem resolution for users "after the fact", and thus reduces help desk call volume. It can also be used to ensure that password problems are only resolved after adequate user authentication, eliminating an important weakness of many help desks: social engineering attacks, where an intruder calls the help desk, pretends to be the intended victim user, claims to have forgotten the account password, and asks for a new password.

Multi-factor authentication

Rather than merely asking users to answer security questions, modern password reset systems may also leverage a sequence of authentication steps:

Ask users to complete a CAPTCHA, to demonstrate that they are human.
Ask users to enter a PIN which is sent to their personal e-mail address or mobile phone.
Require use of another technology, such as a one-time-password token.
Leverage biometrics, such as a voice print.
Use an authenticator, such as Google Authenticator, or an SMS code.

Security of authenticating users purely by asking security questions

Despite the benefits, a self-service password reset that relies solely on answers to personal questions can introduce new vulnerabilities, since the answers to such questions can often be obtained by social engineering, phishing techniques or simple research. While users are frequently reminded never to reveal their password, they are less likely to treat as sensitive the answers to many commonly used security questions, such as pet names, place of birth or favorite movie. Much of this information may be publicly available on some users' personal home pages. Other answers can be elicited by someone pretending to conduct an opinion survey or offering a free dating service. Since many organizations have standard ways of deriving login names from real names, an attacker who knows the names of several employees at such an organization can choose the one whose security answers are most readily obtained.

This vulnerability is not strictly due to self-service password reset; it often exists in the help desk prior to deployment of automation. Self-service password reset technology is often used to reduce this type of vulnerability, by introducing stronger caller authentication factors than the human-operated help desk had been using prior to deployment of automation.

In September 2008, the Yahoo e-mail account of Governor of Alaska and Vice President of the United States nominee Sarah Palin was accessed without authorization by someone who was able to research the answers to two of her security questions, her zip code and date of birth, and was able to guess the third, where she met her husband. This incident clearly highlighted that the choice of security questions is very important to prevent social engineering attacks on password systems.

Preference-based authentication

Jakobsson, Stolterman, Wetzel, and Yang proposed to use preferences to authenticate users for password reset. The underlying insights are that preferences are stable over a long period of time, and are not publicly recorded. Their approach includes two phases, setup and authentication. During the setup, a user is asked to select items that they either like or dislike from several categories of items which are dynamically selected from a big candidate set and are presented to the user in a random order. During the authentication phase, users are asked to classify their preferences (like or dislike) for the selected items displayed to them in a random order. Jakobsson, Stolterman, Wetzel, and Yang evaluated the security of their approach by user experiments, user emulations, and attacker simulations.

Email or phone based resets

Many web-based systems not using single sign-on allow users to send a password reset link to their registered email address or phone number. However, many large social media platforms reveal a part of a user's email address and some of the phone number digits when using the 'forgotten password' function. Often the whole email address can be derived from this hint.

Two-factor authentication

Two-factor authentication is a 'strong authentication' method, as it adds another layer of security to the password reset process. In most cases this consists of preference-based authentication plus a second form of physical authentication (using something the user possesses, e.g. smartcards, USB tokens, etc.). One popular method is through SMS and email. Advanced SSPR software requires the user to provide a mobile phone number or personal e-mail address during setup. In the event of a password reset, a PIN code will be sent to the user's phone or email and they will need to enter this code during the password reset process. Modern technology also allows authentication via voice biometrics using voice recognition technology.

Access to platform for reset

A major problem with self-service password reset inside corporations and similar organizations is enabling users to access the system if they forgot their primary password. Since SSPR systems are typically web-based, users need to launch a web browser to fix the problem, yet cannot log into the workstation until the problem is solved. There are various approaches to addressing this Catch-22, most of which are compromises (e.g., desktop software deployment, domain-wide password reset account, telephone access, visiting a neighbour, continuing to call the help desk, etc.). Some companies have created software which presents a restricted web browser at the login screen with the sole ability to access the password reset page without logging into the system; an example of this is Novell's Client Login Extension technology. Because these technologies effectively give the user access to computer resources, specifically a web browser, to reset passwords without authenticating to the computer, security is a high priority and capabilities are very limited so that the user cannot do more than is expected in this mode.

There are two additional problems related to the one of locked-out users:

Mobile users, physically away from the corporate network, who forgot their PC's login password.
Passwords cached by the operating system or browser, which might continue to be offered to servers after a password change that was initiated on another computer (help desk, password management web server, etc.) and therefore trigger an intruder lockout.

The vouching option

In conjunction with preference-based authentication, self-service password reset procedures could also rely on the network of existing human relations among users. In this scenario, the user who forgot the password asks a colleague for assistance. The "helper" colleague authenticates with the password reset application and vouches for the user's identity.

In this scenario, the problem changes from one of authenticating the user who forgot the password to one of understanding which users should have the ability to vouch for which other users.

RBAC Authorization

Although multifactor authentication is important when an SSPR endpoint faces untrusted networks, there is another aspect which a modern SSPR needs to address: a Role-Based Access Control (RBAC) feature, which is responsible for provisioning access levels for users.

For self-service operations on privileged accounts, you may want to allow account unlocks but restrict the password change functionality, leaving the support teams responsible for changing the passwords of these accounts. More information and videos on how such portals work in practice can be found under the external links section entry called SecureMFA SSPR Portal.

References

Griffith, Virgil (2005). "Messin' with Texas Deriving Mother's Maiden Names Using Public Records". Applied Cryptography and Network Security (PDF). Lecture Notes in Computer Science. Vol. 3531. pp. 91–103. doi:10.1007/11496137_7. ISBN 978-3-540-26223-7.
Rabkin, Ariel (2008). "Personal knowledge questions for fallback authentication: Security questions in the era of Facebook" (PDF). Proceedings of the 4th symposium on Usable privacy and security. pp. 13–23. doi:10.1145/1408664.1408667. ISBN 9781605582764. S2CID 6309745.
"Hacker impersonated Palin, stole e-mail password". 18 September 2008. Archived from the original on 2 October 2008.
Jakobsson, Markus; et al. (2008). "Love and Authentication" (PDF). Proceeding of the twenty-sixth annual CHI conference on Human factors in computing systems - CHI '08. pp. 197–200. CiteSeerX 10.1.1.145.6934. doi:10.1145/1357054.1357087. ISBN 9781605580111. S2CID 2199454. Archived from the original (PDF) on 2017-04-25. Retrieved 2021-04-30.
Jakobsson, Markus; et al. (2008). "Quantifying the Security of preference-based Authentication" (PDF). Proceedings of the 4th ACM workshop on Digital identity management - DIM '08. pp. 61–70. CiteSeerX 10.1.1.150.7577. doi:10.1145/1456424.1456435. ISBN 9781605582948. S2CID 16199928.
Crawford, Duane; et al. (1986). "The Stability of Leisure Preferences". Journal of Leisure Research. 18 (2): 96–115. doi:10.1080/00222216.1986.11969649.
Cox, Joseph (15 April 2016). "Enable This Setting So People Can't Guess Your Email Address from Your Twitter". Retrieved 17 January 2021.
Inference Solutions (2015). "Self-service password reset: Pipe dream or reality? - Inference". Archived from the original on 2016-03-05. Retrieved 2015-05-20.
Finetti, Mario (30 January 2022). "Self service password reset in large organisations".
RSA Laboratories (2006). "Fourth-factor authentication: Somebody you know" (PDF). Proceedings of the 13th ACM conference on Computer and communications security. pp. 168–178. doi:10.1145/1180405.1180427. ISBN 978-1595935182. S2CID 1979527.

External links

Self service password reset in Healthcare, Health Management Technology 2012 (retrieved on 2019-06-19)
Forgot Password Cheat Sheet, Open Web Application Security Project (retrieved on 2019-06-19)
Password self-service from any device, anywhere and anytime, Next generation ESB-based password management technology from ILANTUS Technologies (retrieved on 2019-06-19)
SecureMFA SSPR Portal, Self-service password reset portal with RBAC functionality explained using video content (retrieved on 2021-01-17)


Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.
