In most large companies the security policy requires users to change their passwords periodically. It is no secret that most users dislike doing so, and a significant number of them forget to change the password on time.
For companies that use Microsoft SharePoint as their main collaboration platform, our product, HarePoint Password Change, can solve most of these problems. It alerts users in several ways that their password is about to expire and lets them change it on a dedicated page of the corporate site. These features can be made available to both internal and external/remote users.
But what if a user, for whatever reason, fails to change the password in time? Most often the problem is handled by the internal help desk, which places a significant additional burden on it. Automating the process is the logical next step, but this is exactly where a security issue arises: any self-service reset mechanism introduces new weaknesses in establishing the user's identity.
Usually the user with an expired (or forgotten) password visits a dedicated, anonymously accessible website, enters their login name and answers a series of personal questions. They are then allowed to specify or generate a new password and unlock the account. The weaknesses of this scheme are clear: the answers to security questions can be obtained by malefactors through social engineering, phishing and even a simple Internet search.
A refinement of the security-question approach is so-called "preference-based authentication". Its basic idea is that personal preferences are stable over a long period and, at the same time, are not publicly recorded anywhere. During set-up, the user is asked to mark items from several categories, randomly selected from a large pool, as either liked or disliked. During identification, the user must indicate their preference (like/dislike) for the originally selected items, which are shown to them in random order. In a series of experiments, researchers found that this approach works: users remember their preferences, and it is much less vulnerable to attack than classic security questions. However, the approach remains vulnerable to both social engineering and phishing.
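To make the set-up and identification steps concrete, here is an added example (not HarePoint code and not from the cited experiments) of a minimal preference-based enrolment and check; the sample catalogue and the match threshold are assumptions, since the text gives neither.

```python
import random

# Constructed sample catalogue (category -> candidate items); a real deployment
# would use a much larger pool so that guessing has little chance of success.
CATALOGUE = {
    "food": ["sushi", "pizza", "oysters", "curry", "tacos", "haggis"],
    "music": ["jazz", "metal", "opera", "hip hop", "folk", "techno"],
    "pastimes": ["hiking", "chess", "karaoke", "gardening", "camping", "knitting"],
}


def select_items(catalogue, per_category, rng=None):
    """Set-up step: randomly draw `per_category` items from every category."""
    rng = rng or random.SystemRandom()  # CSPRNG in production; seedable for tests
    items = []
    for category in sorted(catalogue):
        items.extend(rng.sample(catalogue[category], per_category))
    return items


def enroll(items, answers):
    """Record the user's like (True) / dislike (False) verdict for each drawn item."""
    missing = [item for item in items if item not in answers]
    if missing:
        raise ValueError(f"no verdict for {missing}")
    # Only the drawn items are stored; the full catalogue is never shown again.
    return {item: bool(answers[item]) for item in items}


def challenge(enrollment, rng=None):
    """Identification step: present the enrolled items in a fresh random order."""
    rng = rng or random.SystemRandom()
    items = list(enrollment)
    rng.shuffle(items)
    return items


def verify(enrollment, responses, min_matches):
    """Accept only if every challenged item was answered and at least
    `min_matches` verdicts agree with enrolment. The threshold is an assumed
    policy choice; a strict deployment would require all of them to match."""
    if set(responses) != set(enrollment):
        return False
    matches = sum(1 for item, liked in enrollment.items() if responses[item] == liked)
    return matches >= min_matches
```

As with security questions, the check should sit behind the usual reset controls (rate limiting, lockout, audit logging) so that the like/dislike answers cannot simply be guessed at leisure.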
Confirming the user's identity via e-mail simply does not work here. First, when the corporate mailbox is used for confirmation, the user almost always cannot access it, precisely because the password has expired, and so cannot read the message. Second, using external mail for this purpose is almost always contrary to the company's internal security policy, and it adds new weaknesses that malefactors can exploit.
Currently the most appropriate approach to user authentication is two-factor authentication, which adds an extra layer of security to the password reset process: the user is first identified by classic security questions or preference-based authentication, and then by a second factor, for example a one-time password sent by SMS or a time-based token (e.g. RSA SecurID).
Our company is considering creating a password reset product that would use two-factor authentication. At the moment we are studying offerings on the global SMS gateway market. We welcome your suggestions and comments.
Learn more about HarePoint Password Change for SharePoint, which allows end users to change their own password in a SharePoint site and notifies them when their password is about to expire.