Tuesday, September 15, 2009

Reclaiming your account: Password Reset/Forgot Password

This is probably one of the oldest pieces of functionality in any password-based system, and by now I was hoping that people would have figured out most of the ways of doing it. But while reading answers on Stack Overflow on this topic, I was impressed by the new ways being developed and implemented by developers in the wild. While reading the discussion I felt that there is a lack of structure for looking at and studying this functionality, and this post is an attempt to define one.
Before I go there, I wanted to capture my understanding of the password reset functionality.
  • Why - If we are not noting down all the accounts we have created in life (either electronically or manually), we are likely to forget the passwords for some accounts as we age. Even if you follow techniques like using standard passwords across all your accounts, site limitations, changes in word preferences, etc. mean you may not remember the applicable password for a site, hence the lifesaver.
  • Why not create a new account -
    • a lot may be associated with that account in terms of your reputation, information, etc.
    • site limitations that allow a personal identifier (maybe an email address or bank account number) to be associated with only one account
    • the account ID may be generated and cannot be changed during your association with the site (SSN, biometric?).
  • What - Password reset/forgot password is a functionality (a bit different from change password, where you remember/know your password) by which the user, or someone else on behalf of the user, is able to change the password without presenting the existing password. Even though the discussion focuses on passwords, it would probably apply to any shared secret between a user and an identity provider.
  • How - As discussed earlier, the password reset can be done by the user or by somebody on their behalf. This process typically involves
    • verifying the requester's identity
    • ensuring that the requester is authorized to request a password reset (in case the requester is the same as the owner of the account, this check may be moot)
    • choosing a new password (either generated or accepted from the requester, subject to fulfillment of the password policy)
    • provisioning the password into the authentication system
    • notification that the new password can be used, if an out-of-band password change happens (and a possible security notification to the account owner that the password has been changed)
This post explores the first part of the process, i.e. verifying the requester's identity.

Classification Approach

Based on the basics of the authentication process, we know that we can verify a user based on something they know, have or are. For the authentication to work, we need to ensure that the same information is available to the user and the Identity Provider at the time of verification. This implies that prior to verification there has to be an acquisition process, which can be classified based on when (at registration, during usage of the account, or outside the IdP/user account relationship) and from whom (user, identity/service provider, third party such as a credit rating agency, public data) the acquisition has been made.
The verification process itself can be classified based on the type of shared secret/credential, along with other criteria like the verification channel.

Example


Based on this we can try to classify approaches to user verification, which has been done below for some of the most commonly used ones. Please note that this is not an exhaustive list of the approaches in the wild; it just tries to show how the classification can work for some of them.

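Acquisition covers the When and From Whom columns; Verification covers the Type and Channel columns.

| Verification Approach | When: Registration | When: Account Usage | When: Out-of-band | From Whom: User | From Whom: Service Provider | From Whom: Third Party | Type: Know | Type: Have | Type: Are | Channel: Single | Channel: Multi |
|---|---|---|---|---|---|---|---|---|---|---|---|
| What is your pet's name | Y | | | Y | | | Y | | | Y | |
| When was your last withdrawal from account XXX? | | Y | | | Y | | Y | | | Y | |
| Did you live at ZZZ on DD/MM/YYY? | | | Y | | | Y | Y | | | Y | |
| Please provide your date of opening the credit card account | | | Y | | Y | | Y | | | Y | |
| Send a nonce+ to Email Address * | Y | | | Y | | | | Y | | Y | |
| Send a nonce to Cellphone * | Y | | | Y | | | | Y | | | Y |
| One time Password cards for specific duration | | | Y | | Y | Y ^ | | Y | | Y | |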

* The classification may change depending upon the implementation but you get the idea.
^ If IdP is different from Service Provider
+ I do not want to use "temporary password" as it can be confusing

At present not all the permutations/combinations may be utilized, but we may find other ways to combine these factors to create new methods. In addition, I have a feeling we will figure out a lot more ways of classifying the password reset process.

Why

Even though this was just a thought exercise, I think we may be able to use it to study and compare various verification techniques. Given that people are already treating some combinations of authentication/verification techniques as multi-factor (even though theoretically they may be single factor), it may make sense to develop a more detailed classification technique so that we can compare various "multi-factor" techniques and ensure that we are not using pseudo-"multi-factor" techniques. Based on my limited knowledge, I have not run into any such framework, but I would really appreciate a pointer in that direction.
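The comparison described above can be made mechanical. The following is an added example, not code from the original post: it encodes five rows of the table and flags combinations that stack several steps of the same factor type. The names `Approach`, `assess` and `independent_sources` are hypothetical, and counting distinct (when, from whom) origins is an assumption about how the acquisition axes could be used for comparison.

```python
from dataclasses import dataclass
from enum import Enum

# The four axes of the post's classification.
When = Enum("When", "REGISTRATION ACCOUNT_USAGE OUT_OF_BAND")
Source = Enum("Source", "USER SERVICE_PROVIDER THIRD_PARTY")
Factor = Enum("Factor", "KNOW HAVE ARE")
Channel = Enum("Channel", "SINGLE MULTI")


@dataclass(frozen=True)
class Approach:
    name: str
    when: When
    sources: frozenset  # who supplied the shared secret
    factor: Factor
    channel: Channel


def approach(name, when, sources, factor, channel):
    return Approach(name, when, frozenset(sources), factor, channel)


# Rows transcribed from the table in the post.
PET = approach("pet's name", When.REGISTRATION, [Source.USER], Factor.KNOW, Channel.SINGLE)
WITHDRAWAL = approach("last withdrawal", When.ACCOUNT_USAGE, [Source.SERVICE_PROVIDER], Factor.KNOW, Channel.SINGLE)
ADDRESS = approach("lived at ZZZ", When.OUT_OF_BAND, [Source.THIRD_PARTY], Factor.KNOW, Channel.SINGLE)
EMAIL_NONCE = approach("nonce to email", When.REGISTRATION, [Source.USER], Factor.HAVE, Channel.SINGLE)
SMS_NONCE = approach("nonce to cellphone", When.REGISTRATION, [Source.USER], Factor.HAVE, Channel.MULTI)


def assess(combo):
    """Classify a combination of verification approaches.

    Returns 'single-factor', 'pseudo-multi-factor' (several steps, one
    factor type) or 'multi-factor' (at least two distinct factor types).
    """
    combo = list(combo)
    if not combo:
        raise ValueError("no verification approach given")
    factors = {a.factor for a in combo}
    if len(factors) >= 2:
        return "multi-factor"
    return "pseudo-multi-factor" if len(combo) > 1 else "single-factor"


def independent_sources(combo):
    """Count distinct (when, from whom) acquisition origins (assumed metric)."""
    return len({(a.when, s) for a in combo for s in a.sources})
```

Three knowledge questions in a row come out as pseudo-multi-factor no matter how many are asked, while a pet's-name question plus a cellphone nonce is multi-factor even though both secrets were acquired from the user at registration.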

Thoughts?



3 comments:

Avery Wilson said...

I've been doing some research on identity management and found this information very useful. I'll have to show my husband. Thanks for the tips!

santhoshi m said...

Is there any option to change or recover password for identity access management software? And the tips shared here are really useful.

William Davis said...

Is it possible that the future will change from password to identity and access management system completely?