Identity Verification: A More Secure Approach to Enterprise Account Recovery
November 20, 2019
Society’s transition from analog to digital has multiplied the number of passwords consumers use to access their online accounts, and businesses must keep pace to protect their users, especially by preventing account takeovers that abuse recovery processes such as password resets.
There are several reasons why one might need to reset a password:
- The first and most obvious is simply a forgotten password, which is highly common in both B2B and B2C applications.
- Password resets are also necessary after an account lockout, in which an individual is locked out of their account after a specific number of failed login attempts.
- Password rotation policies are also quite common in enterprise use cases, and require users to reset their passwords on a regular basis.
Every organization defines and executes account recovery processes like password resets differently. While there isn’t a one-size-fits-all approach, most cybersecurity experts agree that some form of identity verification should be included, because without it there is simply no way to know whether the request came from the actual account owner or from a fraudster.
The Problem with Password Rotations
Password rotations, which require users to change their password regularly over a given period of time (e.g. every 90 days, every 6 months, etc.), are very common enterprise security techniques, but there are a few problems with this approach:
- Account holders might not log into the platform with enough frequency to remember how they rotated their password the last time they were prompted to do so.
- Requiring users to update their passwords more frequently (e.g. every six weeks) creates more anxiety in the workplace, because going through IT to initiate the recovery process is painful and costs time and productivity.
Research has shown that mandatory periodic password rotation is no longer considered good practice and should not be used today, yet such policies still exist in many enterprises.
The Problem with KBV
The U.S. Government Accountability Office (GAO) released a report this year that found several prominent government agencies still rely on the three major credit agencies (Equifax, Experian and TransUnion) to verify a person’s identity with knowledge-based verification (KBV) before they can access their services online.
The KBV method will remain wholly insufficient as long as credit agencies continue to suffer major data breaches in which people’s sensitive PII (typically the very data used for knowledge-based answers) is made available online or can be cheaply obtained by cybercriminals via the Dark Web. KBV answers are often even easier to find on social media, and can be guessed from context clues in what people post there.
The Problem with MFA
Most enterprise account recovery systems use multi-factor authentication (MFA) to recover employees’ accounts. A basic example of this is when a password is combined with an SMS or email code to authorize a login or transaction.
There are a few problems with this method, chief of which are the insecurities of mobile devices and email platforms. Cybercriminals can easily initiate a password reset request, and then spoof an enterprise employee’s mobile device and/or email address to hack into their account or potentially compromise an entire system.
New mobile device vulnerabilities are exposing the dangers of using SMS or email corroboration for MFA account recovery. A few recent examples include:
- SIM Swaps: With just one additional piece of personal information (e.g. social security number, date of birth, first name, etc.), hackers can call a carrier and move a user’s phone number to a new SIM card that they own.
- Text Interceptions: Well-equipped criminals with access to an SS7 portal can grab text messages with account recovery codes and use them to log in before the account owner has even seen them.
Identity Verification for Issuing & Resetting Credentials
Identity verification not only helps prevent account takeovers and threats from bad actors, spam attacks, identity fraud, and social engineering; it also automates processes, decreases the turnaround time on requests, and reduces help desk costs and unnecessary manual work for internal resources.
Identity verification also improves the user experience by enabling self-service for simple password resets, while adding an appropriate amount of friction through optional or step-up verifications that are triggered by unusual behavior.
Ultimately, the reason why there isn’t a one-size-fits-all approach for account recovery processes is because not every use case will necessitate step-up verification, 2FA, or MFA. When thinking about how to combine verification with authentication, enterprises should consider the amount of friction that MFA and step-up verification will add to the password reset user experience, and weigh its effects on the help desk against the level of assurance needed for their specific use case.
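The decision described above (how much friction a reset request should carry, and when to step up from a self-service code to identity verification) is easiest to reason about as an explicit policy. The following is an added example, not Evident’s product code or any vendor’s API: a small risk-based policy for a self-service password reset that raises the required assurance level per risk signal, and that refuses to treat SMS as a trusted second channel when the phone number on file changed recently, the footprint left by the SIM-swap scenario in the MFA section. The signal names, the seven-day cooldown, the failed-login threshold, the step names and the sample requests are all assumptions constructed for illustration.

```python
"""Risk-based step-up policy for a self-service password reset flow.

Added example (not Evident's product code). Signal names, thresholds and
step names are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Dict, List, Optional


class Assurance(IntEnum):
    LOW = 1     # ordinary account: a single emailed code is enough
    MEDIUM = 2  # two independent channels must confirm the request
    HIGH = 3    # step-up identity verification (e.g. ID document scan)


@dataclass
class ResetContext:
    user_id: str
    required_assurance: Assurance         # assurance the account itself demands
    known_device: bool                    # request comes from a device seen before
    usual_location: bool                  # geolocation matches the user's history
    failed_logins_24h: int                # failed attempts preceding the request
    phone_changed_at: Optional[datetime]  # last change of the phone number on file
    requested_at: datetime


# A phone number changed shortly before a reset request is the classic footprint
# of a SIM swap or a social-engineered carrier change, so SMS is not trusted as a
# second channel during this window (assumed value).
PHONE_CHANGE_COOLDOWN = timedelta(days=7)
FAILED_LOGIN_THRESHOLD = 5  # assumed lockout-style threshold


def risk_signals(ctx: ResetContext) -> List[str]:
    """Return the names of the risk signals present in this request."""
    signals = []
    if not ctx.known_device:
        signals.append("unknown_device")
    if not ctx.usual_location:
        signals.append("unusual_location")
    if ctx.failed_logins_24h >= FAILED_LOGIN_THRESHOLD:
        signals.append("brute_force_pattern")
    if (ctx.phone_changed_at is not None
            and ctx.requested_at - ctx.phone_changed_at < PHONE_CHANGE_COOLDOWN):
        signals.append("recent_phone_change")
    return signals


def effective_assurance(ctx: ResetContext) -> Assurance:
    """Raise the account's baseline by one level per risk signal, capped at HIGH."""
    level = int(ctx.required_assurance) + len(risk_signals(ctx))
    return Assurance(min(level, int(Assurance.HIGH)))


def required_steps(ctx: ResetContext) -> List[str]:
    """Map the effective assurance level to the verification steps the user must pass."""
    level = effective_assurance(ctx)
    if level == Assurance.LOW:
        return ["email_code"]
    if level == Assurance.MEDIUM:
        # Second channel: SMS only while the phone number on file is stable.
        # Otherwise escalate to identity verification instead of trusting a
        # number that may have just been moved to an attacker's SIM.
        if "recent_phone_change" in risk_signals(ctx):
            return ["email_code", "id_document_verification"]
        return ["email_code", "sms_code"]
    return ["email_code", "id_document_verification"]


# Constructed sample requests (not real users); NOW is an arbitrary fixed instant.
NOW = datetime(2019, 11, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_REQUESTS: Dict[str, ResetContext] = {
    "routine": ResetContext("u1", Assurance.LOW, True, True, 0, None, NOW),
    "new_laptop": ResetContext("u2", Assurance.LOW, False, True, 0, None, NOW),
    "phone_just_changed": ResetContext(
        "u3", Assurance.LOW, True, True, 0, NOW - timedelta(days=2), NOW),
    "sim_swap_pattern": ResetContext(
        "u4", Assurance.LOW, False, False, 0, NOW - timedelta(days=1), NOW),
    "admin": ResetContext("u5", Assurance.HIGH, True, True, 0, None, NOW),
}


def evaluate(ctx: ResetContext) -> Dict[str, object]:
    """Decision record suitable for an audit log: signals, level and steps."""
    return {
        "user_id": ctx.user_id,
        "signals": risk_signals(ctx),
        "assurance": effective_assurance(ctx).name,
        "steps": required_steps(ctx),
    }


if __name__ == "__main__":
    for name, ctx in SAMPLE_REQUESTS.items():
        print(name, evaluate(ctx))
```

The policy keeps the low-friction path (one emailed code) for routine requests on a known device, adds a second channel when something looks different, and reserves the costliest step, an identity document check, for privileged accounts and for requests that show the combination of signals an account takeover leaves behind. Returning the decision as a record rather than just the step list makes it straightforward to log why each reset was challenged, which is what a help desk or incident responder will ask when a user complains about the friction.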
Instances of account takeovers, spam attacks, and identity fraud have escalated considerably due to massive data breaches that occur on a regular basis. Eventually, remote identity verification won’t just be an option when it comes to password resets and other account recovery processes, it’ll be a necessity.
Beyond account recovery and password reset processes, identity verification is foundational to enterprise trust and safety, regulatory compliance, and digital accessibility.
How Evident Helps
Evident offers both custom and turnkey integrations for account recovery, depending on the size of the enterprise. Our solutions enable companies to verify their users’ identities through a quick ID document scan and minimal data entry. Being able to verify that the individual requesting the account change is the actual account owner is critical for enterprise security, and we’re here to help!