In a series of posts, I’ll talk about the experiences I’ve had in designing identity access management for mass adoption. Unlike more old-school enterprise IAM systems, the consumer or customer IAM platform (CIAM) has some special needs that need addressing. In this first post, I’ll look at credential recovery challenges of CIAM.
Credential recovery for me, myself and I
When you set out to create an identity system that has to cope with millions of users, across a wide demographic, you have to think very carefully about how to manage the credentials of those users. After all, the system is generally the guardian of the user’s identity, so you have to think about a very big picture involving:
- Security
- Usability
- Scalability
- Cost
- Customer satisfaction
- Customer expectation
Customer IAM systems are a complex matrix of needs, wants, and must haves; Credentials are the beating heart of CIAM and credential recovery impinges across the matrix of all of these. Without credentials, you have no access, no control, and no customers. Login credentials are the touchpoint between your customer and your service, and you have to make them easy to use and secure, as they are the pivot upon which you do business. When a customer isn’t using them to log in, they have to be able to manage them through:
- Recovery
- Updating
How you allow your customers to do this can either be through self-service, a manned Help Desk, or a mix of both.
Help desk vs. self-service for credential recovery
Credential recovery is a powerful part of an IAM system. Help Desks that perform credential recovery functions need to have security features baked-in. A Help Desk used for credential recovery is a weak link in your security arsenal. It has potential vector status via both the Help Desk operator and the caller. Surveys, such as a report sponsored by RSA into the security and privacy issues of the Help Desk show it is a focus for social engineering attacks as well as a risk for personal data exposure.
Self-service attacks are also open to similar risks. Social engineering, in particular, is a focus for attacks against self-service credential recovery systems. The crypto-currency platform Coinbase, had a recent run-in with a social engineer/hacker who used some pretty sophisticated techniques to attempt to use the password reset system to breach accounts - a full rendition of this can be found here. When building a CIAM system, the mechanism behind the password reset needs to be highly robust, not only to ensure that legitimate users are able to change the password securely and as easily as possible, but so that legitimate users cannot hijack the mechanism or related sub-mechanisms.
And then there was second factor
We should now all be aware that offering a second factor in a CIAM system is important for security. But if you do offer a second factor credential, this adds complexity to a credential recovery/management system.
One way to manage second factor recovery is by offering it via a Help Desk, e.g., add a new mobile phone number. To do this you must have a multi-step mechanism to securely identify the caller, then to ensure the change is cross-checked, audited, and the user is notified through a verified channel. It is, in other words, a process that has many moving parts to ensure security. It is long winded for the customer to go through and it requires a real person on the end of a phone to go through the process with the customer. It costs a lot of money - figures vary, but analysts Forrester have set a price of, on average, $6-$12, and other reports set the figure higher at around $20 per call.
The alternative is to have an alternative second factor in place for an individual user. If the user needs to change their mobile number suddenly, at least they can use their alternative second factor to log in, or access an account manager to update their mobile device. What that alternative second factor is, becomes your next challenge. In the past, the use of knowledge-based questions (KBA) backed the recovery system, but NIST in their latest Digital Identity Guidelines has sensibly set out that KBA is not a secure mechanism in an age where social accounts are a resource for cybercriminals.
Self-service or bust?
The impact of a poorly thought through credential recovery system can cost you and your customers. If you haven’t implemented a strong credential recovery system with audit and cross-checks included, you could end up as an unwitting victim of blackmail. This was evidenced in a recent threat from a hacker group known as the ‘Turkish Crime Family’ who told Motherboard that they had stolen countless millions of iCloud credentials and would reset users accounts, wiping all data. It looks like this was an empty threat, but only because Apple was able to double check the claims using audit events. Credential recovery is your Achilles heel.
In a survey by the Service Desk Institute, they found that self-service use has increased by 81%. The thing is, customers, love self-service. It’s “handy” and fast, and you don’t have to talk to a stranger at the end of a phone line. It is also, of course, much cheaper to run for the service than a manned help desk. Self-service credential recovery puts the consumer in control. You have customer buy-in, but getting the security and usability side of it is the challenge. First factor credentials, like password, have well-worn, tried and tested pathways of recovery. Second factor can be more of a challenge. Which your organization chooses to use is likely to come down to cost in the end – but when performing an ROI for a solution, always factor in the cost of managing a second factor recovery system.