With any application that requires authentication you will inevitably run into a password expiration and/or lockout issues that requires a user to reset their password. I have seen organizations address this with a wide range of solutions from home grown programs all the way to multi-million dollar identity management frameworks. While both solutions will help a user change their password it baffles me how many people forget to address this very basic paradigm:
how do I verify the user’s authenticity?
Most organizations I work with store their employee identity in either Microsoft Active Directory or in a 3rd party LDAP directory. These directories typically limit authentication methods to either Kerberos or LDAP binding. The advantage to using Kerberos is you can authenticate the user with an expired password to verify authenticity before changing their password. This is how F5 Access Policy Manager changes expired Active Directory passwords when the feature is enabled. With LDAP the binding process only works with valid username/password combinations and therefor leaves the authenticity challenge to the identity management program/framework. So how can you verify the user’s authenticity before changing their password?
Most users are familiar with the concept of using email to verify a password reset. This process was very common with social media and e-commerce sites up until recently with the increased data loss issues we’ve seen in the news due to poor security or social engineering. In this model the user is sent an email with a link that contains a unique token allowing the identity management framework to verify the user’s authenticity. While this model is elegant in design it fails to address the issue that the password being reset it typically also the password used to access corporate email. So for most organizations this solution is not viable.
One-time passwords, typically referred to as OTP, are a form of multi-factor authentication that use a randomly generated token to verify the user’s identity. These tokens are only valid for a short amount of time and are delivered via email or SMS to a mobile device. One-time passwords are my preferred method to addressing this issue with F5’s Access Policy Manager. In the event that a password needs to be reset F5’s APM can handle verifying the user’s authenticity using OTP before allowing access to the identity management program/framework.
Knowledge Based Authentication
Knowledge based authentication is a process where the user is presented with common questions they know the answer to. These questions, and the corresponding answers, are typically chosen by the user during a registration process but can also be based on employee/customer data. This form of verifying user authenticity has become very popular with social media and e-commerce sites over the last few years as it puts the burden of protecting one’s identity on the user by choosing a secure combination of questions and answers others would not easily guess.
Ultimately, which solution you choose will depend primarily on what your identity management program/framework supports. If your product does not have these capabilities then now is a good time to add them or find a identity management solution.
2 thoughts on “Password Resets and User Authenticity”
Has anyone published a way for the user to reset his/her password without login first, only with mobile phone verification using f5 APM ?
You can do this via APM OTP but the best way is to combine OTP plus knowledge based questions. Nothing on DevCentral about this yet but a good idea for a blog post.