Securing user credential management and account recovery – ET CISO
Account recovery due to forgotten passwords or other lost credentials is one of the riskiest events in the identity and access management (IAM) user life cycle. The absence of appropriate controls can pave the way for account takeovers (ATOs) as malevolent actors exploit high-friction or low-assurance workflows, undermining even the most secure authentication mechanisms.
In all scenarios, self-service models backed by alternative methods of authentication, or by automated identity verification, should be prioritized so that help desk agents are not left as a target for social engineering. While weaker methods such as one-time passwords (OTPs) delivered via SMS or email continue to be used, they should be viewed as temporary solutions until more secure alternatives can be deployed. Security and risk management leaders can employ a risk-based strategy, leveraging alternative authentication and identity verification methods, to safeguard user accounts effectively.
Provide Alternative Authentication Modes
The most effective way to establish the requisite level of trust in an identity to permit modification of credentials is to use a combination of alternative authentication and compensating controls (e.g., risk and recognition signals).
Weak authentication modes such as SMS- or email-delivered OTP are widespread. While these can be used to establish a limited level of trust, they have inherent weaknesses that make them unsuitable for establishing trust for the management of a higher-trust authenticator such as an X.509 certificate or a FIDO2 passkey. In those scenarios, an equally strong authenticator must be used, or compensating controls must be in place.
Biometric voice recognition is an attractive option for many organizations, where it can apply to both employee and customer use cases. Organizations can use a voice biometric process in an automated interactive voice response (IVR) system, or they can use it in a voice call with an agent.
Another signal for recognizing requests made via IVR or help desk calls is phone number verification, specifically spoofing detection. This technique can determine whether a phone number is being spoofed and identify the type of phone and, sometimes, the owner's name. This method is already extensively used in customer-facing situations and could be seamlessly integrated into workforce scenarios without significantly affecting the user experience.
If the risk signals are so significant that a single authentication factor plus recognition signals cannot bring the remaining doubt within the organization's risk tolerance, then the enterprise needs to move to an identity verification process.
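The decision logic described in this section can be made explicit as a policy. The following is an added illustration, not code from the article, from Gartner or from ETCISO: it orders authenticators into assurance tiers, allows a recovery authenticator to manage only a credential of equal or lower tier, lets recognition signals compensate a one-tier gap, and forces identity verification when the risk score exceeds the organization's tolerance or when no authenticator is available. The tier ordering, the 0-100 risk scale, the threshold of 70 and the requirement of two recognition signals are assumptions chosen for the example.

```python
"""Risk-based account-recovery policy (illustrative example).

Rules encoded, following the article's guidance:
1. A recovery authenticator may reset or re-enrol only a credential of equal
   or lower assurance, unless compensating controls cover the gap.
2. Recognition signals (e.g. a passed phone spoofing check, a known device)
   act as compensating controls, and only for a one-tier gap.
3. If the risk score exceeds the organisation's tolerance, or no authenticator
   is available at all, the request steps up to identity verification.

Assurance tiers, the 0-100 risk scale, RISK_TOLERANCE and the number of
signals required are assumptions for this example, not values from the article.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Assurance(IntEnum):
    """Ordered assurance tiers (assumed ordering)."""
    NONE = 0
    LOW = 1      # SMS/email OTP: phishable, exposed to SIM swap or mailbox takeover
    MEDIUM = 2   # voice biometric via IVR or agent call
    HIGH = 3     # FIDO2 passkey, X.509 certificate, automated ID document verification


# Assurance of what the requester can present during recovery
AUTHENTICATOR_ASSURANCE = {
    "sms_otp": Assurance.LOW,
    "email_otp": Assurance.LOW,
    "voice_biometric": Assurance.MEDIUM,
    "fido2_passkey": Assurance.HIGH,
    "x509_certificate": Assurance.HIGH,
    "id_document_verification": Assurance.HIGH,
}

# Assurance of the credential being reset or re-enrolled
TARGET_ASSURANCE = {
    "password": Assurance.LOW,
    "voice_biometric": Assurance.MEDIUM,
    "fido2_passkey": Assurance.HIGH,
    "x509_certificate": Assurance.HIGH,
}

RISK_TOLERANCE = 70          # assumed threshold on a 0-100 risk score
SIGNALS_TO_COMPENSATE = 2    # assumed number of recognition signals needed


@dataclass
class RecoveryRequest:
    target_credential: str
    presented_authenticators: list[str]
    recognition_signals: set[str] = field(default_factory=set)
    risk_score: int = 0      # 0 = no anomalies, 100 = almost certainly fraudulent


def decide(req: RecoveryRequest) -> str:
    """Return 'allow', 'allow_with_compensating_controls' or
    'require_identity_verification' for a recovery request."""
    if req.target_credential not in TARGET_ASSURANCE:
        raise ValueError(f"unknown target credential: {req.target_credential}")
    for name in req.presented_authenticators:
        if name not in AUTHENTICATOR_ASSURANCE:
            raise ValueError(f"unknown authenticator: {name}")

    # Rule 3a: risk too high for any single factor plus recognition signals
    if req.risk_score > RISK_TOLERANCE:
        return "require_identity_verification"

    target = TARGET_ASSURANCE[req.target_credential]
    presented = max(
        (AUTHENTICATOR_ASSURANCE[a] for a in req.presented_authenticators),
        default=Assurance.NONE,
    )

    # Rule 3b: authentication unavailable, so verification is the only path
    if presented == Assurance.NONE:
        return "require_identity_verification"

    # Rule 1: an equally strong (or stronger) authenticator establishes trust
    if presented >= target:
        return "allow"

    # Rule 2: recognition signals compensate a single-tier gap only
    if target - presented == 1 and len(req.recognition_signals) >= SIGNALS_TO_COMPENSATE:
        return "allow_with_compensating_controls"

    # A weak authenticator cannot manage a higher-trust token and nothing compensates
    return "require_identity_verification"


if __name__ == "__main__":
    # Constructed sample requests
    samples = [
        RecoveryRequest("password", ["sms_otp"], risk_score=10),
        RecoveryRequest("fido2_passkey", ["sms_otp"]),
        RecoveryRequest("fido2_passkey", ["voice_biometric"], {"phone_not_spoofed", "known_device"}),
        RecoveryRequest("fido2_passkey", ["fido2_passkey"], risk_score=90),
    ]
    for s in samples:
        print(f"{s.target_credential:15} via {s.presented_authenticators} -> {decide(s)}")
```

The policy is deliberately conservative in two places: recognition signals never close a gap of more than one tier, and a high risk score overrides even a strong authenticator, which is the point made in the paragraph above.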
Turning to Identity Verification When Authentication Is Unavailable
Verifying a user's identity is a good method because it does not rely on any existing authentication factors. Automated identity verification, such as checking a government-issued ID, provides a high level of certainty about a person's identity. The employee or customer is asked to use a mobile phone or a webcam to take an image or short video of their driver's license, ID card or passport, and to take a selfie while being assessed for liveness. The document is assessed for authenticity, and the selfie is biometrically compared with the photo in the document.
While use of identity verification for account recovery is not yet common, with cost and friction cited as concerns, interest in this method has increased significantly in the last year. It offers a high level of assurance, does not require all users to be pre-enrolled, and addresses ongoing threats around employee account takeover.
The author is Akif Khan, VP Analyst at Gartner.
Disclaimer: The views expressed are solely those of the author and ETCISO does not necessarily subscribe to them. ETCISO shall not be responsible for any damage caused to any person/organization directly or indirectly.