
Securing user credential management and account recovery – ET CISO

Akif Khan, VP Analyst at Gartner

Account recovery due to forgotten passwords or other lost credentials is one of the riskiest events in the identity and access management (IAM) user life cycle. The absence of appropriate controls can pave the way for account takeovers (ATOs) as malevolent actors exploit high-friction or low-assurance workflows, undermining even the most secure authentication mechanisms.

In all scenarios, self-service models backed by alternative methods of authentication, or by automated identity verification, should be prioritized to remove potential targets for social engineering. While weaker methods such as one-time passwords (OTPs) delivered via SMS or email continue to be used, they should be viewed as temporary solutions until more secure alternatives can be deployed. Security and risk management leaders can employ a risk-based strategy, leveraging alternative authentication and identity verification methods, to safeguard user accounts effectively.

Provide Alternative Authentication Modes

The most effective way to establish the requisite level of trust in an identity to permit modification of credentials is to use a combination of alternative authentication and compensating controls (e.g., risk and recognition signals).

Weak authentication modes such as SMS- or email-delivered OTPs are widespread. While they can be used to establish a limited level of trust, they have inherent weaknesses that make them unsuitable for establishing trust for the management of a higher-trust authentication token such as an X.509 certificate or a FIDO2 passkey. In those scenarios, an equally strong authenticator must be used, or compensating controls must be in place.

Biometric voice recognition is an attractive option for many organizations, where it can apply to both employee and customer use cases. Organizations can use a voice biometric process in an automated interactive voice response (IVR) system, or they can use it in a voice call with an agent.

Another signal for recognizing requests made via Interactive Voice Response (IVR) or help desk calls could be phone number verification, specifically spoofing detection. This technique can determine if a phone number is being spoofed and identify the type of phone and, sometimes, the owner’s name. This method is already extensively used in customer-facing situations and could be seamlessly integrated into workforce scenarios without significantly affecting the user experience.

If the risk signals are so significant that a single factor of authentication and recognition signals are insufficient to bring the level of doubt within the organization’s risk tolerance, then enterprises need to move to a verification process.

Turning to Identity Verification When Authentication Is Unavailable

Verifying a user’s identity is a good method because it doesn’t rely on any existing authentication factors. Automated identity verification, such as document-based verification, provides a high level of certainty about a person’s identity. The employee or customer is asked to use a mobile phone or a webcam to take an image or short video of their driver’s license, ID card or passport, and to take a selfie while being assessed for liveness. The document is assessed for authenticity, and the selfie is biometrically compared with the photo in the document.

While use of identity verification for account recovery is not yet common, with cost and friction cited as concerns, the level of interest in this method has increased significantly in the last year due to the high level of assurance and not having to pre-enrol all users, especially in the face of ongoing threats around employee account takeover.
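A worked example of the risk-based recovery decision described in this and the previous section, written for this page rather than taken from Gartner or ETCISO: it ranks the authenticators the article names, lets recognition signals (such as phone spoofing checks) offset risk, and escalates to automated identity verification when a single factor plus signals cannot bring residual doubt within tolerance. The strength ranking, the per-signal credit and the tolerance threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Relative assurance of the authenticators the article names (ranking is an assumption).
STRENGTH = {
    "password": 1, "sms_otp": 1, "email_otp": 1,   # weak, but widely deployed
    "voice_biometric": 2,                          # IVR or agent-assisted call
    "x509_cert": 3, "fido2_passkey": 3,            # higher-trust tokens
}
SIGNAL_CREDIT = 0.15   # assumed: doubt removed by each recognition signal
TOLERANCE = 0.40       # assumed organisational risk tolerance on a 0..1 scale

@dataclass
class RecoveryRequest:
    target: str            # authenticator the user wants to reset or enrol
    usable: list           # authenticators the user can still complete
    risk_score: float      # 0.0 (benign) .. 1.0 (hostile), derived from risk signals
    recognition: frozenset = frozenset()   # e.g. {"phone_not_spoofed", "known_device"}

def decide(req: RecoveryRequest) -> str:
    """Return SELF_SERVICE, SELF_SERVICE_WITH_CONTROLS or IDENTITY_VERIFICATION."""
    need = STRENGTH[req.target]
    have = max((STRENGTH[a] for a in req.usable), default=0)
    residual = max(0.0, req.risk_score - SIGNAL_CREDIT * len(req.recognition))
    # Risk signals too strong for one factor plus recognition, or nothing usable:
    # escalate to document + selfie verification, which needs no prior enrolment.
    if have == 0 or residual > TOLERANCE:
        return "IDENTITY_VERIFICATION"
    # An equally strong or stronger authenticator may manage the target directly.
    if have >= need:
        return "SELF_SERVICE"
    # One step weaker is acceptable only with compensating controls and low residual risk.
    if need - have == 1 and req.recognition and residual <= TOLERANCE / 2:
        return "SELF_SERVICE_WITH_CONTROLS"
    # Otherwise the gap is too wide: an SMS OTP alone cannot gate a passkey reset.
    return "IDENTITY_VERIFICATION"

if __name__ == "__main__":
    # Constructed sample requests covering each branch of the decision.
    for r in (RecoveryRequest("password", ["sms_otp"], 0.1),
              RecoveryRequest("fido2_passkey", ["sms_otp"], 0.1),
              RecoveryRequest("fido2_passkey", ["voice_biometric"], 0.1, frozenset({"phone_not_spoofed"})),
              RecoveryRequest("password", ["sms_otp"], 0.9, frozenset({"phone_not_spoofed"}))):
        print(r.target, "<-", r.usable, "risk", r.risk_score, "=>", decide(r))
```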


The author is Akif Khan, VP Analyst at Gartner.

Disclaimer: The views expressed are solely of the author and ETCISO does not necessarily subscribe to it. ETCISO shall not be responsible for any damage caused to any person/organization directly or indirectly.

  • Published On Nov 2, 2024 at 12:27 PM IST
