Password policies and Customer Identity & Access Management

Suresh Attanayake
Feb 4, 2018

Security and usability do not always go hand in hand. In enterprise identity management (EIDM) especially, usability can easily be sacrificed for security. That is a privilege EIDM enjoys because it manages the identities of employees and partners, on whom policies can be enforced since they "work for" the company. In customer identity and access management (CIAM) the tables are turned: the company "works for" the customer, not the other way around. Customers will compromise on neither security nor usability, and trying to compromise either damages the company's brand. Remember, sign-up and login make the first impression on the customer.

Password Policies

Without argument, password policies are a useful tool against password cracking. Adding complexity to passwords and rotating them periodically makes a password cracker's life harder. A password policy generally has at least the following components:

Password lifetime enforces an expiry time on passwords. This helps in two ways: it shortens the window in which an attacker can guess the password, and a stolen or cracked password has only a limited useful lifetime. Note that NIST SP 800-63B (2017) advises against forcing periodic rotation, for exactly the usability reasons discussed below.

Password history prevents reuse of previous passwords, so a password that has already been stolen or cracked cannot be set again.

Password complexity increases the entropy of the password, which reduces the chance of guessing it. Password managers such as Keychain, Enpass and KeePass can generate long, highly random passwords with numbers and special characters. Cracking such passwords online is not a viable option for an attacker.
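To make the three components concrete, here is an added example (not code from the article) of a checker that enforces lifetime, history and complexity against a stored password record. The class and function names, the 90-day lifetime, the five-deep history and the PBKDF2 parameters are assumptions for the example. Passwords are hashed with PBKDF2-HMAC-SHA256 and a per-password salt, so the history check works by re-hashing the candidate under each stored salt rather than by storing anything reversible. Time is passed as Unix seconds to keep the example self-contained.

```python
"""Added example: password lifetime, history and complexity checks (not from the article)."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000   # assumption: tune to your hardware
DAY = 86_400
MAX_AGE = 90 * DAY        # lifetime policy (assumed 90 days)
HISTORY_DEPTH = 5         # history policy: remember the last 5 passwords (assumed)
MIN_LENGTH = 10           # complexity policy (assumed)


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_at: int                                    # Unix time the password was set
    history: list = field(default_factory=list)    # previous (salt, digest) pairs, newest first

    @classmethod
    def create(cls, password: str, now: int) -> "PasswordRecord":
        salt, digest = hash_password(password)
        return cls(salt, digest, now)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(hash_password(password, self.salt)[1], self.digest)

    def is_expired(self, now: int) -> bool:
        """Lifetime policy: the password is refused once it is older than MAX_AGE."""
        return now - self.set_at > MAX_AGE

    def was_used_before(self, password: str) -> bool:
        """History policy: candidate equals the current password or one of the last N."""
        return any(hmac.compare_digest(hash_password(password, s)[1], d)
                   for s, d in [(self.salt, self.digest), *self.history])

    def rotate(self, new_password: str, now: int) -> None:
        """Install a new password and push the old one onto the history list."""
        self.history.insert(0, (self.salt, self.digest))
        del self.history[HISTORY_DEPTH:]
        self.salt, self.digest = hash_password(new_password)
        self.set_at = now


def complexity_violations(password: str) -> list:
    """Complexity policy: at least MIN_LENGTH characters and three of four character classes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password))
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    return problems


def evaluate_change(record: PasswordRecord, candidate: str) -> list:
    """Every policy objection to setting `candidate` as the new password (empty list = allowed)."""
    problems = complexity_violations(candidate)
    if record.was_used_before(candidate):
        problems.append("used recently; choose a password not in your history")
    return problems
```

Each policy check is independent, which is exactly what lets them pile up on one unlucky customer: an expired password forces a reset, the reset is refused by the history check, and the replacement is refused by the complexity check.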

User experience

Password policies are good, but they come with a price tag, and it is paid in user experience. Imagine the following practical scenario.

A customer who bought an item from an online shop four months ago now wants to buy a spare part for it. The customer tries to log in to the shop. Since it has been a while, the password lifetime policy has marked his password as expired, so he can no longer log in with it. The confused customer follows the "forgot password" link to reset it and, for convenience, wants to use the same password again. Now the password history policy kicks in: the system refuses his preferred password and forces him to pick a new one. While trying to set a memorable new password he runs into the password complexity policy. The annoyed and angry customer now calls customer support. Just as likely, instead of calling support he tries a different online shop where he can buy the spare part in one click.

But the threat is real

Password cracking is a real threat. For example, Mark Zuckerberg's social media accounts were hijacked because of an easy-to-crack password. There is no doubt the same is true of many users; look at the worst passwords used in 2017.

There are several ways an attacker can get hold of a user's password:

Password stealing is a very effective way for attackers to obtain a user's password. An attacker might use social engineering to get the victim to reveal the password, install a keylogger on the victim's computer, or resort to phishing or shoulder surfing. The attacker then uses the stolen password to log in to the victim's account.

Offline password cracking involves no live (online) interaction with the system; instead the attacker recovers the password locally from a stolen password hash, using a dictionary, brute force, or a rainbow table (precomputed hash chains, which only work when the hashes are unsalted). After recovering the plaintext, the attacker uses the cracked password to log in to the victim's account.

Online password cracking involves direct interaction with the system in order to guess the password. This can be done in brute-force mode (try all possible combinations), in dictionary mode (a compiled list of popular and likely passwords), or a mix of both.
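The offline case above is worth seeing in code. The following is an added example (not from the article) of a dictionary attack with simple mangling rules against a constructed "leaked" table of password hashes. It contrasts unsalted hashes, where one precomputed table (the idea behind rainbow tables) cracks every user at the cost of a lookup, with per-user salted hashes, where no precomputation can be shared and every user costs a full pass over the wordlist. The wordlist, the mangling rules and the leaked rows are all made up for the example.

```python
"""Added example: offline dictionary attack, unsalted vs. salted hashes (not from the article)."""
import hashlib
import os

# Constructed wordlist: a few perennial entries from the yearly "worst passwords" lists.
WORDLIST = ["123456", "password", "qwerty", "letmein", "football", "iloveyou", "monkey"]


def mangle(word: str):
    """Cracker-style rules: as-is, capitalised, common suffixes, simple leetspeak."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!", "2017", "2018"):
        yield word + suffix
        yield word.capitalize() + suffix
    yield word.replace("a", "@").replace("o", "0").replace("e", "3")


def candidates():
    """Every guess the attacker will try, in order."""
    for word in WORDLIST:
        yield from mangle(word)


def unsalted_hash(pw: str) -> str:
    return hashlib.sha1(pw.encode()).hexdigest()      # what many old breaches leaked


def salted_hash(pw: str, salt: bytes) -> str:
    return hashlib.sha256(salt + pw.encode()).hexdigest()


# Constructed leaked rows. 'dave' used a password-manager-generated password.
PLAINTEXTS = {"alice": "Password1", "bob": "letmein2018", "carol": "m0nk3y",
              "dave": "xK9#vQ2m!pL7@wZ4"}
LEAKED_UNSALTED = {u: unsalted_hash(p) for u, p in PLAINTEXTS.items()}


def _salted_rows() -> dict:
    rows = {}
    for u, p in PLAINTEXTS.items():
        salt = os.urandom(8)
        rows[u] = (salt, salted_hash(p, salt))
    return rows


LEAKED_SALTED = _salted_rows()


def crack_unsalted(leaked: dict) -> tuple:
    """Build the lookup table once; afterwards every leaked hash costs one dict lookup.
    Returns (recovered passwords by user, number of hash computations)."""
    table, ops = {}, 0
    for c in candidates():
        table[unsalted_hash(c)] = c
        ops += 1
    return {u: table[h] for u, h in leaked.items() if h in table}, ops


def crack_salted(leaked: dict) -> tuple:
    """Per-user salt: the whole wordlist has to be re-hashed for every user."""
    found, ops = {}, 0
    for u, (salt, h) in leaked.items():
        for c in candidates():
            ops += 1
            if salted_hash(c, salt) == h:
                found[u] = c
                break
    return found, ops
```

Both attacks recover the three weak passwords and fail on the generated one, but the salted table costs several times more hash computations even for four users; against millions of rows, and with a deliberately slow hash such as bcrypt or PBKDF2, that difference is what makes offline cracking impractical.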

The point

The point is that password policies are deployed to make password cracking difficult. But what if we can detect it instead?

If we can detect online cracking of passwords and detect the use of stolen or cracked passwords, then we no longer have to rely solely on the strength of the password.

The Approach

The alternative defence against password cracking and stealing has four components:

Guidance for stronger passwords
Guide users to create strong passwords. Show a password strength indicator (e.g. weak, strong, very strong) during sign-up, password reset and password change. However, do not force them to pick a stronger one.

Account lockout
Lock the account after a small number of failed login attempts. Make the lock temporary or provide a self-service unlock; otherwise an attacker can lock legitimate customers out simply by guessing wrong.

Notification
Upon account lockout, immediately send a notification to the account owner with the details of the event (login location, browser type, etc.), guidance on how to unlock the account, and advice on strengthening the account's security further.

Not only failed login attempts but also successful logins from new devices, changes to account credentials, changes in account status and so on should be reported immediately to account owners, with enough detail that users can actively take part in securing their own accounts.

Adaptive multi-factor authentication
This is the all-out counter-attack on cracked and stolen passwords. Even when the provided password is correct, the login event should be analysed further and, if necessary, challenged with a second factor. For example, if this is not the browser the user normally logs in with, or not the geographic region the user normally logs in from, the login is risky. In that case multi-factor authentication (e.g. Google Authenticator, Microsoft Authenticator) should kick in. If the second factor fails, the account should be locked.

If the second factor succeeds, notify the account owner of the successful login from a new device. If it fails, immediately notify the account owner that their password may have leaked, and guide them to change the password and enhance their security.
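The four components above fit naturally into a single login decision. The following added example (not code from the article, and not any particular CIAM product's logic) wires them together: a strength label at sign-up that is shown but never enforced, a temporary lockout after repeated failures, a notification queue for the account owner, and an adaptive second factor (TOTP as in RFC 6238, computed over HMAC-SHA1) that is only demanded when the browser or region is unfamiliar. The `Account` class, the thresholds, the in-memory "known contexts" set and the use of plain SHA-256 for the password hash are assumptions made to keep the example short; use a slow KDF in production. Time is passed as Unix seconds.

```python
"""Added example: adaptive login with lockout, notification and TOTP step-up (not from the article)."""
import hashlib
import hmac
import math
import os
from dataclasses import dataclass, field

MAX_FAILURES = 5            # assumption
LOCK_FOR = 15 * 60          # temporary lock (seconds) limits attacker-induced denial of service


def strength_label(password: str) -> str:
    """Guidance only, never enforced: a label from a rough entropy estimate."""
    pool = (26 if any(c.islower() for c in password) else 0) \
         + (26 if any(c.isupper() for c in password) else 0) \
         + (10 if any(c.isdigit() for c in password) else 0) \
         + (32 if any(not c.isalnum() for c in password) else 0)
    bits = len(password) * math.log2(pool) if pool else 0
    return "very strong" if bits >= 80 else "strong" if bits >= 50 else "weak"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: RFC 4226 HOTP with a time-based counter, HMAC-SHA1, dynamic truncation."""
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    known_contexts: set = field(default_factory=set)    # (browser, region) pairs seen before
    failures: int = 0
    locked_until: float = 0.0                           # Unix time; 0 means not locked
    notifications: list = field(default_factory=list)   # what we would e-mail/SMS the owner

    @classmethod
    def create(cls, username: str, password: str, browser: str, region: str) -> "Account":
        salt = os.urandom(16)
        acct = cls(username, salt, cls._hash(salt, password), os.urandom(20))
        acct.known_contexts.add((browser, region))      # the sign-up device is trusted
        return acct

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.sha256(salt + password.encode()).digest()   # slow KDF in production

    def verify_password(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(self.salt, password), self.pw_hash)

    def notify(self, event: str, browser: str, region: str, advice: str) -> None:
        self.notifications.append({"event": event, "browser": browser,
                                   "region": region, "advice": advice})


def login(acct: Account, password: str, browser: str, region: str,
          now: int, mfa_code: str = "") -> str:
    """Returns one of: locked, bad_password, mfa_required, ok."""
    if now < acct.locked_until:
        return "locked"
    if not acct.verify_password(password):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCK_FOR
            acct.notify("lockout", browser, region,
                        "unlock via the e-mailed link; consider changing your password")
            return "locked"
        return "bad_password"
    context = (browser, region)
    if context in acct.known_contexts:          # case 1: familiar device, straight in
        acct.failures = 0
        return "ok"
    if not mfa_code:                            # unfamiliar device: password alone is not enough
        return "mfa_required"
    if hmac.compare_digest(mfa_code, totp(acct.totp_secret, now)):
        acct.known_contexts.add(context)        # case 2: owner on a new device
        acct.failures = 0
        acct.notify("new_login", browser, region, "if this was not you, change your password now")
        return "ok"
    acct.locked_until = now + LOCK_FOR          # case 3: right password, wrong second factor
    acct.notify("mfa_failed", browser, region,
                "your password may be compromised; reset it and recover the account")
    return "locked"
```

Note what the attacker in case 3 learns: nothing beyond "locked". A correct password on an unfamiliar device never yields a session without the second factor, and the owner is told which browser and region the attempt came from.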

Result

Let's replay the scenario discussed above under the new approach, in a few different combinations.

Case 1: A customer who bought an item from the online shop four months ago now wants to buy a spare part for it. He visits the shop with his usual browser on his own computer, enters his username and password and logs in. Since it is the usual browser, no second factor is prompted. He lands in the online shop and continues shopping.

Case 2: The same customer visits the shop from his wife's computer this time. He enters his username and password and clicks login. The system prompts for a second factor; he provides the code from his authenticator app and continues to the online shop.

Case 3: An attacker has obtained the customer's password by other means and tries to access the online shop with it. The system detects that the login comes from a different browser and location than usual and prompts for the second factor. Since the attacker does not have the customer's authenticator device, the second factor fails. The system immediately locks the account, notifies the customer about the incident, and instructs him to change his password and recover the account.

Conclusion

Regardless of the type of security implementation in a CIAM solution, the risk associated with simple passwords cannot be rooted out entirely. End users must be educated and encouraged to use strong passwords. However, enforcing enterprise-style password policies does not help customer-facing solutions. An adaptive, multi-factor-enabled solution can provide stronger account security without compromising the user experience.
