Account Recovery

From MgmtWiki

Full Title or Meme

Perhaps the most difficult step to perform securely is Account Recovery, when the user has lost control of access to their accounts.

Context

  • The original Account Recovery challenge was when the registered user forgot their password.
  • With the advent of Self-issued Identifiers

The Challenge of Account Recovery at Authenticate 2021.

A key challenge for user accounts is the issue of secure recovery. No matter how secure the authentication is to access an account, if there is a weak recovery system in place, an attacker will be able to bypass security. “Account recovery is really just another form of authentication,” Dean Saxe, Sr. Security Engineer at Amazon Web Services, stated. In a session, Saxe detailed what he referred to as the Iron Triangle of Account Recovery, which includes the concerns of access continuity, security and privacy. Saxe noted that the account recovery mechanism itself should be reasonably secure, preferably as secure as the primary authentication. “What we don’t want to create is a gate that you can walk around, or walk through because we haven’t secured the gate with a fence all the way around the thing that we’re trying to protect,” Saxe said. “So the recommendation is to register multiple authenticators, so you have a backup.”
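The principle above (recovery is just another authentication path, so the account is only as strong as its weakest recovery method, and a backup authenticator is needed for continuity) can be expressed as a small policy check. The following is an added illustration, not code from MgmtWiki or from Dean Saxe; the method names and the ordering of assurance levels are assumptions chosen for the example, not values from any standard.

```python
"""Policy check: an account is only as strong as its weakest recovery path.

Added illustration of the "gate with a fence around it" principle; not code
from MgmtWiki or from Dean Saxe. The assurance levels and method names below
are assumptions chosen for the example, not any standard's values.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Assurance(IntEnum):
    """Relative strength of an authentication or recovery method (assumed ordering)."""
    LOW = 1       # e.g. knowledge-based questions, SMS one-time code
    MEDIUM = 2    # e.g. e-mail magic link, TOTP app
    HIGH = 3      # e.g. phishing-resistant authenticator (FIDO2 / passkey)


# Assumed mapping of method names to assurance levels (example values only).
METHOD_ASSURANCE = {
    "security_questions": Assurance.LOW,
    "sms_code": Assurance.LOW,
    "email_link": Assurance.MEDIUM,
    "totp": Assurance.MEDIUM,
    "passkey": Assurance.HIGH,
}


@dataclass
class Account:
    primary: str                                  # method used for day-to-day login
    recovery: list = field(default_factory=list)  # enabled recovery methods


def effective_assurance(acct: Account) -> Assurance:
    """Strength of the account as an attacker sees it: the weakest way in.

    Recovery is just another authentication path, so the minimum is taken over
    the primary method and every enabled recovery method.
    """
    levels = [METHOD_ASSURANCE[acct.primary]] + [METHOD_ASSURANCE[m] for m in acct.recovery]
    return min(levels)


def can_enable_recovery(acct: Account, method: str) -> tuple[bool, str]:
    """Policy: a recovery path may not be weaker than the primary authenticator."""
    if method not in METHOD_ASSURANCE:
        return False, f"unknown method {method!r}"
    if METHOD_ASSURANCE[method] < METHOD_ASSURANCE[acct.primary]:
        return False, (f"{method} ({METHOD_ASSURANCE[method].name}) is weaker than "
                       f"primary {acct.primary} ({METHOD_ASSURANCE[acct.primary].name})")
    return True, "ok"


def has_backup(acct: Account) -> bool:
    """Access continuity: at least one recovery path must exist (register multiple authenticators)."""
    return len(acct.recovery) > 0


def audit(acct: Account) -> list[str]:
    """Return findings for the Iron Triangle concerns the account currently violates."""
    findings = []
    if not has_backup(acct):
        findings.append("continuity: no backup authenticator registered; lockout is unrecoverable")
    weakest = effective_assurance(acct)
    if weakest < METHOD_ASSURANCE[acct.primary]:
        weak = [m for m in acct.recovery if METHOD_ASSURANCE[m] == weakest]
        findings.append(f"security: recovery via {', '.join(weak)} lowers the account to {weakest.name}")
    return findings


if __name__ == "__main__":
    # Constructed example: passkey login with SMS reset, versus passkey login
    # with a second registered passkey as the backup authenticator.
    weak = Account(primary="passkey", recovery=["sms_code"])
    strong = Account(primary="passkey", recovery=["passkey"])
    for name, acct in (("weak", weak), ("strong", strong)):
        print(name, effective_assurance(acct).name, audit(acct))
```

The design point is that `effective_assurance` takes the minimum over every path, so adding a convenient but weak reset option silently downgrades a passkey-protected account to the level of that option; `can_enable_recovery` is the fence that stops such a path being registered in the first place, while `has_backup` covers the continuity corner of the triangle.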

Problems

  • The major issue with any Account Recovery function is the direct attack on the process to gain fraudulent control of the user's accounts.

Solutions

Dean H. Saxe, CIDPRO’s

After covering interoperability and digital legacy, it’s time to talk about the real-world edge case that’s often an under-invested feature of identity systems: account recovery.

The Recovery Session 📅 Thursday, June 5 | 11:30 AM – 12:20 PM | Mandalay Bay K https://lnkd.in/gvpvti-P

Recovery is no longer just a helpdesk ticket—it’s a top-tier identity challenge.

Join us as we discuss:

  • What good and bad account recovery processes look like
  • Why high quality authentication credentials require high quality account recovery mechanisms
  • Deepfakes, device compromise, and social engineering demand
  • How a secure account recovery process can lower risk and friction for users

I’ll be joined by a global group of experts:

  • Ove Morten Stalheim (BankID)
  • Justin Soong (Authsignal)
  • Bertrand Carlier, CIDPRO (Wavestone)
  • Robert Brown (Inverid)

We need to stop treating recovery as a bolt-on solution and start treating it as a core security mechanism of your authentication and credentialing systems.

References