CodeBetter.Com

Paul Laudeman

Helping You to Make "Smart Clients" Smarter!

June 2006 - Posts

  • Presentation to DC MICSUG on MIIS AD/RACF Synchronization

    Last night I had the opportunity to present a recent case study on an MIIS implementation to the Capital Area Microsoft Connected Systems User Group (MICSUG). My presentation followed an introduction to MIIS by Microsoft Principal Technology Evangelist Joe Francis. Thanks go to Geoff Snowman for coordinating the event and logistics. 

    My case study presentation covered how MIIS was leveraged to provide identity synchronization and access management between Active Directory and an IBM RACF security database. In addition, I covered several lessons learned that we took away from the implementation experience, which are applicable to nearly all types of MIIS projects.

    >> MIIS Identity Management Case Study presented to MICSUG

    [tags: miis,identity management,ibm racf,access management,enterprise identity]

  • MIIS Operational Information: High Availability, Disaster Recovery resources

    A question was posted to the Yahoo! MMSUG (Microsoft Meta Directory Users Group) requesting information about Microsoft Identity Integration Server (MIIS) disaster recovery and database management.

    Here is a list of resources that have been helpful for us in planning and managing our MIIS implementation as well as in developing our disaster recovery plans.

    If I have missed any resources, please let me know. Thanks!

    [tags: miis, disaster recovery, high availability]

  • Password reset challenge questions: More trouble than they are worth?

    Keith Brown states that password “security questions are considered dangerous” in the context of web applications, in particular as it relates to the new Membership Provider functionality in ASP.NET 2.0, because “there’s nothing stopping the user from asking a question that is easily answered by a 6 year old.”

    This is an excellent point and raises some important questions, especially as companies seek ways to reduce help desk and administrative IT support costs. Is it enough to leave the security of your web applications or network resources in the hands of your users with a simple question/answer password reset challenge model?

    Self-service password reset solutions sound very appealing for a number of reasons, especially so in the enterprise space. One reason, certainly, is the focus on reducing IT support costs and loss of employee productivity. Gartner says that companies can save anywhere from $51 to $147 per call by providing a self-service password reset solution[1]. If that sounds like a lot of money each time a user picks up the phone to call the help desk, you’re right, because it ties up both the help desk operator and the employee. Multiply this by the number of systems where the user has identity information (on average 16!), and this cost can be significant. Consider also that in most larger companies it is estimated that up to a third of help desk call volume is dedicated to password reset tasks.

    Some might recommend that we do away with self-service password resets altogether, as the risk they pose is too great to be worth the cost savings that are promised. Alun Jones suggests that we might be better off doing away with self-service resets and instead taking a walk down to the security office and showing physical ID before a password is reset, or using any method other than self-service, such as requesting a reset and having your new password mailed to your manager.

    Is there an acceptable middle ground to be found? Given the significant cost savings that might be had by implementing a self-service password reset solution, what would it take to do it right?

    Perhaps it will take multi-factor evidence to assure non-repudiation of your identity. For example, in addition to answering your password challenge question you might also have to swipe your smart card, or answer several questions of varying difficulty depending on your organizational role.

    The takeaway from this discussion is that self-service password resets are more complicated than they look, and that you should be careful about implementing this functionality without fully considering the potential risks involved. Microsoft has done a great job of providing us with a solid provider model to implement with ASP.NET 2.0, but let's remember to pause and carefully evaluate the risks and benefits involved.

    [1] Gartner Group, 2002, “Password Reset: Self-Service that you will love”

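The role-dependent reset gate sketched in the password reset post above (several challenge answers plus a second factor, with the requirement varying by role), as an added example in Python; this is not code from the post or from the ASP.NET Membership Provider, and the role policy table, the hashing parameters and the attempt limit are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed policy: (number of challenge answers required, second factor required).
# A user-chosen question may be trivial, so higher-value roles need more evidence.
ROLE_POLICY = {"staff": (1, False), "finance": (2, True), "admin": (3, True)}
MAX_ATTEMPTS = 3  # lock the reset channel after this many consecutive failures


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive comparison so 'Fido ' matches 'fido'."""
    return " ".join(answer.lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Answers are stored like passwords: salted, slow hash, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


@dataclass
class Enrollment:
    role: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    answer_hashes: list = field(default_factory=list)
    failures: int = 0

    def enroll(self, answers):
        self.answer_hashes = [hash_answer(a, self.salt) for a in answers]


def verify_reset(enr: Enrollment, given_answers, second_factor_ok: bool) -> bool:
    """True only if every element of the role's policy is satisfied."""
    needed, needs_factor = ROLE_POLICY[enr.role]
    if enr.failures >= MAX_ATTEMPTS:
        return False  # locked out: route to the help desk instead
    if len(enr.answer_hashes) < needed or len(given_answers) < needed:
        enr.failures += 1
        return False
    ok = True
    # Check every required answer (no early exit) with a constant-time compare.
    for stored, given in zip(enr.answer_hashes[:needed], given_answers[:needed]):
        ok &= hmac.compare_digest(stored, hash_answer(given, enr.salt))
    if needs_factor and not second_factor_ok:
        ok = False
    enr.failures = 0 if ok else enr.failures + 1
    return ok
```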
