April 20th, 2013

New Self-Service Password Reset System

Since its inception in 1999, LuxSci Support has manually handled all password reset requests that were not handled by the account administrators.  

Why? Security reasons, of course. We are aware of:

  • Poor Security Questions: users very often choose weak answers to their security questions.
  • Hackers: people routinely try to use password reset systems to gain unauthorized access to other users’ accounts.
  • Lack of Information: users often do not have enough solid information in their profiles to reliably verify their identities.

By manually processing these requests, we can effectively block password resets in the face of poor identity verification information and subjectively identify “fishy” requests.

However, we have come to determine that this manual process, while it provides the best security, is not actually in the best interests of our customers because:

  1. Time: Manual identity verification takes time, and delays in password resets can be detrimental to our customers’ ability to get work done.
  2. Better Questions: We have improved our user security questions in the last few years so that the questions and answers are generally of much better quality than they used to be.
  3. Mobile Phones: Most people have mobile phones capable of receiving text messages now and these can be used for identity verification.
  4. Simulating our Manual Process: We find that we can provide an automated self-service password reset process that simulates our manual review and verification process to a very large degree without a significant loss in security.

How the New Process Works

Customers can now use the “Password Reset” button on the LuxSci WebMail login pages to begin the process of resetting their passwords.
  1. Enter your login username
  2. Enter an image code (CAPTCHA) to ensure that an actual person is filling out the form
  3. Based on the information available in your LuxSci Profile, you are presented with options for verifying your identity
  4. Once your identity is verified, you are taken to a password reset page
  5. Your password is reset
  6. A notice is sent to all of your configured email and SMS (text message) addresses informing you of the password reset.

Identity Verification

LuxSci currently supports 3 ways of verifying a user’s identity:

  1. Security Question: Provide the answer to your configured security question
  2. Alternate Email: An email can be sent to one of your configured alternate email addresses
  3. SMS / Text Message: A verification code can be sent to your cell phone

Two Factor Verification

By default, any password reset for any user of a LuxSci account requires verification of at least two pieces of information, for example:
  1. Answer your security question, then receive a verification email
  2. Answer your security question, then receive a verification text message
  3. Receive a verification text message, then receive a verification email

Based on the information available in your Profile, LuxSci offers you the pairs that can be formed from the factors you have configured. E.g. if you have an alternate email address, an SMS address and a security question, any of the above three options is available to you, subject to the “weak two factor” rule described under Further Protections below.

Requiring two separate factors means that discovering the answer to your security question alone is not enough for someone to gain access to your account.

Furthermore, when using an alternate email address or text message phone number, you are required to explicitly enter the address or phone number to be used, and it must match the one saved in your profile.  You are given a hint (e.g. the phone number with all but the last 4 digits obscured), which adds a little more protection: the system does not disclose your alternate email addresses or phone numbers unless the person requesting the reset already knows them.
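As an added illustration of the hinting and matching just described (example code written for this page, not LuxSci’s own implementation), the following Python shows one way to obscure a stored phone number or alternate email address for display, normalize what the requester types, and compare it against the profile value in constant time before sending a code to the stored address. The sample profile, the masking format for email addresses and the normalization rules are assumptions, not details LuxSci has published.

```python
import hmac
import re

# Constructed sample profile (not real account data): what the reset flow would
# load for the username the requester typed in step 1.
SAMPLE_PROFILE = {
    "alt_email": "J.Smith@Example.com",
    "sms": "+1 (617) 555-0134",
}


def normalize_phone(number: str) -> str:
    """Keep digits only, so '+1 (617) 555-0134' and '1 617 555 0134' compare equal.
    Assumption: country codes are stored and must be typed; no implicit prefixing."""
    return re.sub(r"\D", "", number)


def normalize_email(address: str) -> str:
    """Trim and lower-case. Assumption: the local part is treated case-insensitively,
    which is how practically all mail providers behave."""
    return address.strip().lower()


def mask_phone(number: str) -> str:
    """Hint shown on the reset page: every digit but the last four is obscured."""
    digits = normalize_phone(number)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(address: str) -> str:
    """Hint for an alternate address (assumed format, not LuxSci's): the first character
    of the local part, the first character of the domain and the top-level domain
    survive; everything else is obscured."""
    local, _, domain = normalize_email(address).partition("@")
    tld = domain.rsplit(".", 1)[-1]
    return f"{local[:1]}***@{domain[:1]}***.{tld}"


def reset_page_hints(profile: dict) -> dict:
    """Hints the reset page may show for each contact method present in the profile."""
    hints = {}
    if profile.get("sms"):
        hints["sms"] = mask_phone(profile["sms"])
    if profile.get("alt_email"):
        hints["email"] = mask_email(profile["alt_email"])
    return hints


def _same(a: str, b: str) -> bool:
    # Constant-time comparison so response timing does not reveal how many
    # leading characters of the stored value the requester's guess got right.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def select_delivery_address(profile: dict, kind: str, entered: str):
    """Return the stored address to send a verification code to if the requester
    typed one that matches the profile, else None.

    The code is always sent to the stored value, never to the requester's input,
    so a near-miss cannot redirect the code to an attacker-controlled address.
    """
    if kind == "sms":
        stored = profile.get("sms")
        if stored and _same(normalize_phone(entered), normalize_phone(stored)):
            return stored
        return None
    if kind == "email":
        stored = profile.get("alt_email")
        if stored and _same(normalize_email(entered), normalize_email(stored)):
            return stored
        return None
    raise ValueError(f"unknown verification kind: {kind!r}")


if __name__ == "__main__":
    print(reset_page_hints(SAMPLE_PROFILE))
    print(select_delivery_address(SAMPLE_PROFILE, "sms", "1 617 555 0134"))
    print(select_delivery_address(SAMPLE_PROFILE, "sms", "617 555 0134"))
```

Because only digits are compared, a requester who omits the country code does not match the stored number; whether to tolerate that is a product decision, and any such leniency should be applied identically to both sides of the comparison rather than by loosening the match.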

Single Factor Verification

Customers whose accounts are not high-security and who wish to allow password resets using only a single piece of information can have their account administrators enable “single factor” identity verification.  This is done on the “Advanced Administration > Security > Passwords & Login” page.

With single factor verification, an end user can reset his or her password after verifying only one of the above pieces of information.  However, if the user’s profile contains enough information for two factors, two factor verification is required anyway.  Also, all administrative users must use two factor verification regardless of this setting.

Prohibiting Self Service Password Resets

Customers who do not want their users to reset their own passwords can disable self-service password resets and provide instructions for what their users should do if they have lost their passwords.
This can be done:
  1. For all users in the account: on the “Advanced Administration > Security > Passwords & Login” page
  2. For all users in a domain: on the “Security > Passwords & Login” page of the domain management area
  3. For a specific user: on the user’s configuration page

Further Protections

In addition to the identity verification processes described above, LuxSci offers:

  1. Notifications: LuxSci sends an email notice to all contact email and text message addresses belonging to a user when the user’s password is reset in this way.  LuxSci also notifies customers when any attempt is made to reset a user’s password, even if that attempt is aborted or fails; this is done via our automated login failure notification system.  Via these mechanisms, customers are aware of every password reset attempt and can take timely action to strengthen account protections if needed.
  2. Rate Limits: Only a few password reset requests can be made per hour from each requestor (IP address).  Additionally, guessing security question answers and the answers to other identity verification questions is limited to only a few failures per hour.  This effectively limits brute force guessing attacks on the password reset system.
  3. Proactive Information Updates: Starting next week, we will proactively prompt WebMail users to update their contact information periodically, to ensure that it is up to date and that multiple factors are available.
  4. Blocking Password Resets from Disallowed IPs: Customers that block access to WebMail using our Custom Account/Domain/User Firewall features or our domain-level access restrictions by region or country also effectively restrict password resets.  LuxSci only permits password reset requests originating from IP addresses that are permitted to log in to the LuxSci WebMail interface as the user in question.
  5. Avoiding Weak Two Factor: As some people receive their alternate email on their cell phone, LuxSci will not permit the combination of alternate email plus text message as a valid identity verification method if any other, better two factor combination is available (e.g. security question plus text message).  Alternate email address plus text message is a “weak two factor” because access to one’s cell phone may provide access to both factors.
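Putting together the rules from the Two Factor Verification, Single Factor Verification and Prohibiting Self Service Password Resets sections with the weak-two-factor rule in item 5 above, here is an added Python example (written for this page, not LuxSci’s code) of a policy function that decides which verification combinations a reset page may offer a given user. The factor names, the ResetContext fields, and the treatment of the account/domain/user “self-service” settings as one already-resolved flag are assumptions.

```python
from dataclasses import dataclass
from itertools import combinations

# Factor names are assumptions for this example; LuxSci's internal names are not published.
SECURITY_QUESTION = "security_question"
ALT_EMAIL = "alt_email"
SMS = "sms"

# The "weak two factor" pair: a single stolen phone can often satisfy both halves.
WEAK_PAIR = frozenset({ALT_EMAIL, SMS})


@dataclass(frozen=True)
class ResetContext:
    factors: frozenset                   # factors the user's profile contains
    is_admin: bool = False               # administrative users never get single factor
    single_factor_allowed: bool = False  # account-level "single factor" setting
    self_service_enabled: bool = True    # assumption: account/domain/user settings already resolved into one flag


def allowed_verifications(ctx: ResetContext) -> list:
    """Return the combinations the reset page may offer, each a frozenset of factor names.

    An empty list means self-service reset is not possible for this user and the
    page should show the administrator's instructions instead.
    """
    if not ctx.self_service_enabled:
        return []

    pairs = [frozenset(p) for p in combinations(sorted(ctx.factors), 2)]

    # Avoid weak two factor: drop email+SMS whenever a better pair exists.
    if WEAK_PAIR in pairs and len(pairs) > 1:
        pairs.remove(WEAK_PAIR)

    if pairs:
        # Enough information for two factors, so two factors are required
        # even if the account permits single-factor verification.
        return pairs

    if ctx.single_factor_allowed and not ctx.is_admin:
        return [frozenset({f}) for f in sorted(ctx.factors)]

    return []


def describe(ctx: ResetContext) -> str:
    """Human-readable summary, usable on the reset page or in an audit log entry."""
    options = allowed_verifications(ctx)
    if not options:
        return "self-service reset unavailable; contact your account administrator"
    return " | ".join(" + ".join(sorted(o)) for o in options)


if __name__ == "__main__":
    # Constructed sample users, not real accounts.
    samples = {
        "full profile": ResetContext(frozenset({SECURITY_QUESTION, ALT_EMAIL, SMS})),
        "email + SMS only": ResetContext(frozenset({ALT_EMAIL, SMS})),
        "question only": ResetContext(frozenset({SECURITY_QUESTION})),
        "question only, single factor allowed":
            ResetContext(frozenset({SECURITY_QUESTION}), single_factor_allowed=True),
        "admin, single factor allowed":
            ResetContext(frozenset({SECURITY_QUESTION}), is_admin=True, single_factor_allowed=True),
        "self-service disabled":
            ResetContext(frozenset({SECURITY_QUESTION, ALT_EMAIL, SMS}), self_service_enabled=False),
    }
    for name, ctx in samples.items():
        print(f"{name}: {describe(ctx)}")
```

Note that a user with only an alternate email and a phone number still gets the weak pair, because the alternative would be no self-service reset at all; the rule only removes that pair when something stronger is on offer. A user with a single factor and no single-factor setting falls through to the administrator, which is the behaviour the text describes for high-security accounts.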

If you have any questions about configuring your account’s Password Reset options, please contact LuxSci Support.
