Making Self-Service Password Reset and Account Recovery Secure

Highlights:

  • Traditional recovery methods are broken: Relying on security questions and SMS/email OTPs exposes organizations to significant risks like social engineering, phishing, and account takeover.
  • Identity verification is the only real solution: To truly secure SSPR and SSAR, it is essential to verify a user's identity before granting them access. Modern solutions use multi-factor IDV (Identity Verification) to ensure a real, present person is making the request.
  • HYPR Affirm provides a modern, secure flow: This solution replaces vulnerable, traditional methods with a seamless and secure recovery process.

Self-service password reset (SSPR) and self-service account recovery (SSAR) are essential for reducing IT workload and empowering users. However, these solutions, if not implemented securely, can become an organization's biggest security hole. Up to 50% of all IT help desk tickets are for password resets, costing approximately $70 each. While SSPR and SSAR aim to solve this, traditional methods are often fundamentally broken, leaving organizations vulnerable to costly account takeovers.

What Are SSPR and SSAR?

SSPR and SSAR are self-service features that allow users to reset their passwords or recover access to their accounts without needing help from an IT professional. While this can drastically cut operational costs and reduce help desk tickets, it introduces a significant security risk: the recovery path becomes an alternative way into the account, so it is only as strong as the verification behind it.

Definitions and Business Use Cases:

  • SSPR (Self-Service Password Reset): Allows users to reset a forgotten password without IT intervention.
  • SSAR (Self-Service Account Recovery): Enables users to regain access to a locked or compromised account on their own.

The Risk of Traditional Recovery Methods

Traditional SSPR and SSAR solutions rely on methods that are easily exploited by attackers, turning a convenience into a major security vulnerability. These gaps leave organizations open to account takeover (ATO) and social engineering.

  • Security questions: Easily guessed or found online through social engineering, making them a weak form of authentication.
  • SMS/email OTPs: Susceptible to phishing and SIM swaps, where attackers can intercept the codes sent to a user's device.
  • Authenticator apps: Can be bypassed with "push bombing" attacks or rendered useless if a user loses or replaces their device.

Why Identity Verification Is Critical

Verifying a user's identity before granting access is the only way to ensure security during password resets or recovery. Modern solutions use a multi-factor identity verification (IDV) process that combines document scanning with liveness detection to confirm that a real, present person is requesting access.

The Modern SSPR Challenge: Uniting Security and Simplicity

Effective account recovery presents a difficult challenge: how do you balance the need for absolute security with the user's demand for a fast, simple experience? Traditional methods often fail this test. A lengthy call to a help desk might be secure, but it creates frustration and high operational costs. Conversely, a simple security question is easy for the user but offers almost no real protection against a determined attacker.

The ideal solution is an intelligent, adaptive flow that can orchestrate multiple signals of identity. It should be able to create a recovery path that is appropriate for the level of risk, making the process frictionless for legitimate users while presenting insurmountable barriers for fraudsters.

This modern approach moves beyond simple checks to a holistic verification of a user's identity, ensuring that convenience and security are no longer a trade-off.

The HYPR Affirm SSPR/SSAR Flow

HYPR Affirm is a secure, self-service solution that solves the paradox of traditional SSPR and SSAR. It eliminates the vulnerabilities of legacy methods by using a robust, multi-layered identity verification process.

Here’s how Affirm verifies the user at each step:

  • User Initiates SSPR/SSAR: The process begins when the user requests a password reset or account recovery from the login screen or a dedicated service portal.
  • Phone Number and Location Check: This includes phone number verification to confirm possession of the enrolled device, along with checks on geographic location to identify anomalies.
  • ID Document Scan and Selfie Liveness Check: The user is prompted to scan a government-issued photo ID (like a driver's license or passport). HYPR then performs a certified liveness check with a selfie to confirm the user is physically present, preventing deepfake and presentation attacks in compliance with NIST standards.
  • Automated Verification & Intelligent Escalation: The system instantly cross-references all identity data points to make a verification decision. If the evidence is conclusive, the user is approved. If the risk signals are uncertain, the flow can be automatically escalated to a secure manager or help desk agent chat or a live video call for final, human-assisted verification.
  • Phishing-Resistant Credential Reset: Once fully verified, the user securely completes their password reset or account recovery, establishing a new, phishing-resistant credential for safe, ongoing access.
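The "Automated Verification & Intelligent Escalation" step above is a risk-based decision: conclusive evidence approves, hard failures deny, and anything in between goes to a human. The following is an added illustration of that decision logic, not HYPR Affirm's code or API; the signal names (`phone_possession_verified`, `document_face_match`, and so on) and the thresholds are assumptions.

```python
"""Hypothetical model of the automated-verification step of a risk-based
SSPR/SSAR flow. Illustrative only: the signal names and thresholds are
assumptions, not HYPR Affirm's actual API or policy."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    APPROVE = "approve"    # evidence conclusive: proceed to credential reset
    ESCALATE = "escalate"  # uncertain: route to a help desk agent or live video call
    DENY = "deny"          # hard failure: no reset, record for investigation


@dataclass(frozen=True)
class RecoverySignals:
    phone_possession_verified: bool  # user proved control of the enrolled phone number
    location_anomalous: bool         # request origin inconsistent with the user's history
    document_authentic: bool         # government ID passed authenticity checks
    document_face_match: float       # 0.0-1.0 similarity between ID photo and selfie
    liveness_passed: bool            # certified liveness / presentation-attack check passed


def decide(s: RecoverySignals, approve_match: float = 0.90,
           escalate_match: float = 0.70) -> "tuple[Decision, list[str]]":
    """Return the decision and the reasons behind it.

    Hard failures deny outright; anything short of conclusive evidence is
    escalated to a human rather than approved or silently denied."""
    # Hard stops: a forged document or a failed liveness check is never "uncertain".
    if not s.document_authentic:
        return Decision.DENY, ["ID document failed authenticity checks"]
    if not s.liveness_passed:
        return Decision.DENY, ["liveness check failed (possible presentation attack)"]
    if s.document_face_match < escalate_match:
        return Decision.DENY, [f"face match {s.document_face_match:.2f} below {escalate_match}"]

    # Soft signals: each one alone is not proof of fraud, so they trigger escalation.
    concerns = []
    if not s.phone_possession_verified:
        concerns.append("phone possession not verified")
    if s.location_anomalous:
        concerns.append("request location anomalous for this user")
    if s.document_face_match < approve_match:
        concerns.append(f"marginal face match {s.document_face_match:.2f}")
    if concerns:
        return Decision.ESCALATE, concerns
    return Decision.APPROVE, ["all identity checks conclusive"]
```

Only an APPROVE result should be allowed to proceed to the credential reset step; the reasons list is what the escalation target (agent chat or video call) would see.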

[Figure: HYPR SSPR/SSAR flow chart]

Conclusion

  • Traditional SSPR/SSAR methods are not secure and can lead to costly account takeovers.
  • Multi-factor identity verification is the most effective way to secure the recovery process.
  • HYPR Affirm replaces vulnerable methods with a seamless, secure flow that cuts costs and reduces risk.

FAQs

Q: How does HYPR Affirm prevent deepfake attacks? A: HYPR Affirm uses a certified liveness check that analyzes the user's selfie in real-time to ensure they are a physically present person, not a deepfake or a static photo.

Q: Can HYPR Affirm be used with different types of IDs? A: Yes, HYPR Affirm is designed to work with various government-issued photo IDs, such as driver's licenses and passports.

Q: What is the cost benefit of using HYPR Affirm? A: By reducing help desk tickets for password resets and account recovery by up to 95%, HYPR Affirm can drastically cut operational costs for organizations.
