S3 Suite Account Recovery
Nok Nok™ S3 Authentication Suite (Nok Nok S3 Suite) uses Authenticators to make authentication simple for users, strong (it protects against scalable attacks) and scalable (it supports a variety of different authenticator models).
When users lose their last or only authentication method (forgotten password, etc.), account recovery needs to be performed in order to re-enable access to the account.
Most of us have experienced the need to recover an account after forgetting one of the many passwords we are required to remember. This is typically called “Password Reset” and is solved by sending a one-time link or passcode to the user. A recent Gigya study revealed that more than 80% of users trigger a password reset each year.
Replacing password based authentication with Nok Nok’s next generation authentication substantially reduces the need for account recovery, since users cannot “forget” a biometric or any other authentication method that requires nothing to be memorized. However, lost or stolen authenticators (e.g. smartphones) may still require account recovery.
Nok Nok S3 Suite includes support for global account recovery from a single platform, so that the remaining account recovery incidents can be handled regardless of the user’s location or the modality in use. The account recovery methods supported by the Nok Nok S3 Suite include:
- authenticating the user using one or more alternative methods (not relying on the lost authenticator) and
- verifying that the identity attributes of the recovery applicant match the ones of the legitimate user (“identity proofing”).
Strong Authentication needs Strong Recovery
With increasing cyber attacks, the need for strong authentication is on the rise. But what if it is easier for attackers to break into accounts by triggering account recovery? Just as strong authentication often involves two factors, account recovery should provide at least the same level of assurance, so that it does not become the weakest link and downgrade the assurance level of the whole account.
In a scenario in which two factor user authentication is required, merely sending a one-time passcode to the registered email address of the legitimate user is not sufficient: it proves only control of that mailbox and would reduce the overall assurance to that of weak single factor authentication. Instead, strong recovery needs to include the equivalent of two factors.
Nok Nok S3 Suite Account Recovery Support
The Nok Nok S3 Suite provides a flexible, policy based platform for identity proofing and account recovery. It supports account recovery by one-time passcodes delivered to the user and by online ID proofing methods.
Using the account recovery policies, these recovery methods can be combined using “AND” and “OR” operations to reach the desired security level. This makes it easy to configure the set of acceptable recovery methods that pairs well with strong two factor authentication.
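The following is an added example, not Nok Nok S3 Suite code and not its policy syntax, showing how the “weakest link” reasoning above can be checked mechanically. It models a recovery policy as an AND/OR tree over recovery methods, tags each method with the factor category it proves (possession, knowledge, inherence), and computes the assurance of the policy as that of its weakest satisfying path. The method catalogue (email OTP, SMS OTP, security questions, ID document plus selfie) and the factor category assigned to each are assumptions made for the illustration.

```python
# Illustrative recovery-policy evaluator. Added example; not Nok Nok S3 Suite
# code and not its policy syntax. Method catalogue and factor labels are assumptions.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Union

# Factor categories: something you have / know / are.
POSSESSION = "possession"
KNOWLEDGE = "knowledge"
INHERENCE = "inherence"


@dataclass(frozen=True)
class Method:
    """A recovery method and the factor categories it proves (hypothetical catalogue)."""
    name: str
    factors: FrozenSet[str]


@dataclass(frozen=True)
class And:
    left: "Policy"
    right: "Policy"


@dataclass(frozen=True)
class Or:
    left: "Policy"
    right: "Policy"


Policy = Union[Method, And, Or]

# Hypothetical methods; the category each proves is an assumption for this example.
EMAIL_OTP = Method("email_otp", frozenset({POSSESSION}))            # control of a mailbox
SMS_OTP = Method("sms_otp", frozenset({POSSESSION}))                # control of a phone number
SECURITY_QUESTIONS = Method("security_questions", frozenset({KNOWLEDGE}))
ID_PROOFING = Method("id_document_selfie", frozenset({INHERENCE}))  # document + face match

CATALOGUE: Dict[str, Method] = {
    m.name: m for m in (EMAIL_OTP, SMS_OTP, SECURITY_QUESTIONS, ID_PROOFING)
}

# "Email OR SMS" looks like two methods but every path proves a single factor.
WEAK_POLICY = Or(EMAIL_OTP, SMS_OTP)
# Each path here combines a possession proof with a knowledge or inherence proof.
STRONG_POLICY = Or(And(EMAIL_OTP, ID_PROOFING), And(SMS_OTP, SECURITY_QUESTIONS))


def satisfying_paths(policy: Policy) -> Set[FrozenSet[str]]:
    """Every way to satisfy the policy, as the set of factor categories proven on that path."""
    if isinstance(policy, Method):
        return {policy.factors}
    if isinstance(policy, And):
        return {a | b for a in satisfying_paths(policy.left)
                for b in satisfying_paths(policy.right)}
    if isinstance(policy, Or):
        return satisfying_paths(policy.left) | satisfying_paths(policy.right)
    raise TypeError(f"unsupported policy node: {policy!r}")


def weakest_path_factors(policy: Policy) -> int:
    """Assurance of a policy is that of its weakest path: the fewest distinct
    factor categories any satisfying path requires."""
    return min(len(path) for path in satisfying_paths(policy))


def meets_assurance(policy: Policy, required_factors: int) -> bool:
    """Configuration-time check: a recovery policy must not be weaker than login."""
    return weakest_path_factors(policy) >= required_factors


def is_satisfied(policy: Policy, completed: Set[str]) -> bool:
    """Run-time check: did the applicant complete a combination the policy accepts?"""
    if isinstance(policy, Method):
        return policy.name in completed
    if isinstance(policy, And):
        return is_satisfied(policy.left, completed) and is_satisfied(policy.right, completed)
    if isinstance(policy, Or):
        return is_satisfied(policy.left, completed) or is_satisfied(policy.right, completed)
    raise TypeError(f"unsupported policy node: {policy!r}")


def recovery_allowed(policy: Policy, completed: Set[str], required_factors: int) -> bool:
    """Grant recovery only if the policy is satisfied AND the completed methods
    actually prove enough distinct factor categories (two OTPs are still one factor)."""
    proven: Set[str] = set()
    for name in completed:
        proven |= CATALOGUE[name].factors
    return is_satisfied(policy, completed) and len(proven) >= required_factors


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strong", STRONG_POLICY)):
        print(f"{label}: weakest path proves {weakest_path_factors(policy)} factor(s); "
              f"acceptable for 2FA accounts: {meets_assurance(policy, 2)}")
    print("email OTP alone on strong policy:",
          recovery_allowed(STRONG_POLICY, {"email_otp"}, 2))
    print("email OTP + ID proofing on strong policy:",
          recovery_allowed(STRONG_POLICY, {"email_otp", "id_document_selfie"}, 2))
```

Two details worth noting: an AND of two possession proofs (email OTP plus SMS OTP) still counts as one factor, because both are defeated by the same class of attacker (one who controls the victim’s accounts or SIM), and the configuration-time check is what prevents a weak recovery branch from silently becoming the easiest route into a two factor account.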
There is no “one size fits all” recovery method that covers every geography and vertical. The S3 Suite therefore comes with a Recovery Backend API for integrating multiple account recovery methods and providers, which makes it easy to add further ID proofing methods in the future.