On January 12, 2024, the New York State Department of Financial Services (“NYDFS”) released a new Industry Letter on the use of self-service password reset (“SSPR”) services, which enable users to reset their own password without the assistance of help desk or IT professionals.
The Industry Letter discusses the risks of SSPR services, specifically of allowing a password reset with only an email address (personal or business), an SMS message or a voice message, and points out the vulnerabilities of relying solely on these common authentication factors. Among the factors addressed, NYDFS takes the position that relying on email addresses as a criterion for account validation is “unreasonably risky” and “especially unwise,” because they can often be found on social media or other public websites and are “easy to guess.” In a similar vein, the Industry Letter notes that SMS and voice message authentication carry a high level of risk because of their susceptibility to SIM swapping, in which an attacker persuades a mobile carrier to move the victim's phone number to a SIM card the attacker controls and then receives the reset codes meant for the victim.
While the Industry Letter is not a response to any specific event, and the Cybersecurity Regulation (23 NYCRR Part 500) contains no express prohibition of, or guidance on, SSPR services, the letter may be motivated at least in part by a recent increase in successful social engineering attacks in which threat actors obtained user credentials through sophisticated social engineering techniques involving SSPR services, used them to access company systems and, in certain cases, deployed ransomware. The Industry Letter and its recommendations carry several important implications for companies and cybersecurity professionals, while emphasizing that companies should “understand the risk and implement appropriate controls.”
Potential for Increased Staffing Requirements: One recommendation in the Industry Letter is that organizations limit the user population permitted to use SSPR services. Every user removed from that population, however, becomes a help desk ticket when a password is forgotten, and the daily caseload could easily overwhelm current staffing levels at many organizations, necessitating the expansion of help desk and IT teams well beyond current levels. Help desk-assisted resets also need a documented identity verification procedure of their own, since a help desk agent is as much a social engineering target as an SSPR portal.
Bandwidth Allocation: If companies provide SSPR services to their employees, NYDFS recommends a defense-in-depth strategy for SSPR, including the logging and monitoring of successful and unsuccessful SSPR attempts. An unintended consequence of this recommendation is that it may consume significant resources of covered entities, given the potentially large volume of password reset requests. Relatedly, threat actors could flood a covered entity with SSPR requests, consuming the bandwidth of its IT department as staff review logs and monitor the activity, and leaving the covered entity potentially vulnerable to a cyber-attack by other means. Both consequences are smaller where review is automated: alerting on thresholds (bursts of requests from one source, repeated failures on one account, resets completed with a weak factor) rather than reading every event by hand turns a flood of requests into a signal rather than a workload.
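As an added illustration of what automated monitoring of SSPR attempts can look like (this is example code written for this page, not from the Industry Letter, NYDFS or any vendor product), the following Python script triages a constructed SSPR event log. It flags source addresses that burst past a request threshold (the flooding scenario above), accounts whose reset succeeded only after repeated failures, and resets completed with the email, SMS or voice factors the letter calls out. The log format, field names, thresholds and every sample line are assumptions made for the example.

```python
"""Triage of self-service password reset (SSPR) events.

Added example, not part of the NYDFS Industry Letter or any product.
Assumed log format (constructed for this example): one event per line,
    <ISO timestamp> <user> <source IP> <method> <outcome>
where method is the factor that satisfied the reset (email, sms, voice,
push, token) and outcome is "success" or "failure".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the users, addresses and times are not real data.
SAMPLE_LOG = """\
2024-01-15T09:00:01 alice 203.0.113.10 push success
2024-01-15T09:01:12 bob 198.51.100.7 sms success
2024-01-15T09:02:00 carol 192.0.2.44 email failure
2024-01-15T09:02:30 carol 192.0.2.44 email failure
2024-01-15T09:03:10 carol 192.0.2.44 email failure
2024-01-15T09:04:00 carol 192.0.2.44 email success
2024-01-15T09:10:00 dave 192.0.2.44 sms failure
2024-01-15T09:10:05 erin 192.0.2.44 sms failure
2024-01-15T09:10:09 frank 192.0.2.44 sms failure
2024-01-15T09:10:14 grace 192.0.2.44 sms failure
2024-01-15T09:10:20 heidi 192.0.2.44 sms failure
2024-01-15T09:30:00 ivan 198.51.100.9 token success
"""

# Factors the Industry Letter singles out as unreasonably risky on their own.
WEAK_METHODS = {"email", "sms", "voice"}


def parse_log(text):
    """Parse the assumed line format into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, method, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "method": method, "outcome": outcome})
    return sorted(events, key=lambda e: e["ts"])


def flood_sources(events, window=timedelta(minutes=5), threshold=5):
    """Source IPs that made >= threshold reset attempts within any sliding
    window; returns {ip: peak count in a window}."""
    recent = defaultdict(deque)
    flagged = {}
    for e in events:
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[e["ip"]] = max(flagged.get(e["ip"], 0), len(q))
    return flagged


def success_after_failures(events, window=timedelta(minutes=30), min_failures=3):
    """Accounts whose reset succeeded after >= min_failures failed attempts in
    the preceding window; returns [(user, failures before success)]."""
    failures = defaultdict(deque)
    hits = []
    for e in events:
        q = failures[e["user"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["outcome"] == "failure":
            q.append(e["ts"])
        elif len(q) >= min_failures:
            hits.append((e["user"], len(q)))
            q.clear()                          # a new reset cycle starts here
    return hits


def weak_factor_successes(events):
    """Resets completed using only an email, SMS or voice factor."""
    return [(e["user"], e["method"]) for e in events
            if e["outcome"] == "success" and e["method"] in WEAK_METHODS]


def triage(text):
    """Run all three checks over a log and return their findings by name."""
    events = parse_log(text)
    return {"flood_sources": flood_sources(events),
            "success_after_failures": success_after_failures(events),
            "weak_factor_successes": weak_factor_successes(events)}


if __name__ == "__main__":
    for check, finding in triage(SAMPLE_LOG).items():
        print(f"{check}: {finding}")
```

On the sample log the script reports a single address making five attempts in five minutes, one account (carol) whose reset succeeded after three failures, and two resets completed with an SMS or email factor alone. Thresholds are deliberately parameters: the right burst size and window depend on the organization's normal reset volume, and the point is that each finding becomes one alert rather than a dozen log lines for a person to read.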
Limited Options for Secure Authentication: In light of the risks the Industry Letter associates with the most common SSPR authentication factors, the options NYDFS seems to approve appear somewhat limited. NYDFS does not take issue with push notifications sent to user mobile devices or with physical tokens as authentication factors for SSPR (push notifications still warrant number matching or a similar confirmation step, since an attacker who initiates the reset can otherwise bombard the user with prompts until one is approved). Security questions and answers (“SQSA”) seem to be another option, but SQSA is exposed to the same weakness NYDFS noted for email addresses: the answers are frequently discoverable on social media or other public websites, or are easy to guess. Lastly, biometric authentication methods could be another option for SSPR, but they come with a host of legal and privacy issues that covered entities must consider before implementing them.