Deep Dive into Password Reset Process - Security score - Support and Troubleshooting

Deep Dive into Password Reset Process - Security score Summary This article aims to provide insights into the Security score calculation of password reset processes

Will provide insights on which Business rules and script includes used for the score calculation. Will give a clear understanding of the individual calculation parameters and overall score calculation logic. Release Any version

Instructions The security score of the password reset process is one of the key metrics for system administrators to gauge how strong the password reset process is configured.

Please find the total flow Security score calculation logic:

Business Rule: Calculate security score

Script Includes called when the above business rule is triggered:

PwdProcessStrengthCalculatorUtil PwdProcessStrengthCalculatorUtilSNC

In the script include PwdProcessStrengthCalculatorUtilSNC The calculation flow is as below:

_getIdentificationScore() This will validate if the process is using multiple identification methods like email+phone.

_getverificationScore() This calculates the score for the verification methods like SMS, security code, and security questions.

_getconfigurationScore() This will validate the configuration settings if an email/sms reset URL or autogenerated password is used.

_getpolicyScore() This calculates the password policies like enforcing the history policy, and the strength of the password(length, complexity etc)

_getpolicystrength() -->This will evaluate the individual policy settings like disallowing user data, repetition/sequence thresholds etc. Using all the above scores we will calculate the overall security score of the password process.

Deep Dive into Security Score Calculation:

1. Identification Score Max: 20 points

Enable multiple identification methods. If customer is using only one, Add another (e.g., username + email). Adds ~5 points Enable CAPTCHA . If it's not enabled, enabling it adds 10 points. It also helps prevent bots from exploiting the reset flow.

2. Verification Score Max: 40 points Use at least two verification methods with medium or high security level. Each method can add 15 (medium) or 25 (high) points. Avoid using only low-level (10 or 0) methods like basic email or SMS without URL. Ensure the minimum number of verifications configured is met. Use the Email Password Reset URL (or SMS with URL): This gives low-level verifications 10 points instead of 0. Tip: Balance mandatory and optional verifications to meet or exceed the min_verifications value.

3. Configuration Score Max: 20 points Enable either: Email/SMS Password Reset URL Or auto-generate passwords If neither is enabled, you're capped at 10 points here. Enabling either gives you the full 20.

4. Password Policy Score Max: 15 points Enable Password Policy on the Credential Store (if not already). Enable Enforce History Policy (e.g., last 5 passwords can't be reused). Use a "High" strength password policy. Enable: Disallow user data in the password Repetition threshold Sequence threshold These add up quickly and push the score closer to the max.

Using the above calculation logic we can achieve the required security score of the password reset process.