IBM Security Verify


Password intelligence infused in IBM Security Verify SaaS

By Milan Patel posted Thu April 20, 2023 03:21 PM


The promise of removing passwords has been an endeavor security practitioners have embarked on for years. Although there has been progress, the fact of the matter is that many individuals still use passwords as they interact with brands and other digital entities, especially in CIAM use cases. A Forrester report indicated that 52% of respondents in a survey of US smartphone users use the same password, or a variation of the same password, across multiple online accounts[1]. The same survey also indicated that 54% of respondents simply prefer to use passwords for consumer websites or mobile apps rather than passwordless authentication[2].

The promise of passwordless authentication is being realized by the experiences delivered by passkeys and by even newer approaches such as verifiable credentials and decentralized identity. Although these are being adopted in the market, the data still shows that passwords are prominent and will continue to be prominent in the coming years, even as we deliver experiences to remove them!

Because of this, IBM Security Verify started to explore a way to help organizations and individuals get more intelligence and real-time feedback on how secure or insecure the passwords they use are. Password policies define the constraints that a password must satisfy, but users are still being phished, or are choosing common passwords that meet the policy requirements, and that remains an exploitable weakness.

IBM Security Verify has taken note of both this vector and the natural human behavior of using passwords, and with that, we’d like to introduce IBM Security Verify Password Intelligence, powered by IBM Security X-Force. 

IBM Security Verify Password Intelligence powered by IBM Security X-Force

As IBM Security Verify looked at how the challenge of phished and common passwords could be solved, we did not have to go far to find experts in the field. IBM Security X-Force is comprised of researchers, ethical hackers, and engineers from across the globe. The X-Force team crawls the web to find phishing websites and reverse-engineers those sites to identify the phished passwords that may ultimately be used in password spraying and credential stuffing attacks.

With this intelligence, IBM Security Verify’s Password Intelligence capability allows Verify tenant administrators to define enforcement policies that incorporate password intelligence checks to mitigate the use of phished or common passwords. 

Verify tenant administrator configuration: 

Verify tenant administrators can configure how password intelligence is captured and how the end-user experience is defined. This also allows tenant administrators to define the sources of password intelligence, the mitigation applied, and the flows in which the check runs.

  • Password intelligence sources allow Verify administrators to enable the IBM Security X-Force intelligence list and/or upload a customer-provided list. Verify checks passwords against the X-Force intelligence and/or the administrator-uploaded list.
  • Password intelligence mitigation configuration allows Verify tenant administrators to choose “Audit”, “Warn”, or “Enforce” for individuals who use a password found on the intelligence list.
  • Password intelligence check flows allow Verify administrators to define different user experiences for mitigation across the login, account creation, password change, and password reset flows. This ensures the existing experience of current users is not disrupted while an enforce policy is adopted for new user creation: visibility without impacting the user experience is possible in each of these flows.
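The following is an added example, not IBM's code, that models the policy described above: two intelligence sources (a stand-in for the X-Force list and an uploaded list), a per-flow mitigation mode of audit, warn, or enforce, and an audit record that feeds the report. The source lists and passwords are constructed sample data, and the SHA-256 digests stand in for whatever matching scheme the real service uses.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass

def _digest(password: str) -> str:
    # Store only digests so the intelligence list never holds plaintext.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Constructed sample sources (hypothetical entries, not real X-Force data).
SOURCES = {
    "xforce": {_digest("Summer2023!"), _digest("Password1")},
    "custom": {_digest("Acme#2022")},
}

# Per-flow mitigation as the text describes: audit only on login so current
# users are not disrupted, enforce on new accounts and resets, warn on change.
POLICY = {
    "login": "audit",
    "account_create": "enforce",
    "password_change": "warn",
    "password_reset": "enforce",
}

@dataclass
class Decision:
    flow: str
    matched_sources: list   # which intelligence lists contained the password
    action: str             # "allow", "warn", or "block"

def check_password(flow, password, policy=POLICY, sources=SOURCES, log=None):
    """Evaluate a password against the intelligence sources for one flow.

    Matching events are appended to `log` (never the password itself)."""
    digest = _digest(password)
    matched = [name for name, hashes in sources.items() if digest in hashes]
    mode = policy[flow]
    if not matched:
        action = "allow"
    else:
        action = {"audit": "allow", "warn": "warn", "enforce": "block"}[mode]
        if log is not None:
            log.append({"flow": flow, "sources": matched, "mode": mode})
    return Decision(flow, matched, action)

def report(log):
    """Aggregate triggered sources and mitigation paths, as the report section describes."""
    return {
        "by_source": dict(Counter(s for e in log for s in e["sources"])),
        "by_mitigation": dict(Counter(e["mode"] for e in log)),
        "events": len(log),
    }
```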

Verify tenant insights and reports: 

As logins are captured and the password intelligence capability is enabled, Verify tenant administrators are able to gain insight into where users have triggered the password intelligence policy and see an aggregate view across the organization's population.

The password intelligence report provides details on which password intelligence sources are being triggered, which mitigation path is being triggered, and a table of all affected user logins for future insight into user activity.

Although the move to passwordless authentication and onboarding should be the strategic approach, the practicality of operationalizing it can be limited by individual understanding of the technology and access to it (e.g., passkey-enabled devices, authenticator apps). IBM Security Verify is positioned to help solve the challenge now while also providing the strategic path forward to deliver passwordless authentication and onboarding at scale.

Learn more about IBM Security Verify and spin up a free trial. 

[1] Forrester Report: The State of Customer Authentication, 2022

[2] Forrester Report: The State of Customer Authentication, 2022