Forgot Your Password and Locked Out of the Admin Site?
Here's How to Avoid That
International System Research Co., Ltd.
January 18, 2023

Every month, the CloudGate support team receives inquiries from multiple administrators who are locked out of their admin sites. The most common reason for this trouble is a forgotten password. How can you prevent such issues and ensure secure authentication?
The Wide Impact of an Administrator Forgetting Their Password
Let's consider the problem of what happens when an IT administrator forgets the password to access the admin site.
Being unable to access the admin site means no work or tasks can be performed there, which can cause significant disruption. Not only will the administrator's own work be stalled, but they won't be able to promptly respond to urgent inquiries from users, potentially leading to difficult situations.
By contrast, if an ordinary user forgets their password, an in-house administrator can reset it, resolving the issue internally and quickly. But if no one else in the company can access the admin site, the only option may be to contact the service provider.
When a service provider receives a password reset request, it will normally verify the requester's identity first, to prevent impersonation. If that verification cannot be completed promptly, it can take a long time before the password is reset and access is restored.
The information used for this verification is typically a recovery password set when the service was first contracted, or other details supplied at signing. Such information is not used in daily work, so it is easily forgotten, and if it is not handed over when an administrator transfers or leaves, verification can take even longer. In the meantime, all internal administrative tasks are stalled, which in turn halts the work of internal users.
How to Recover Your Password Yourself
To prevent such situations, ISR guides CloudGate UNO administrators on the following self-recovery methods:
• Prepare two or more administrator accounts
As the number of employees and locations increases, management by a single system administrator can become insufficient. Distributing system administration duties by assigning different administrators per task or department serves as risk management.
• Set up password recovery features in advance
CloudGate UNO allows you to reset your password yourself using the password recovery feature if you forget it.
However, even with these preparations for self-recovery, it will still take some minimum amount of time, meaning business operations are likely to be halted to some extent.
The Limitations of Password-Only Authentication
Fundamentally, password-only authentication has several security problems. For an admin site, the most serious risk is the compromise of administrator privileges. If the admin site is protected only by a password, that password is exposed to phishing no matter how strong it is; if it is an easy-to-remember one or built from personally identifiable information, it can also be guessed or brute-forced; and if it is reused elsewhere, it can turn up in a leaked credential list and be tried in a credential-stuffing attack. If administrator privileges are abused, the damage to the company can be severe.
Perhaps because cybercrime and ransomware attacks make headlines almost weekly these days, public awareness of cybersecurity seems to be slowly changing. 1Password, a Canadian password management service company, surveyed 2,000 North American workers about employee sentiments and behaviors regarding cybersecurity and key aspects of modern work. According to this report, 50% of respondents stated that the biggest threat facing their company is employees falling for scams and phishing. However, despite this awareness, the survey revealed that bad security practices remain deeply entrenched in the workplace.
Bad habits include:
49% of respondents used personally identifiable information in their passwords. (Notably more prevalent among directors and above)
34% of respondents reused passwords, knowing the risks.
Additionally, the same survey revealed results that hint at the limitations of remembering passwords. The main methods for remembering work passwords are as follows:
49% Just remember it
24% Write it down
29% Use a password manager
The number of services and applications an individual uses for work keeps rising. That means more passwords to remember, so simple memorization no longer suffices and people turn to tools such as password managers. However, there are concerns about vulnerabilities in password managers themselves, and if the master password is compromised, every password in the vault is exposed at once, so it is hard to call this a complete security measure. Furthermore, reliable password managers with strong security features are often paid services, which raises cost concerns.
The Rise of One-Time Passwords and Their Pitfalls
As people gradually realized that password-only authentication is dangerous, one-time passwords became common, particularly on sites requiring high security, such as financial sites. A one-time password (OTP) is a disposable code that is valid for a single use within a short time window.
Fundamentally, authentication relies on three kinds of factors: something you know (knowledge), something you have (possession), and something you are (biometrics, also called inherence). Combining factors of different kinds is what makes authentication stronger; two factors of the same kind add little.
With an ID and password, the ID merely identifies the account and the password is the only factor, a knowledge factor, so the authentication is single-factor. When an OTP must be entered after the ID and password, a possession factor (the smartphone that receives the SMS or runs the authenticator app) is added, which puts it in the multi-factor category. Security is therefore higher than with ID and password alone.
However, an OTP is just another secret the user types into a web page. A phishing site that imitates the login page can collect the password and the OTP and relay them to the real site within the code's validity window, because nothing in the code ties it to the site where it was entered. OTPs are therefore not a phishing-resistant form of multi-factor authentication. So how can we avoid forgotten passwords and also authenticate in a way that resists phishing?
The Solution: Passwordless Authentication
It's clear that password-only authentication has limitations in both management and security. So, if passwords are the problem, why not adopt a "passwordless" approach?
CloudGate UNO offers passwordless authentication (FIDO2 / Pocket CloudGate) on all plans, with no password used as an authentication factor. Identity is verified on the "authentication device" or "terminal" with biometrics (fingerprint/face) or a PIN, and the device then proves that verification to the service. Users no longer need to remember a password or type one at login. The biometric data and PIN are stored securely within the authentication device and are never sent over the network, and in FIDO2 the device's response is cryptographically bound to the site's origin, so a response produced for a look-alike phishing site is not accepted by the genuine one. This resists leakage and theft through phishing and similar attacks, offering superior convenience and security.
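The OTP relay described in the previous section and the origin binding that FIDO2 adds, shown side by side as an added example; this is not CloudGate's code nor part of the original article. It models an OTP-protected admin login and a FIDO2-style one in Python using only the standard library. The site names, the user "alice", the constructed attack scenarios, and the use of a keyed MAC in place of the public-key signature WebAuthn really uses are all assumptions of the example.

```python
import hashlib
import hmac
import secrets
import struct

# ---- Part 1: password + TOTP (RFC 6238: HMAC-SHA1, 30 s step) ----------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, int(now // step), digits)


class OtpAdminSite:
    """Admin site protected by password + TOTP. Verification knows *when* a code
    was generated but has no notion of *where* the user typed it."""

    def __init__(self, password: str, otp_secret: bytes):
        self.password = password
        self.otp_secret = otp_secret

    def login(self, password: str, code: str, now: float) -> bool:
        if not hmac.compare_digest(password, self.password):
            return False
        # Accept the current and previous 30 s step for clock drift, as most servers do.
        return any(hmac.compare_digest(code, hotp(self.otp_secret, int(now // 30) + d))
                   for d in (0, -1))


def otp_phishing_relay(now: float = 1_700_000_000.0) -> bool:
    """Constructed adversary-in-the-middle scenario: the victim types password and code
    into the attacker's look-alike page; the attacker forwards both to the real site a
    few seconds later. Returns True if the attacker ends up logged in."""
    site = OtpAdminSite("S3cret!", secrets.token_bytes(20))
    victim_code = totp(site.otp_secret, now)            # victim reads this from their app
    return site.login("S3cret!", victim_code, now + 5)  # still inside the validity window


# ---- Part 2: FIDO2/WebAuthn-style assertion bound to the site's origin -------

def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


class Authenticator:
    """One credential key per relying-party ID; keys never leave the device.
    ASSUMPTION (dependency-free example): a keyed MAC stands in for the ECDSA/EdDSA
    signature WebAuthn really uses. The property demonstrated, that the signed data
    carries an RP ID hash the browser derives from the real page origin, is unchanged."""

    def __init__(self):
        self.credentials = {}  # rp_id -> credential key

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.credentials[rp_id] = key
        return key  # the RP stores this for verification (the public key in real FIDO2)

    def get_assertion(self, browser_rp_id: str, challenge: bytes):
        # The browser, not the page's JavaScript, supplies the RP ID from the page origin.
        key = self.credentials.get(browser_rp_id)
        if key is None:
            return None  # no credential scoped to this origin: the browser reports failure
        auth_data = rp_id_hash(browser_rp_id) + b"\x01"  # flags byte: user present
        signed = auth_data + hashlib.sha256(challenge).digest()
        return auth_data, hmac.new(key, signed, hashlib.sha256).digest()


class FidoAdminSite:
    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.keys = {}     # user -> credential verification key
        self.pending = {}  # user -> outstanding challenge

    def begin_login(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]

    def finish_login(self, user: str, auth_data: bytes, sig: bytes) -> bool:
        challenge, key = self.pending.pop(user, None), self.keys.get(user)
        if challenge is None or key is None:
            return False
        if auth_data[:32] != rp_id_hash(self.rp_id):  # origin-binding check
            return False
        signed = auth_data + hashlib.sha256(challenge).digest()
        return hmac.compare_digest(sig, hmac.new(key, signed, hashlib.sha256).digest())


def fido_login(phishing_rp_id=None, victim_registered_on_phish: bool = False) -> bool:
    """Constructed scenario. phishing_rp_id=None is a genuine login on the real origin;
    otherwise the attacker hosts that domain and relays the real site's challenge."""
    real, device = FidoAdminSite("admin.example.com"), Authenticator()
    real.keys["alice"] = device.register("admin.example.com")
    if phishing_rp_id and victim_registered_on_phish:
        device.register(phishing_rp_id)  # the attacker only ever gets a key scoped to *its* domain
    challenge = real.begin_login("alice")
    result = device.get_assertion(phishing_rp_id or "admin.example.com", challenge)
    return False if result is None else real.finish_login("alice", *result)


if __name__ == "__main__":
    print("OTP relayed by phishing page logs attacker in:", otp_phishing_relay())
    print("FIDO2 genuine login:", fido_login())
    print("FIDO2 relay, no credential for phishing origin:", fido_login("admin-example.net"))
    print("FIDO2 relay with a credential made on the phishing site:",
          fido_login("admin-example.net", victim_registered_on_phish=True))
```

Running it shows the asymmetry: the OTP server's only defence is the 30-second window, which a live relay meets easily, while the FIDO2 flow fails at two independent points. The authenticator has no credential for the phishing origin, and even a credential the victim was tricked into creating there signs data carrying the phishing domain's RP ID hash, which the genuine site rejects.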
To learn more about passwordless authentication:
• FIDO2 Passwordless Authentication
• Pocket CloudGate (App with biometric authentication and security notification features)
Summary
When an administrator forgets their password for the admin site, the following concerns arise:
- If the admin site only allowed password-only authentication, the administrator would be locked out if they forgot their password.
- Administrator tasks and responding to urgent user inquiries would be stalled, disrupting operations.
- If easy-to-remember or personally identifiable information is used for passwords to prevent forgetting them, there's a risk of it being guessed and used for unauthorized logins, compromising administrator privileges.
- While OTP usage for security is increasing, OTPs are vulnerable to phishing and cannot be considered a sufficient countermeasure.
To prevent such situations, we recommend implementing FIDO2 passwordless authentication, which is strong against phishing and convenient because it "doesn't use passwords."