5.3.3. Self-services

The IAM Loginapp offers a number of user self-services: token registration and activation, user profile maintenance and password change. The following hints help to keep the security level up when these self-services are offered to customers.

Restrict access to self-services to adequately authenticated users.

  • Make sure only users with an adequate level of authentication may access a given self-service; the required level depends on what the self-service can change.
  • Example: do not allow users to change the password when the session was only established via a "remember-me" cookie, because the cookie proves possession of a device, not knowledge of the current password.
  • Restrictions on self-services can be configured in the "Application Settings" of the Loginapp.

Token registration, token migration and comparable self-services must require strong authentication.

  • Example: never allow self-registration of a 2nd-factor token (e.g. MTAN) after username/password authentication alone; otherwise anyone holding a phished or leaked password can enrol their own second factor.
  • Token migration must never be possible from weak authentication (username and password) to strong authentication, unless additional "authenticity" is added out of band, e.g. by sending an activation letter to the address on file.

User self-registration leads to weak authentication only.

  • Typically, user self-registration only involves the verification of an email address.
  • This can only lead to single-factor (weak) authentication, usually username and password.
  • A strong authentication factor may be added later, e.g. by sending the user a letter and thereby verifying the postal address (assuming the postal service is authentic).
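The three rules above amount to one policy: every self-service has a minimum authentication level, a session below that level is refused and must step up, and the only way a weak session may touch token enrolment or migration is with an out-of-band activation letter. The following Python module is an added, illustrative implementation of that policy; it is not Loginapp code and does not reflect the product's configuration format. The authentication levels, the service names ("profile.view", "password.change", "token.register", "token.migrate") and the `activation_letter_verified` flag are assumptions made for the example. The activation-letter exception is applied to both token self-services, following the last bullet on adding a strong factor after self-registration.

```python
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    """Ordered authentication levels of a session (illustrative, not Loginapp's)."""
    ANONYMOUS = 0
    REMEMBER_ME = 1   # session restored from a persistent cookie only
    PASSWORD = 2      # username and password: single factor, "weak"
    STRONG = 3        # password plus a second factor such as MTAN


# Minimum level each self-service requires. Service names are hypothetical.
REQUIRED_LEVEL = {
    "profile.view": AuthLevel.REMEMBER_ME,
    "profile.edit": AuthLevel.PASSWORD,
    "password.change": AuthLevel.PASSWORD,   # never from a remember-me cookie alone
    "token.register": AuthLevel.STRONG,      # never after username/password alone
    "token.migrate": AuthLevel.STRONG,       # weak -> strong only with a letter
}

# Self-services that may accept a weak session plus a verified activation letter.
LETTER_STEP_UP_SERVICES = {"token.register", "token.migrate"}


@dataclass
class Session:
    user: str
    level: AuthLevel
    # Assumed flag: set only after the user entered the code from an
    # activation letter sent to the postal address on file (out-of-band).
    activation_letter_verified: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(service: str, session: Session) -> Decision:
    """Gate a self-service on the session's authentication level.

    Unknown services are denied (fail closed). A session below the required
    level is refused and told to step up, except that a username/password
    session with a verified activation letter may enrol or migrate a token.
    """
    required = REQUIRED_LEVEL.get(service)
    if required is None:
        return Decision(False, f"unknown self-service {service!r}: denied")
    if session.level >= required:
        return Decision(True, f"{service}: level {session.level.name} suffices")
    if (service in LETTER_STEP_UP_SERVICES
            and session.level >= AuthLevel.PASSWORD
            and session.activation_letter_verified):
        return Decision(True, f"{service}: password session plus verified activation letter")
    return Decision(
        False,
        f"{service}: requires {required.name}, session has {session.level.name}; "
        "step-up authentication needed",
    )


if __name__ == "__main__":
    # Constructed sample sessions to exercise each rule.
    samples = [
        ("password.change", Session("alice", AuthLevel.REMEMBER_ME)),
        ("password.change", Session("alice", AuthLevel.PASSWORD)),
        ("token.register", Session("alice", AuthLevel.PASSWORD)),
        ("token.register", Session("alice", AuthLevel.PASSWORD, activation_letter_verified=True)),
        ("token.migrate", Session("alice", AuthLevel.REMEMBER_ME, activation_letter_verified=True)),
        ("token.migrate", Session("alice", AuthLevel.STRONG)),
    ]
    for service, session in samples:
        d = authorize(service, session)
        print(f"{'ALLOW' if d.allowed else 'DENY ':5} {d.reason}")
```

Two design points worth keeping when adapting this to a real deployment: the check compares ordered levels rather than string-matching a login method, so adding a new authentication method only requires placing it on the scale; and the activation-letter exception is bound to the specific services that need it and still requires at least a password session, so a remember-me cookie plus a letter is not enough to enrol a token.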