The IAM Loginapp offers many user self-services allowing token registration and activation as well as user profile self-services and password change. The following hints help to keep the security level up when providing self-services to customers.
Restrict access self-services to authenticated users.
- Make sure only users with an adequate level of authentication may access certain self-services.
- Example: do not allow users to change the password when only authenticated using a "remember-me" cookie.
- Restrictions on self-services can be configured in the "Application Settings" of the Loginapp
Token registration, migration or other self-services must require strong authentication.
- Example: never allow self-registration of a 2nd factor token (e.g. MTAN) after only username password authentication.
- Token Migration should never be possible from weak authentication (username and password) to strong authentication (unless additional "authenticity" is added by e.g. sending an activation letter).
User self-registration leads to weak authentication only.
- Typically, user self-registration only involves the verification of an email address
- This may only lead to single-factor (weak) authentication - usually username and password
- A strong authentication factor may be added by e.g. sending the user a letter and with that verifying the postal address (assuming the postal service is authentic)