We launched the ForgeRock Trust Network Technology Partner Program in November 2017 with a clear goal in mind: to enable easier and more seamless integration of complementary technologies to the ForgeRock platform. With innovation at the heart of our work at ForgeRock, we knew we needed to make it simple and straightforward to evolve to meet our customers' needs, and we wanted to bring valuable new capabilities into the program. In just four months, we’ve signed more than 20 partners, and we’re adding more every day. As we considered the types of organizations we'd like to include in the ForgeRock Technology Partner Program, the area of risk and fraud management arose as a high priority need. A market leader providing a differentiating capability in the risk and fraud space, VeriClouds was a natural fit as launch partner.
The VeriClouds solution is simple: it arms organizations with the ability to detect and prevent account breaches through the CredVerify service. VeriClouds has built - and continues to add to - a proprietary database of more than nine billion known credentials leaked on the dark web. This repository is used to detect, verify, and remediate user-centric risks across a broad range of end-points, online services, and infrastructure. For VeriClouds clients, this means that even if enduser account credentials are compromised, their data stays secure. How so? During user registration, password resets, and at the time of authentication, CredVerify compares credentials submitted against its database of leaked credentials. This is a huge step in mitigating risk and ensuring your data security.
Consider this: From March, 2016 to March, 2017, Google discovered 1.9 billion usernames and passwords exposed via data breaches and traded on black market forums. These were credentials for services like Dropbox, LinkedIn and thousands of other apps and websites. With the use of the CredVerify integration, ForgeRock customers will be able to detect and force a password reset for affected end users. This capability, along with strong authentication options that ForgeRock natively supports, ensures that the identity of users remain uncompromised, helping to avert the kind of data breaches that have plagued dozens of large enterprise brands in recent years.
How It Works:
The configuration options for the module let you choose the “Check Policy” as well as “User ID Type." The two options for policy type are Enterprise or Consumer. Enterprise tries to match all leaked passwords without matching User ID to the cracked password, ensuring maximum security. Consumer matches your User ID with a list of cracked passwords for that username.
For example, let’s say you configured an Enterprise policy and an end user makes an authentication request with a username of Bob.Smith with password Sup3r5ecure. If CredVerify found an entry in their system with username Alice.Smith and password Sup3r5ecure, authentication would fail and the user would be required to reset their password. If you chose Consumer, access would only be denied if the username and cracked password matched—a more lenient policy but still effective in protecting end-user data.
With the “User ID Type” field, you can select Username, Email, Hash, Phone Number or Auto Detect. This represents the type of User ID that the end user is entering. Auto Detect can be selected when multiple user ID types could be entered by the end user. For example, you would select auto detect for a service like Twitter, where your username can be your handle, an email or a phone number.
During authentication, the user login experience is unchanged from what ForgeRock customers would experience without CredVerify. The only difference is that when a known cracked password is used, the user is not authenticated and will be prompted to reset their password. CredVerify is also available when authenticating through Access Management's REST API with no additional configuration required. This means that whether a user is logging in through a web browser or through a mobile application, ForgeRock and CredVerify will help protect your organization and your data.
With cracked passwords becoming readily available to bad actors, it is more important than ever to take strong precautions when securing the data of your organization and of your customers. We're excited to bring VeriClouds and the CredVerify service into the ForgeRock Technology Partner Program, and look forward to helping our joint customers benefit from this innovative new offering. Questions or comments? Send us a message on Facebook or Twitter and we'll get back to you.