
Security and Arc XP Identity

Arc XP Identity allows clients to deliver frictionless and secure identity management customer experiences.

Behind the scenes, Arc XP employs many policies and procedures to keep your data safe. Our commitment to best practices and constant strengthening of our security position has resulted in our continued ISO 27001 certification.

This document focuses on areas where Arc XP and you share responsibility, that is, where your coding and configuration choices affect your security posture, rather than on the aspects Arc XP handles exclusively. It helps you make informed decisions to protect your customers and your business.

The following sections highlight some common attack methods that criminals can exploit if you don't use the available protective measures.

Threat: Credential stuffing

Credential stuffing occurs when attackers use stolen credentials from data breaches to try logging into many websites, hoping to find accounts where people reuse their credentials.

Solution: reCAPTCHA

reCAPTCHA effectively blocks automated attacks. Google provides a pass/fail (v2) or bot score (v3); Arc XP Subscriptions verifies this server-side to determine whether or not to process the request. For more information on implementing reCAPTCHA within Arc XP Subscriptions, see Secure your site against attacks: CORS domains, blocked email domains, and reCAPTCHA.

Using the Bot protection services offered by Arc XP’s CDN partner also makes executing this attack more challenging.

Threat: Brute force credential attack

Brute force credential attacks occur when attackers repeatedly try different username and password combinations until they find one that works. This is generally not a random approach; instead, attackers combine lists of common passwords with side-channel information to reduce the search space.

Solution: Account lockout

Arc XP Identity lets you set how many wrong login attempts are allowed before an account gets locked. After an account is locked, login attempts are automatically blocked until the lockout period ends—or a customer service agent unlocks the account.
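The lockout behaviour described above, as an added illustration that is not Arc XP's own code: a small policy object that counts failed attempts per account, locks the account once the configured threshold is reached, refuses further attempts until the lockout period has elapsed, and exposes an agent override. The class and function names, the default threshold and period, and the injectable clock are all assumptions of this example; in Arc XP Identity the equivalent settings are configured in the service itself.

```javascript
// Added example (not Arc XP code): account-lockout policy modelled on the
// behaviour described in the text. maxAttempts and lockoutMs are assumed
// configuration values; the clock is injectable so the policy can be
// exercised offline without waiting for real time to pass.
class LockoutPolicy {
  constructor({ maxAttempts = 5, lockoutMs = 15 * 60 * 1000, now = () => Date.now() } = {}) {
    this.maxAttempts = maxAttempts;
    this.lockoutMs = lockoutMs;
    this.now = now;
    this.state = new Map(); // accountId -> { failures, lockedUntil }
  }

  // True if the account may attempt to log in right now.
  isLocked(accountId) {
    const s = this.state.get(accountId);
    if (!s || !s.lockedUntil) return false;
    if (this.now() < s.lockedUntil) return true;
    // Lockout period has ended: clear the counter so the user starts fresh.
    this.state.delete(accountId);
    return false;
  }

  // Record a failed login; lock the account when the threshold is reached.
  recordFailure(accountId) {
    const s = this.state.get(accountId) || { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    if (s.failures >= this.maxAttempts) {
      s.lockedUntil = this.now() + this.lockoutMs;
    }
    this.state.set(accountId, s);
    return s.failures;
  }

  // A successful login resets the failure counter.
  recordSuccess(accountId) {
    this.state.delete(accountId);
  }

  // Customer service agent override: unlock before the period ends.
  agentUnlock(accountId) {
    this.state.delete(accountId);
  }
}

// Login gate: returns 'locked', 'invalid' or 'ok'. A locked account is
// rejected even when the submitted password is correct, which is what
// makes the lockout effective against guessing.
function attemptLogin(policy, accountId, passwordIsCorrect) {
  if (policy.isLocked(accountId)) return 'locked';
  if (!passwordIsCorrect) {
    policy.recordFailure(accountId);
    return 'invalid';
  }
  policy.recordSuccess(accountId);
  return 'ok';
}
```

Note that the gate checks the lock before evaluating the password, so a locked account gives the same answer regardless of whether the guess was right; leaking that difference would let an attacker keep confirming passwords during the lockout window.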

Solution: Password strength

Arc XP Identity allows you to configure the length and complexity of user passwords.

Threat: Bulk account creation

Bulk account creation occurs when attackers create hundreds or thousands of junk accounts, degrading the quality of your customer database and potentially impacting downstream services.

Solution: reCAPTCHA

reCAPTCHA is the most effective solution for preventing programmatic account creation.

Leveraging the Bot protection services offered by Arc XP’s CDN partner also makes executing this attack more challenging.

Leveraging reCAPTCHA can also help thwart programmatic guessing.

Important

Arc XP provides both prevention and response tools for security incidents. However, Arc XP obligations are limited to notifying and suggesting mitigation steps. If you don't use available preventive measures, Arc XP cannot remedy some situations. For example, if an attacker creates many fake accounts because preventive measures weren't in place, you'll be responsible for managing those accounts (including deleting the accounts).

Preventive measures

When leveraging Arc XP’s Identity service for user authentication, consider two key defensive tools: Bot protection service and reCAPTCHA. These tools work differently but complement each other. Together, they provide stronger protection for your customers' data and your business reputation against the many creative attackers on the Internet.

Bot protection services

Arc XP partners with a strategic CDN that offers Bot protection services. This service intelligently detects bad bots and prevents malicious activity. Bot protection provides the following benefits:

  • Automatically detects and stops low-and-slow attacks using AI-updated lists of malicious IPs, user agents, and bots analyzed from daily Internet traffic.

  • Enhances threat detection for suspicious traffic and actively intercepts attacks in progress.

  • Gives customers accurate, self-adjusting traffic assessments to distinguish between malicious and legitimate user requests.

  • Uses tiered responses to block bots without revealing detection methods to attackers.

  • Reduces the need to create ACS tickets, resolving issues quickly without manual intervention.

reCAPTCHA

Arc XP Subscriptions offers an integration with Google’s reCAPTCHA v2, which you can configure to protect APIs that are most susceptible to attack, such as user sign-in and account creation APIs.

Tip

A CAPTCHA (an acronym for Completely Automated Public Turing Test to Tell Computers and Humans Apart) is a security measure designed to differentiate bots from humans, typically with an image or audio challenge. CAPTCHAs are widely used on the Internet to prevent bots from signing up for accounts, spamming comments, and buying products.

reCAPTCHA is Google’s CAPTCHA system. It was released in 2007 and is currently used by more than 13 million websites. It is the most used CAPTCHA system to date as it provides a decent level of protection against the most common types of bot threats.

Google's invisible reCAPTCHA connects a security challenge to a button on your website. After a user completes this challenge, Google provides a verification token to the user's browser. This token is then sent with any requests to your backend systems. Your backend checks with Google to confirm the token is valid before processing the request. If valid, the system continues normally; if invalid, it blocks access with a 401 unauthorized response.
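The backend check described above, as an added example that is not Arc XP's or Google's code: the server forwards the browser's token to Google's siteverify endpoint and turns the JSON answer into an allow/deny decision, returning 401 when the token is missing, expired, reused or solved on a different hostname. The endpoint URL, the form parameters (secret, response, remoteip) and the response fields (success, score, action, hostname, error-codes) are Google's published API; the function names, the option names, the default v3 score threshold and the sample responses are this example's own constructions. The decision logic is kept in a pure function so it can be run offline; only the last function touches the network.

```javascript
// Added example (not Arc XP code): server-side verification of a reCAPTCHA
// token. Only the siteverify URL, its parameters and its response fields
// come from Google's API; everything else here is an assumption of this
// example.
const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

// Build the POST Google expects. The secret key stays on the server; only the
// site key is ever shipped to the browser.
function buildSiteverifyRequest(secret, token, remoteIp) {
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set('remoteip', remoteIp);
  return {
    url: SITEVERIFY_URL,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Decide whether a siteverify response should let the request through.
//  - success:false        token missing, expired, already used or forged
//  - hostname mismatch    token was solved on a page outside your site
//  - v3 only: low score or unexpected action is treated as a bot
function evaluateSiteverify(result, { expectedHostname, expectedAction, minScore = 0.5 } = {}) {
  if (!result || result.success !== true) {
    const codes = (result && result['error-codes']) || ['no-response'];
    return { allowed: false, reason: codes.join(',') };
  }
  if (expectedHostname && result.hostname !== expectedHostname) {
    return { allowed: false, reason: 'hostname-mismatch' };
  }
  if (typeof result.score === 'number') { // present only for v3 tokens
    if (result.score < minScore) return { allowed: false, reason: 'low-score' };
    if (expectedAction && result.action !== expectedAction) {
      return { allowed: false, reason: 'action-mismatch' };
    }
  }
  return { allowed: true, reason: 'ok' };
}

// Map the decision onto an HTTP status, mirroring the 401 described above.
function gateRequest(result, options) {
  const decision = evaluateSiteverify(result, options);
  if (decision.allowed) return { status: 200 };
  return { status: 401, body: { error: 'recaptcha_failed', detail: decision.reason } };
}

// Network wrapper; assumes a global fetch (Node 18+). Not exercised offline.
async function verifyRecaptchaToken(secret, token, options = {}) {
  const req = buildSiteverifyRequest(secret, token, options.remoteIp);
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  return gateRequest(await res.json(), options);
}

// Constructed sample responses shaped like Google's JSON (not real captures).
const SAMPLE_V2_OK = { success: true, challenge_ts: '2024-01-01T00:00:00Z', hostname: 'www.example.com' };
const SAMPLE_EXPIRED = { success: false, 'error-codes': ['timeout-or-duplicate'] };
const SAMPLE_V3_BOT = { success: true, score: 0.1, action: 'login', hostname: 'www.example.com' };
```

Two details matter in practice: always pass the hostname you expect, because a token solved on an attacker-controlled page with your public site key still verifies as `success: true`; and treat `timeout-or-duplicate` as a hard failure, since a token is single-use and expires within minutes, so a replayed one is exactly the automated traffic the check exists to stop.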

Site visitors with limited browsing history or blocked third-party cookies are more likely to be asked to complete a challenge. While this adds friction to login and checkout processes, it is the most effective way to prevent automated attacks.