Depending on how the data is handled, you can introduce more or less risk into your environment. We hope this article is valuable in helping you determine which credential screening provider is right for your organization.
What is the provider’s latency for each type of credential check? How will this impact the user login experience?
Does the provider rely on password cracking to match against their database? Cracking more advanced hashing algorithms is not possible when a provider is processing millions of records a day, so how many credentials are they actually matching on? What percentage is left uncracked? How do they handle b-crypt and other hard to crack hashes?
If the provider cracks passwords, is your security team comfortable with the risk of cracked passwords being transferred? Are they comfortable with the responsibility for storing users’ data from other systems to comply with GDPR and other PII laws?
Do they have the ability to allow comparisons with salted or hashed passwords?
Will the solution give you flexibility in your credential screening policy? Meaning if a user’s credentials are compromised, can you handle it in different ways like forced password reset, step-up authentication, etc.?
Can you integrate the API to be a definitive risk signal in your authentication and fraud prevention policy?
Does the provider provide realistic database numbers? There are an estimated 3B people with email addresses on the whole planet so there is a finite amount of data that can be reliably sourced without duplication. Are they inflating numbers and/or including duplicates in their numbers?
Do they source their data internally or buy the data from another data provider? If they buy the data from another source, do they disclose that to their customers?
Do they use automated technology for sourcing data? Do they use human threat research, if so how many people? Do they use a combination of both?
Does the provider have the capability to interface and/or integrate their screening solution with your IT systems to allow users to seamlessly log in to your organization‘s system in a secure manner?
Does the provider outline API documentation clearly for your team to implement it? Can your team get access to the technical team in case of issues?
Does the provider check passwords? Full credentials? Both?
What is the provider’s breadth of SDKs and Client Libraries to simplify integration? Java, .NET, etc..
Can the provider certify their compliance with all applicable federal, state and local laws, consumer reporting, privacy protection, data destruction and other governing laws?
Does the provider certify that their employees (and any sub-contractors) sign a confidentially and non-disclosure agreement that meets your company‘s requirements?
Can the provider clearly articulate the processes available to your company when a compromised credential is discovered?
Has the provider been held liable for their business practices in the past? Are they currently facing any active claims?
Does the provider have a written Information Security Policy that adheres to known best practices and provides a high level of data protection?
Does the provider have system security in place that fully meets your data security requirements, including communicating and securing data?
Does the provider meet your physical security requirements for securing their own systems that meets current IT security standards?
Does the provider have a written policy that states that personally identifiable information is never resold by them?
Can the provider provide periodic reports verifying data protection procedures are being followed or allow their processes to be audited?
Does the provider’s data breach policy meet your requirements?
Does the provider‘s disaster recovery plan meet your requirements?
Does the provider have a documented quality assurance policy and on-going process in place to ensure the highest level of accuracy is maintained?
Ask the provider if their processes have been audited by a certified external organization and the frequency that audits occur.
Has the provider been in business and have they offered this product last three years? Are they VC-funded and what is their run rate so you can avoid providers with a limited lifespan? Or do they operate off of their own revenue sources?
Does the provider have Errors & Omissions insurance or insurance that meets your company requirements?
Require the provider to fully disclose previous litigation within the last five years and any that occurs while the contract is in place.
Is credential screening core to their business or just something they have as an add-on to other products?