Credential screening providers are critical business partners who help mitigate the risks of cyberattacks and choosing the right one can prevent exposure of additional risks.

Depending on how the data is handled, you can introduce more or less risk into your environment. We hope this article is valuable in helping you determine which credential screening provider is right for your organization.

Credential Screening: The Basics

What is the provider’s latency for
each type of credential check (P50, P90, P99, and P99.9)? How will this impact
the user login experience?

Does the provider rely on password
cracking to match against their database? 
Cracking more advanced hashing algorithms is not possible when a
provider is processing millions of records a day, so how many credentials are
they actually matching on?  What
percentage is left uncracked?  How do
they handle b-crypt and other hard to crack hashes?

If the provider cracks passwords, is
your security team comfortable with the risk of cracked passwords being
transferred?  Are they comfortable with
the responsibility for storing users’ data from other systems to comply with
GDPR and other PII laws?

Do they have the ability to allow
comparisons with salted or hashed passwords?

Will the solution give you flexibility
in your credential screening policy? Meaning if a user’s credentials are
compromised, can you handle it in different ways like forced password reset,
step-up authentication, etc.? 

Can you integrate the API to be a definitive
risk signal in your authentication and fraud prevention policy?

Does the provider provide realistic database
numbers?  There are an estimated 3B
people with email addresses on the whole planet so there is a finite amount of
data that can be reliably sourced without duplication.  Are they inflating numbers and/or including
duplicates in their numbers?    

Do they source their data internally
or buy the data from another data provider? If they buy the data from another
source, do they disclose that to their customers? 

Do they use automated technology for
sourcing data? Do they use human threat research, if so how many people?  Do they use a combination of both? 

Does the provider have the capability
to interface and/or integrate their screening solution with your IT systems to
allow users to seamlessly log in to your organization‘s system in a secure
manner?

Does the provider outline API
documentation clearly for your team to implement it?  Can your team get access to the technical
team in case of issues?

Does the provider check passwords?
Full credentials? Both?

What is the provider’s breadth of SDKs
and Client Libraries to simplify integration? Java, .NET, etc..

Legal Compliance

Can the provider certify their
compliance with all applicable federal, state and local laws, consumer
reporting, privacy protection, data destruction and other governing laws?

Does the provider certify that their
employees (and any sub-contractors) sign a confidentially and non-disclosure
agreement that meets your company‘s requirements?

Can the provider clearly articulate
the processes available to your company when a compromised credential is
discovered?  

Has the provider been held liable for
their business practices in the past? Are they currently facing any active
claims?

Data Protection, Privacy and Security Measures

Does the provider have a written
Information Security Policy that adheres to known best practices and provides a
high level of data protection?

Does the provider have system security
in place that fully meets your data security requirements, including communicating
and securing data?

Does the provider meet your physical
security requirements for securing their own systems that meets current IT security
standards?

Does the provider have a written
policy that states that personally identifiable information is never resold by
them?

Can the provider provide periodic
reports verifying data protection procedures are being followed or allow their
processes to be audited?

Does the provider’s data breach policy
meet your requirements?

Does the provider‘s disaster recovery
plan meet your requirements?

Quality Assurance

Does the provider have a documented
quality assurance policy and on-going process in place to ensure the highest level
of accuracy is maintained?

Ask the provider if their processes
have been audited by a certified external organization and the frequency that
audits occur.

Business, Financial and Future

Has the provider been in business and
have they offered this product last three years?  Are they VC-funded and what is their run rate
so you can avoid providers with a limited lifespan?  Or do they operate off of their own revenue
sources? 

Does the provider have Errors &
Omissions insurance or insurance that meets your company requirements?

Require the provider to fully disclose
previous litigation within the last five years and any that occurs while the
contract is in place.

Is credential screening core to their business or just something they have as an add-on to other products?

If you have questions about this list or compromised credential screening in general, please contact us at [email protected]

The post Questions To Ask When Considering A Credential Screening Solution appeared first on Enzoic.

Recent Articles By Author

• The Login Was the Breach
• Summer Is Prime Time for Account Takeover
• The 2026 Verizon DBIR

More from Enzoic

*** This is a Security Bloggers Network syndicated blog from Enzoic authored by Enzoic. Read the original post at: https://www.enzoic.com/considering-a-credential-screening-solution/