I called the bank the other day, and even though I was only asking a simple question, I had to provide the last 4 digits of my social security number, my birthdate, and my verbal password. These security measures are in place in order for the banks to protect the assets they deem critical (which is every single penny they’re holding). And if you want to, say, change your verbal password, they will be asking you to confirm details about specific transactions, account numbers, etc. — all in an effort to ensure that you are absolutely, without a doubt, you.
For comparison, let’s examine the task of resetting a password via the helpdesk. As consistently noted by a huge number of surveys over the years, password resets make up a vast majority of helpdesk calls. The problem is that password resets may also be one of the least secure methods of gaining access to an organization’s assets. Users simply call in and request a password change. There are no challenge questions, no validation of the person’s identity — only the need for the helpdesk staff to address the caller’s request. This makes no sense at all, as this process could give a malicious insider or external attacker the ability to access a set of credentials.
So, why is this age-old process left so insecure?
The answer is simple: Without a solution that stores the information needed to verify each user, it’s impossible for a helpdesk tech to know if someone is who they say they are. In an age when external attackers are adopting completely malware-less attacks by simply posing as an individual in the organization, if security is truly important to your organization, perhaps it’s time to remove the helpdesk from the password reset equation.
To maintain a secure stance on password resets, like the banks, you will need an effective way to validate a user before resetting the password. A solution providing this service needs to have a few key capabilities:
- Authentication Methods: Upon making a request to reset a password, users need to be challenged to prove their identity. The right solution will maintain a few pieces of information for every user within the organization. Challenge methods can include authentication questions, Active Directory attribute confirmation, and answer requirements (e.g. number of questions, types of answers, and case sensitivity).
- Multiple Levels of Verification: Low-level users and executives probably shouldn’t use the same level of verification. It’s important that the solution you choose provides a way to establish increased verification requirements, such as additional and progressively stricter questions.
- Ease of Adoption: It’s not enough to just do a search on the web, find a password self-service solution, and install it. To be effective, you need every user to be enrolled. Users need to provide answers to the authentication questions, in order to populate the database and enable a more secure password reset process than what the helpdesk provides. Accordingly, the solution you choose also needs to ensure that it’s easy to adopt and easy to use.
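The three capabilities above, as an added example that is not part of the original post and not GroupID’s code: a small Python verification policy that stores challenge answers only as salted hashes, applies per-tier answer requirements (number of questions, case sensitivity) and confirms Active Directory attributes before a reset is allowed. The tier names, attribute names and sample enrollment data are constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Hypothetical verification tiers: executives must answer more questions,
# answers are case-sensitive, and more AD attributes must be confirmed.
TIERS = {
    "standard": {"required_questions": 2, "case_sensitive": False,
                 "confirm_attributes": ["employeeID"]},
    "executive": {"required_questions": 3, "case_sensitive": True,
                  "confirm_attributes": ["employeeID", "department"]},
}

def normalize(answer: str, case_sensitive: bool) -> str:
    # Collapse whitespace so "New  York" and "New York" compare equal.
    collapsed = " ".join(answer.split())
    return collapsed if case_sensitive else collapsed.lower()

def hash_answer(answer: str, salt: bytes, case_sensitive: bool) -> bytes:
    # Answers are stored hashed, so helpdesk staff and DB admins never see them.
    data = normalize(answer, case_sensitive).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, salt, 100_000)

@dataclass
class Enrollment:
    tier: str
    salt: bytes
    answers: dict        # question -> hashed answer
    attributes: dict     # snapshot of AD attributes at enrollment (constructed)

def enroll(tier: str, question_answers: dict, attributes: dict) -> Enrollment:
    policy = TIERS[tier]
    if len(question_answers) < policy["required_questions"]:
        raise ValueError("enrollment has fewer questions than the tier requires")
    salt = os.urandom(16)
    hashed = {q: hash_answer(a, salt, policy["case_sensitive"])
              for q, a in question_answers.items()}
    return Enrollment(tier, salt, hashed, attributes)

def verify(enr: Enrollment, given_answers: dict, given_attributes: dict) -> bool:
    policy = TIERS[enr.tier]
    # Every configured AD attribute must match before answers are considered.
    for attr in policy["confirm_attributes"]:
        if given_attributes.get(attr) != enr.attributes.get(attr):
            return False
    correct = 0
    for question, expected in enr.answers.items():
        supplied = hash_answer(given_answers.get(question, ""), enr.salt,
                               policy["case_sensitive"])
        if hmac.compare_digest(supplied, expected):  # constant-time comparison
            correct += 1
    return correct >= policy["required_questions"]
```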
Because of password resets, your current security strategy probably has a gap in it, and your helpdesk techs are potentially facilitating this gap. The only way to close this gap is to employ the same levels of protection that your bank uses: require your users to verify their identity before resetting their passwords. By utilizing the right password self-service solution, you’ll not only reduce or eliminate helpdesk calls, but you’ll also put your organization in a stronger security stance.
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.