Identity Verification Manager in Practice

Anders Meyer | CEO FastPasscorp

At FastPass, we envisioned the FastPass Identity Verification Manager (IVM) back in 2017. It took a few years to build, followed by additional time to perfect. Now, we are at a point where the solution has matured. When we approach our business partners, they often have a limited view of what FastPass can do for them within Identity Verification Management.

In this blog, I will discuss some of the use cases and implementations we have undertaken to help readers understand the variety and flexibility of IVM and how it is being utilized in the field.

What FastPass IVM is in Short

 

FastPass IVM is a product designed to verify a user’s identity, particularly when a user contacts the internal Service Desk to prevent social engineering attacks through vishing. Although some customers utilize IVM in other areas beyond the Service Desk, this remains its primary application and focus.

FastPass IVM is employed to validate a user’s identity when they require assistance from the Help Desk. For some customers, this verification occurs with every call; for others, it is reserved for more sensitive operations, such as credential loss. In general, IVM verification is based on prior knowledge of the user, who in most cases is an employee or student of the organization.

Protecting the Agent

It is well known that hackers use social engineering methods to persuade the help desk supporters to give away passwords or other critical types of information. The easiest way to do this is to get the supporter to deviate from the verification instructions.

To prevent this, our customers remove the privileged rights from the supporters so they can’t reset a password with standard Microsoft administrative tools. Only FastPass IVM can generate a new password, according to the configured rules. This means that the configured rules for verification become mandatory!

The consequence is that the supporter can truthfully tell anyone pushing to get a password immediately, without any tests, that it can’t be done. A real user will accept this, and a hacker will probably give up.

Same Profile for All?

Integration into ITSM systems has proven to be important, as it eases the workload for the agent handling the call and automates the process of selecting the appropriate proofing level (if you choose to have different profiles for different operations).

We typically find that larger customers maintain two different overall proofing levels, with two distinct operational proofing levels within them. On one end, you have common users who require only basic verification for non-sensitive operations. On the other end, there are privileged accounts that require password resets, necessitating a higher level of verification. This setup results in four different proofing profiles. We can categorize these as “high-risk” and “normal” on the user side, and “sensitive” and “normal” on the operations side.

How Proofings Work

Proofings are the individual components of the verification process. These can range from assessing the caller’s knowledge about their manager’s name to performing an Authenticator push operation. FastPass IVM addresses the proofing process from a scoring perspective, requiring a user to reach 100% to be verified.

The score for each proofing item can vary depending on the action and the user, both positively and negatively. For example:

  • A user calls in and states they have a mobile phone and can receive a PIN code. For high-risk users, correctly answering this might score 25%, whereas a normal user in a sensitive operation might score 50%. Conversely, if the answer is incorrect, the high-risk user might be deducted 20%, while the normal user might be deducted 10%.

Locating Proofings in the Real World

When we start engaging in a project with IVM, one of the first tasks is to locate proofing objects that we can utilize. Please note that in about 50% of implementations, we add custom data and questions as this is very easily done.

Typically, we tap into the current validation process as the first step. The proofing types we meet most often, from strong to weak, are:

  1. Strong Types: Authenticators (like Okta or Duo), TOTP codes, RSA devices, eIDs, biometrics, manager/colleague approval.
  2. Medium Types: Email PIN, SMS PIN, “carry” tokens (like an access card), device IDs, serial numbers (hardware or software).
  3. Weak Types: Manager data, names of peers, working location, employee ID, challenge questions, seniority, presence and user ID in other systems.

This varies significantly from organization to organization. In about 50% of cases, customers choose to utilize FastPass SSPR to leverage the synergy from proofing items that users enroll with. When enrolling in SSPR, FastPass can gather user data such as mobile phones, TOTP codes, and special questions, which can be reused in IVM.

When FastPass Really Starts Adding to the Process

Apart from the standard proofing methods mentioned above, FastPass introduces additional dynamic and contextual options to enhance the verification process. Some examples include:

  • Is the user sitting in front of their device? When the FastPass agent is used, it can verify if the user is actually in front of their usual PC. If the user typically uses this device, it can add points to the proofing process.
  • Is the user present on a trusted network? Whether using the agent, a browser, or a mobile device to connect to FastPass, this option can contribute to the overall score.
  • Is the user connecting from a known location? Deduct points when the location is unknown.
  • Is the user calling the service desk during their usual working hours?
  • Has the user made multiple calls to the service desk recently? Frequent or unusual contact can trigger alerts.
  • Is the user's account disabled or expired? The system can query the user's knowledge about this status and alert the agent.
  • Has the account been inactive for an extended period (e.g., months)? This can prompt a warning to the agent.

These dynamic and contextual checks allow IVM to establish an initial score and provide crucial information to the agent. For example:

  • If a user calls shortly after a previous call or still has an active call, the agent is immediately warned.
  • If the user connects from their usual workstation, it positively impacts the score. Conversely, if the user connects from an unfamiliar workstation, it results in a negative score and alerts the agent.
  • If the user typically does not log into a Windows Desktop and cannot connect, this does not alter the initial score, as it is a normal situation for that user.

FastPass includes approximately 30 different scoring scenarios just around the user connecting. These can be used immediately and offer substantial flexibility, which allows for the creation of robust verification scenarios using the built-in options.
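The scoring model from "How Proofings Work" combined with the contextual initial score described above, as an added example that is not FastPass code. Only the SMS PIN weights (25/-20 and 50/-10) and the 100% threshold come from this article; the item names, the remaining weights, the ±15 workstation adjustment and the rule that each proofing counts once are assumptions.

```python
from dataclasses import dataclass, field

THRESHOLD = 100  # the article's rule: the caller must reach 100% to be verified

# (points when passed, points deducted when failed) per proofing profile.
# The sms_pin figures are the article's examples; every other value is assumed.
WEIGHTS = {
    ("high-risk", "sensitive"): {"sms_pin": (25, 20), "authenticator_push": (50, 40),
                                 "manager_approval": (40, 0), "manager_name": (5, 15)},
    ("normal", "sensitive"): {"sms_pin": (50, 10), "authenticator_push": (60, 30),
                              "manager_name": (15, 10)},
}

@dataclass
class Session:
    user_risk: str
    operation: str
    score: int = 0
    warnings: list = field(default_factory=list)
    log: dict = field(default_factory=dict)  # item -> points, one entry per item

    def apply_context(self, on_usual_device, recent_calls, uses_desktop=True):
        """Contextual checks set the initial score before any question is asked."""
        if uses_desktop:  # no desktop habit: score unchanged either way
            self._add("usual_workstation", 15 if on_usual_device else -15)
            if not on_usual_device:
                self.warnings.append("caller is not on their usual workstation")
        if recent_calls:
            self.warnings.append(f"{recent_calls} recent service desk call(s)")

    def record(self, item, passed):
        """Score one proofing; unknown items raise KeyError, repeats ValueError."""
        gain, penalty = WEIGHTS[(self.user_risk, self.operation)][item]
        self._add(item, gain if passed else -penalty)

    def _add(self, item, points):
        if item in self.log:  # a proofing may not be replayed to farm points
            raise ValueError(f"{item} already scored")
        self.log[item] = points
        self.score += points

    @property
    def verified(self):
        return self.score >= THRESHOLD

def run(risk, operation, context, answers):
    """Replay a constructed call and return (score, verified, warnings)."""
    s = Session(risk, operation)
    s.apply_context(**context)
    for item, passed in answers:
        s.record(item, passed)
    return s.score, s.verified, s.warnings
```

With these weights, the same two correct answers (SMS PIN and authenticator push) verify a normal user but leave a high-risk user at 90%, so a third proofing is still required.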

ITSM Integration in More Detail

The typical integration with ITSM systems is two-fold. One aspect involves the flow from ITSM to FastPass. A simple link is generated to allow FastPass to retrieve a few key pieces of information:

  1. ID of the ticket
  2. UserID
  3. Problem category

Using this data, FastPass will automatically look up the user and initiate the appropriate proofing process.

The other part involves the actions taken once the identity verification is completed or paused. FastPass updates the ticket automatically based on the result. If the authentication succeeds, the passed and failed items and their scores are added to the ticket (no personal data is passed, just scores). If the operation is escalated, FastPass can automatically reassign the call to another call group and send an email to the user or manager if necessary.
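A sketch of both directions of this handoff, added here as an example and not taken from FastPass: the link is treated as untrusted input, the user's risk level is looked up locally instead of being read from the link, and the ticket update carries item names and scores but no answers. The query parameter names, category names, user IDs and host name are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hypothetical parameter names and categories; the article only says the link
# carries a ticket ID, a user ID and a problem category.
SENSITIVE_CATEGORIES = {"password_reset", "mfa_reset"}
KNOWN_CATEGORIES = SENSITIVE_CATEGORIES | {"printer", "office_question"}
HIGH_RISK_USERS = {"adm.jensen"}  # constructed stand-in for a directory lookup
SAFE_ID = re.compile(r"[A-Za-z0-9._-]{1,64}")

def parse_handoff(url):
    """Return (ticket, user, category) or raise ValueError on a malformed link."""
    q = parse_qs(urlsplit(url).query, strict_parsing=True)
    if set(q) != {"ticket", "user", "category"} or any(len(v) != 1 for v in q.values()):
        raise ValueError("link must carry exactly one ticket, user and category")
    ticket, user, category = q["ticket"][0], q["user"][0], q["category"][0]
    if not (SAFE_ID.fullmatch(ticket) and SAFE_ID.fullmatch(user)):
        raise ValueError("malformed ticket or user ID")
    if category not in KNOWN_CATEGORIES:
        raise ValueError("unknown problem category")
    return ticket, user, category

def select_profile(user, category):
    """Pick the proofing profile; risk comes from our own records, not the link."""
    risk = "high-risk" if user in HIGH_RISK_USERS else "normal"
    operation = "sensitive" if category in SENSITIVE_CATEGORIES else "normal"
    return risk, operation

def ticket_note(ticket, results, verified):
    """Build the ticket update: item name, outcome and score only, no answers."""
    lines = [f"{r['item']}: {'passed' if r['passed'] else 'failed'} ({r['points']:+d})"
             for r in results]
    status = "verified" if verified else "not verified"
    return {"ticket": ticket, "status": status, "proofings": lines}
```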

Please read this article about integrating with ITSM for more information on this topic.

Normal Operation

Users calling for help with printers, office questions, and other minor issues typically undergo a quick identity verification process. We usually let FastPass send a PIN to their work email or use MFA methods. FastPass then notes the verification process directly in the ticket.

More critical cases, such as credential loss, require a more stringent process. This is the area where social engineering and hackers attempt to infiltrate. Typically, this process is more rigid, demanding two-factor authentication.

FastPass IVM Bridges the Gap

Newly onboarded users often miss information or fail to enroll in certain areas. This can be due to their manager not fulfilling their responsibilities, such as providing the user with their employee ID or assisting with MFA system enrollment. In such cases, IVM can be used to automatically email the user’s manager and reassign the ticket to a group that handles these issues.

Another option, if the agent is unable to validate the user's identity, is to reassign the call to a manager who can verify the user's validity, for example, by contacting the manager or colleagues directly.

In conclusion, the FastPass Identity Verification Manager (IVM) stands out as a versatile and robust solution tailored for modern IT service desks. By offering customizable proofing levels, dynamic scoring scenarios, and seamless integration with ITSM systems, FastPass IVM not only enhances security but also streamlines the user verification process. Whether handling routine inquiries or critical security concerns, FastPass IVM provides the tools necessary to ensure efficient and secure identity management.

Check the Side-By-Side video showing that FastPass IVM also increases the speed of end user verification.

To explore how FastPass IVM can benefit your organization, book a meeting with our experts.
