Ways to protect the password before the user receives their first password
Nobody wants a user's password to be in the hands of anyone but the user herself. There are, however, situations where the user needs help with the password. A frequent one is a forgotten password, where the service desk has to help. This can be solved with password self-service.
The handover of the first password, on the employee's first day at work, is however tricky.
Who creates the password? Who receives the password to hand over to the employee? How well is it protected? Is there any risk that it can be used before the new person starts? Is the process smooth and efficient, so that the password is always available when needed while consuming very few resources?
You might trust your manager to do it – but do you trust all managers?
Does it work as well for high security and low-security users? Does it work well for internals as well as external contractors?
The above questions show that there is more than one situation to consider. Most organizations need to define their own process, one that is both secure and efficient.
The ideal solution
The ideal solution enables the employee to set her own password without any password being issued in advance, not even a temporary one. Still, the process must be secure and prevent anyone other than the new user from performing the transaction. As always with security, different security levels may be accepted depending on how sensitive the user's access is.
With FastPass you can configure a secure workflow, matching the security requirements for different groups.
A couple of examples show a simple and a more advanced mode.
Simple mode: When we hire a new employee, we get the private e-mail address and private phone number.
As part of the initial IT introduction, the new employee is also asked to log in to the FastPass self-service portal.
The user selects "Initial enrollment". FastPass automatically sends an Invitation-PIN to the user's mobile phone and e-mail address. With this PIN the employee can set his own first real password. Nobody else has been involved!
Furthermore, we can ask the user to enter more personal information and connect to MFA tokens for later identity verification by the service desk or for password self-service.
Advanced mode: We have the private e-mail address and phone number.
As part of the initial IT introduction, the new employee is also asked to log in to the FastPass portal.
The user selects "Initial enrollment". FastPass automatically sends an Invitation-PIN to the user's mobile phone and e-mail address. In this mode, however, we also require a personal verification: FastPass asks the manager to confirm in FastPass that her new employee is really waiting for a confirmation. In this way we combine tokens with the trust of human recognition. The manager's task can be delegated to another trusted colleague.
After this verification, the employee can set his own first real password. Nobody else has touched the password!
Furthermore, we can ask the user to enter more personal information and connect to MFA tokens for later identity verification.
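The two workflows above, the simple one (Invitation-PIN only) and the advanced one (Invitation-PIN plus manager confirmation), as an added illustrative model in Python. This is not FastPass code: the function names, the policy values (PIN lifetime, attempt limit) and the sender callback are all constructed for the example, and the point is the controls a practitioner would check for: the clear PIN is only ever handed to the out-of-band channel, the PIN is single use and time limited, guesses are bounded, and the first password can only be set once the required confirmations are in place.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed policy values for the example; a real deployment tunes these per user group.
SERVER_KEY = secrets.token_bytes(32)   # keyed hash: a leaked table cannot be brute-forced offline
PIN_TTL = 15 * 60                      # Invitation-PIN lifetime in seconds
MAX_ATTEMPTS = 5                       # wrong guesses before the enrollment is locked

@dataclass
class Enrollment:
    user: str
    pin_tag: bytes            # HMAC of the PIN; the clear PIN is never stored server side
    issued_at: float
    needs_manager: bool       # advanced mode: a manager (or delegate) must confirm
    attempts: int = 0
    pin_verified: bool = False
    manager_confirmed: bool = False
    consumed: bool = False    # the first-password transaction is single use

def tag_pin(pin: str) -> bytes:
    return hmac.new(SERVER_KEY, pin.encode(), "sha256").digest()

def start_enrollment(user, high_security, now, send):
    """Issue a random Invitation-PIN and hand it only to the out-of-band sender (SMS/e-mail)."""
    pin = f"{secrets.randbelow(10**8):08d}"
    send(user, pin)           # delivered to the private phone/e-mail; no staff member sees it
    return Enrollment(user, tag_pin(pin), now, needs_manager=high_security)

def verify_pin(enr, pin, now):
    """Accept the PIN inside its lifetime, with a bounded number of guesses."""
    if enr.consumed or enr.attempts >= MAX_ATTEMPTS or now - enr.issued_at > PIN_TTL: return False
    if hmac.compare_digest(tag_pin(pin), enr.pin_tag):
        enr.pin_verified = True
        return True
    enr.attempts += 1
    return False

def manager_confirm(enr, approver, manager_of):
    """Human-recognition step: only the recorded manager (or delegate) may confirm."""
    if manager_of.get(enr.user) == approver: enr.manager_confirmed = True
    return enr.manager_confirmed

def set_first_password(enr, new_password, now):
    """Let the user set her own first password; no temporary password ever exists."""
    if enr.consumed or not enr.pin_verified or now - enr.issued_at > PIN_TTL: return False
    if enr.needs_manager and not enr.manager_confirmed: return False
    enr.consumed = True       # a second call with the same enrollment is refused
    return True               # a real system would write new_password to the directory here
```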
These are only examples using the FastPass Self-Service Password Reset solution from FastPass V4. You can define and configure many different processes to fit your organization.