Does your service desk give passwords away?

If at least 35% of companies don’t authenticate users during a password reset call, what is at risk?

When users forget their passwords, they call the service desk for a new one so they can get back to work. This happens many times a day in most service desks. But how does your service desk prevent passwords from being handed to the wrong individual? Do you have a password reset manager assisting the service desk?

According to Service Desk Institute research, 35% of organizations do not have a process decided by management; each analyst must make up his own. Does this make us secure?

In the remaining 65%, the majority use questions about easily available data such as employee number, manager’s name, department number and other information readily available to criminals.

Facilitated password reset principles

Gartner calls this process Facilitated Password Reset. “The reality is that no matter how foolproof a Self-Service Password Reset (SSPR) solution is, the need for service-desk-assisted password resets will likely always be there.” “A facilitated reset allows a delegate (such as an administrator or service desk operator) to perform a password reset or account unlock on behalf of another user. That said, there are often security holes in the facilitated reset process.”

How can we make the facilitated password process secure?

  • We must have a common process decided by management
  • We must have different workflows to balance risk and costs for different user groups
  • We must prevent circumvention by the service desk analyst; this means no privileged passwords!
  • We must include many different information types for the manual authentication – in particular dynamic and contextual data in addition to static data and tokens
  • For individuals with very high security settings we must include multi-person authentication
  • Monitoring and alerts must be part of the solution

This can of course be done manually, but the only true way to enforce the secure workflow is in a flexible IT system designed for the authentication task. Take a closer look at the FastPass Facilitated Password Reset module (FPR), which really is password reset best practices implemented.
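A minimal sketch of how the principles listed above can be enforced by a workflow instead of being left to each analyst. This is an added example, not FastPass code; the group names, thresholds, check names and the `decide` function are assumptions made for illustration.

```python
from dataclasses import dataclass, field
STATIC, DYNAMIC, TOKEN = "static", "dynamic", "token"  # evidence categories

# Illustrative workflows per user group (names and thresholds are assumptions).
WORKFLOWS = {
    "standard":   {"min_checks": 2, "extra_approvers": 0},
    "privileged": {"min_checks": 3, "extra_approvers": 1},
}

@dataclass
class ResetRequest:
    user: str
    group: str
    analyst: str
    passed: list  # (check name, category) pairs the caller answered correctly
    approvers: set = field(default_factory=set)

def decide(req, audit_log):
    """Allow the reset only if the workflow for the user's group is satisfied."""
    wf = WORKFLOWS[req.group]
    categories = {cat for _, cat in req.passed}
    reasons = []
    if len(req.passed) < wf["min_checks"]:
        reasons.append("too few checks passed")
    if not categories & {DYNAMIC, TOKEN}:
        reasons.append("no dynamic or token evidence")
    # Approvers count only if they are neither the analyst nor the account owner.
    independent = req.approvers - {req.analyst, req.user}
    if len(independent) < wf["extra_approvers"]:
        reasons.append("independent approver missing")
    allowed = not reasons
    # Every decision is logged; denials are flagged so monitoring can alert.
    audit_log.append({"user": req.user, "analyst": req.analyst,
                      "allowed": allowed, "alert": not allowed, "reasons": reasons})
    return allowed

def demo():
    """Run four constructed calls through the workflow."""
    static = [("employee number", STATIC), ("manager name", STATIC)]
    mixed = [("employee number", STATIC), ("last login location", DYNAMIC)]
    strong = mixed + [("SMS code", TOKEN)]
    calls = [
        ResetRequest("alice", "standard", "desk1", static),
        ResetRequest("alice", "standard", "desk1", mixed),
        ResetRequest("sysadmin", "privileged", "desk1", strong, {"desk1"}),
        ResetRequest("sysadmin", "privileged", "desk1", strong, {"it-manager"}),
    ]
    log = []
    return [decide(c, log) for c in calls], log
```

The caller who knows only the employee number and manager's name is refused, and the analyst cannot act as the second person for a privileged account.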

How passwords are broken

The assisted process in the service desk

The easiest way to get a legitimate user’s password is simply to call the service desk and ask. You might have to charm or threaten to get the password, but lots of penetration tests have proven that this is the easy way in!

What is password reset best practices?

“It is a well-defined process, balancing risk and costs for different users, to authenticate users as securely as their role requires. Self-service for all users who can, and a facilitated process for other users. The process will be most effective when implemented in an IT workflow”. This is the password reset best practices.

Testimonials

“We strive continuously to improve our service. It is important to us to deliver modern and simple solutions helping customers to a more efficient operation. The cooperation with FastPass is yet another step in this direction.”

Mads Jacobsen
 Associate vice president

... seen an 80% reduction in assisted password resets. We’re very satisfied with the product. It has significantly freed us up from frustrating and unrewarding password resets

Oliver Holmes

Deputy Director, Technology and Operations

FastPass handled 2,531 password calls, or more than 80% of the total password calls from all the users.

Per Kristensen

Project manager

 

...we have met our Customers’ Service and Cost Improvement challenges by reducing our call abandon rates by over 55% and our average wait times by over 60%, despite our overall budget being reduced.

Pete Townley

Lead Service Delivery

 

… about 90% use FastPass to reset their passwords. So we’ve seen a substantial reduction in calls to the help desk.

Winston Hughed

Vice President IT

 

We are very pleased with the product. FastPass has simplified password management and eliminated many password related calls.

Chuck Mick

ERP Manager

Nyrstar has chosen FastPass to automate and improve the processes related to users’ forgotten passwords. This has improved user satisfaction and reduced the workload in the IT HelpDesk.

The number of forgotten passwords per involved user per year has dropped from 1,6 to 0,3. This is an improvement of 83%!

Hans Lauwers

SAP

 

... The numbers have grown to the point that it would be impossible to operate in today’s busy environment without a password management service

Haydn Tarr

IT Technical Lead & Coordinator

 

Our employees use it to synchronize their Windows password with their IBM i password when they need to be changed every 90 days due to compliance. We find this is a quiet, behind-the-scenes way for our employees to change and remember their passwords.

Larry Marxen

Director of Information Systems

 

© FastPassCorp A/S. All Rights Reserved.