FACILITATED PASSWORD RESET
FOR THE SERVICE DESK PROCESS
Secure password process in the service desk
Users call the service desk with password problems – even when they have self-service. Is this process secure? Can you trust the authentication process, or will it be easy to circumvent for an “attacker”? FastPass Facilitated Password Reset Module (FPR) offers a comprehensive and compliant solution for the assisted password reset process in the service desk.
FPR reduces the risk for data breaches and the costs associated with IT crime. The password reset process in the service desk is the easiest place for an “attacker” to gain access to user credentials and authentication. FPR helps you manage the risk and costs!
Facilitated password reset: CLOUD and ON-PREMISE
FPR controls the steps the service desk agent must do to authenticate a user calling in. Dynamic and contextual data is used for authentication, combined with static data and tokens. Even management approval can be integrated. Risks and costs with authentication can be balanced to fit different user groups. Facilitated Password Reset (FPR) is available for in-house and cloud.
The Challenge
- According to the Service Desk Institute, 35% of organizations don’t have a management-approved process for user authentication. Most of the remaining 65% have a very “light” process. The cost of data breaches increases year after year according to IBM and the Ponemon Institute, with an average cost of $4 million per data breach in 2016!
- The weakest link, and the easiest place for an attacker to get access to information and rights, is the service desk. In many organizations, a phone call with a friendly tone will get you another user’s password from the service desk! The first step in any protection of IT systems should target this process. Asking users for general static information like user ID, personal address, date of hire and the like is simply too easy for a resourceful hacker!
Solution for large organizations
FastPass Facilitated Password Reset (FPR) introduces a management-defined process for authentication and issuance of access codes. The service desk agents don’t need privileged passwords anymore. FPR uses dynamic and contextual information to help authenticate the users – information that is not available to hackers through social engineering. Other authentication methods include personal Q/As and the use of tokens like SMS and private e-mails (the corporate e-mail is of course not available!).
For absolute authentication security, the user’s manager can be asked to vouch for his employee. This will of course require the manager to authenticate with his normal password.
In large organizations, there will be different processes for user-groups with no access to critical information and other user groups with access to critical or very critical data and processes. In this way management can balance risk and cost accordingly.
The ideal solution is a combination of advanced self-service and a secure facilitated process, such as FastPass Enterprise for self-service together with FPR!
What is: FastPass Facilitated Password Reset (FPR)?
FPR is the tool for the service desk agents when users call with a password issue. This document is a short overview of the functionality in FPR. To understand the business benefits of FPR please see the announcement documents of FPR.
Different workflow for different user-groups:
Management can decide and configure the workflow that the service desk agents must follow to issue a new password for the user. Management can balance risk and cost to fit the different user-groups. The user-groups are defined from AD group membership.
User authentication:
The most critical part of the process is to authenticate the user to an acceptable level. For some users this will require 100% certainty – for other users it might be enough that it is probably the right user!
In large organizations, the process assumes a service desk agent talking to a user on a phone: mobile or fixed-line (internal phones typically).
Authentication (or proofing) of the user starts with dynamic and contextual data, like:
- Is this the user’s normal workstation?
- Is the user coming from the normal location?
The special quality of FastPass is that FPR can see the user’s information even when he can’t log in to his workstation because he has a password problem! Other questions in this category might be:
- When was the last time you logged in?
- When did you last change your password?
- Why didn’t you do self-service?
The service desk agent can use the static questions/answers from the self-service solution and see if the answers are trustworthy. These can be questions like:
- Who was your favorite boss?
- Enter the numbers 5-9 of your driver license.
The answers shown to the agent might be partly truncated.
If the user has some kind of token (like a mobile phone), the service desk agent can involve this token in the process (sending a code via SMS to the user). Other methods based on something the user has can be included too. It is important to understand that the user might not have his token – which may be why he is not able to do a self-service password reset!
For some users and in some situations, it is necessary to involve a manager or another trusted person (like a manager in the service desk) who will vouch for the user’s identity.
Password action:
Based on the information gathered and the user’s profile, FastPass FPR decides whether the user can get a new password. The decision is based on the number of points required for this user-group. Some user-groups might only need a few points whereas others might need maximum points. Some questions or requirements can be mandatory.
If the user can’t be approved, the service desk agent can escalate the incident to the management level.
For an approved user, the service desk agent can then forward:
- A re-enrolment key to password self-service, where the user can then set his own password
- A one-time password
The password can be delivered in different ways to protect the transmission of the password.
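The points-based decision described above, as an added illustration that is not FastPass code: the evidence names, point values, group names and thresholds are constructed assumptions, chosen only to show how per-group thresholds and mandatory requirements combine, and how a caller without a token is handled.

```python
# Constructed example of a points-based facilitated-reset policy (not the
# product's own logic). Point values, group names and thresholds are assumptions.
from dataclasses import dataclass

# Evidence the service desk agent can record during the call, with the points
# each contributes. Dynamic/contextual items score low; tokens and a manager
# vouch score high, mirroring the document's ordering of strength.
POINTS = {
    "normal_workstation": 10,  # contextual: user is on the usual workstation
    "normal_location": 10,     # contextual: user is at the usual location
    "last_login_known": 10,    # dynamic: user states a plausible last login
    "static_qa": 20,           # static Q/A from self-service checks out
    "sms_token": 30,           # code sent to registered mobile and read back
    "manager_vouch": 50,       # manager authenticated and vouches for the user
}

@dataclass(frozen=True)
class GroupPolicy:
    required_points: int
    mandatory: frozenset = frozenset()  # evidence that must be present

# One policy per user group (in the product these would map to AD groups).
POLICIES = {
    "standard": GroupPolicy(required_points=40),
    "sensitive": GroupPolicy(required_points=60, mandatory=frozenset({"sms_token"})),
    "critical": GroupPolicy(required_points=90, mandatory=frozenset({"manager_vouch"})),
}

def evaluate(group, evidence):
    """Return (decision, points, missing_mandatory) for one reset attempt.

    decision is "approve" when the points reach the group's threshold and
    every mandatory item is present; otherwise "escalate", i.e. hand the
    incident to management as the process describes. Evidence names not in
    POINTS are ignored rather than scored, so a typo cannot add points.
    """
    policy = POLICIES[group]
    present = set(evidence) & set(POINTS)
    points = sum(POINTS[e] for e in present)
    missing = sorted(policy.mandatory - present)
    approved = points >= policy.required_points and not missing
    return ("approve" if approved else "escalate", points, missing)

if __name__ == "__main__":
    # Caller without a mobile token: enough for a standard user, not a sensitive one.
    no_token = ["normal_workstation", "normal_location", "static_qa"]
    print(evaluate("standard", no_token))   # approve on 40 points
    print(evaluate("sensitive", no_token))  # escalate: sms_token is mandatory
```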
Monitoring:
All steps and data are logged for monitoring.
Basic reporting is available in FPR, but data can also be transferred to the company’s data warehouse for analysis together with other authentication information. The transfer can be real-time or batch.
Alerts can be defined to notify users, managers, the service desk and security managers in real time for all kinds of predefined situations. Likewise, tickets can be forwarded to the central ITSM tool.