The password reset process is coming into focus as the number of security breaches grows. In the Gartner note ‘Future Proofing Your Password Management Solution’ (G00297006), analyst Lori Robinson draws the following conclusion:
“A facilitated reset allows a delegate (such as an administrator or service desk operator) to perform a password reset or account unlock on behalf of another user. That said, there are often security holes in the facilitated reset process.
Enterprises should extend strong authentication methods to the facilitated reset. The identities of users calling into a service desk should be vetted using not only Q&A, but voice biometrics, OOB, or other strong authentication methods.
It is important that an end-to-end record of the password reset is kept. Delegates acting on behalf of the user should be authenticated, and an audit record of who performed the facilitated reset should always be kept.”
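The process the quote describes, as an added example that is not part of the Gartner note or of this post: a small Python model of a facilitated reset in which the delegate must present a valid service-desk session before acting on anyone's behalf, the caller is vetted with a one-time code sent to the phone number on file (standing in for the OOB step; Q&A and voice biometrics are not modelled), and every step, including refusals, is written to a hash-chained audit trail that names the delegate who acted. All names (FacilitatedResetService, ResetTicket, the in-memory user and delegate stores, the list that stands in for an SMS gateway) and the policy values (a five-minute code lifetime, three attempts) are assumptions made for this example.

```python
# Constructed example: the class, ticket model, stores and policy values below
# are assumptions for illustration, not the page's or any vendor's product code.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OOB_CODE_TTL = 300    # seconds an out-of-band code stays valid (assumed policy)
OOB_MAX_ATTEMPTS = 3  # wrong codes tolerated before the ticket is voided (assumed)

@dataclass
class ResetTicket:
    ticket_id: str
    delegate: str
    target_user: str
    oob_code: str = ""
    oob_expires: float = 0.0
    oob_attempts: int = 0
    vetted: bool = False
    closed: bool = False

class FacilitatedResetService:
    def __init__(self, delegates, users, audit_key, clock=time.time):
        self.delegates = delegates         # name -> {"role": ..., "token": ...}
        self.users = users                 # user -> {"phone": ..., ...}
        self.audit_key, self.clock = audit_key, clock
        self.audit, self.tickets = [], {}  # audit is append-only and hash-chained
        self.sent_messages = []            # stands in for the SMS/voice gateway

    def _log(self, event, delegate, target, outcome, **detail):
        # Who acted, on whom, how, with what result, chained to the previous record.
        rec = {"ts": self.clock(), "event": event, "delegate": delegate,
               "target": target, "outcome": outcome, "detail": detail,
               "prev": self.audit[-1]["mac"] if self.audit else ""}
        rec["mac"] = hmac.new(self.audit_key, repr(sorted(rec.items())).encode(),
                              hashlib.sha256).hexdigest()
        self.audit.append(rec)

    def verify_audit_chain(self):
        prev = ""
        for rec in self.audit:
            body = repr(sorted((k, v) for k, v in rec.items() if k != "mac")).encode()
            mac = hmac.new(self.audit_key, body, hashlib.sha256).hexdigest()
            if rec["prev"] != prev or not hmac.compare_digest(mac, rec["mac"]):
                return False  # an edited, reordered or dropped record
            prev = rec["mac"]
        return True

    def _ticket(self, ticket_id):
        t = self.tickets.get(ticket_id)
        if t is None or t.closed:
            raise LookupError("no open ticket")
        return t

    def open_ticket(self, delegate_name, session_token, target_user):
        # The delegate is authenticated before anything is done on the user's behalf.
        d = self.delegates.get(delegate_name)
        if d is None or d["role"] != "servicedesk" or not hmac.compare_digest(d["token"], session_token):
            self._log("open", delegate_name, target_user, "denied", reason="delegate not authenticated")
            raise PermissionError("delegate not authenticated")
        if target_user not in self.users:
            self._log("open", delegate_name, target_user, "denied", reason="unknown user")
            raise LookupError("unknown user")
        t = ResetTicket(secrets.token_hex(8), delegate_name, target_user)
        self.tickets[t.ticket_id] = t
        self._log("open", delegate_name, target_user, "ok", ticket=t.ticket_id)
        return t.ticket_id

    def send_oob_code(self, ticket_id):
        # The caller is vetted over a channel on file for the user, not by Q&A alone;
        # the code goes to the user's device and the delegate never sees it.
        t = self._ticket(ticket_id)
        t.oob_code = f"{secrets.randbelow(10**6):06d}"
        t.oob_expires, t.oob_attempts = self.clock() + OOB_CODE_TTL, 0
        self.sent_messages.append((self.users[t.target_user]["phone"], t.oob_code))
        self._log("oob_sent", t.delegate, t.target_user, "ok", ticket=ticket_id, channel="sms")

    def verify_caller(self, ticket_id, code):
        t = self._ticket(ticket_id)
        t.oob_attempts += 1
        expired = self.clock() > t.oob_expires
        if expired or t.oob_attempts > OOB_MAX_ATTEMPTS or not hmac.compare_digest(t.oob_code, code):
            if expired or t.oob_attempts >= OOB_MAX_ATTEMPTS:
                t.closed = True  # start over with a fresh ticket and a fresh record
            self._log("oob_verify", t.delegate, t.target_user, "voided" if t.closed else "failed",
                      ticket=ticket_id, attempt=t.oob_attempts)
            return False
        t.vetted, t.oob_code = True, ""  # code is single use
        self._log("oob_verify", t.delegate, t.target_user, "ok", ticket=ticket_id, method="sms")
        return True

    def reset_password(self, ticket_id, temp_password):
        t = self._ticket(ticket_id)
        if not t.vetted:
            self._log("reset", t.delegate, t.target_user, "denied", ticket=ticket_id, reason="caller not vetted")
            raise PermissionError("caller not vetted")
        salt = secrets.token_bytes(16)
        self.users[t.target_user].update(must_change=True,  # temporary credential only
            password_hash=(salt, hashlib.pbkdf2_hmac("sha256", temp_password.encode(), salt, 200_000)))
        t.closed = True
        self._log("reset", t.delegate, t.target_user, "ok", ticket=ticket_id)
        return True
```

Three properties are worth checking against such a flow. A reset attempted before the caller has been vetted, or by a delegate whose session or role does not check out, is refused and the refusal itself lands in the trail, so a reviewer sees attempts and not only successes. The one-time code is delivered to the user's registered channel, expires, is single use and tolerates a fixed number of wrong entries before the ticket is voided. And verify_audit_chain() fails if any record is edited, reordered or removed, which is what makes the record end-to-end rather than a log line the delegate could tidy up afterwards.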
You might see alternatives to strong authentication at the service desk. You might even argue that, for users without access to sensitive information, single-factor authentication is enough.
But can you argue against the need for a compliant password reset process at the service desk?
We are interested in learning what organizations are doing about the facilitated password reset process. Please comment on this post!