Stop social engineering against your service desk

with FastPass Identity Verification solutions

Hackers impersonate a real user's digital identity to get a password from the service desk

FastPass IVM controls the supporter's verification of the user's digital identity through a dynamic and secure workflow.

A perfect identity verification solution for password resets

Dynamic and contextual data from the user’s workstation and environment is used

The workflow will dynamically adapt to the users’ security profile

Information from many resources including Active Directory and external data is included

Comprehensive compliance reporting available plus SIEM integration

Remove privileged passwords from service desk supporters

FastPass IVM for password resets for AD, SAP, Oracle, IBM, LDAP and external web services

Hackers use social engineering methods to con service desk supporters into issuing passwords for real users.

Hackers can’t fool FastPass Identity Verification Manager to trust anything but facts. Give control to FastPass and stop the hackers!

FastPass Identity Verification Manager (IVM) prevents voice-based hacking (vishing).

IVM controls the entire identity verification process so that you know your customer better, instructing the service desk supporter which questions to ask and which tests to run depending on the user's security profile. Trusted identity verification can be implemented fast based on FastPass templates.


When a user calls the service desk to get a password reset then the service desk supporter uses IVM to verify the identity of the caller. A standard process can include:

For each correct or trustworthy answer, IVM credits points to the call. When enough points have been reached, IVM releases a new password to be passed on to the user.

To reduce the risk of identity fraud, all information related to the user is logged for monitoring and analysis. All details of the verification steps can be configured individually to fit the organization's data, infrastructure and security policies.
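The point-crediting workflow described above, sketched as an added example (this is not FastPass code). The thresholds, check names, point weights and the rule that higher profiles need at least one contextual check are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed point thresholds per security profile (illustrative values only).
THRESHOLDS = {"standard": 30, "elevated": 50, "privileged": 80}

@dataclass(frozen=True)
class Check:
    name: str
    points: int
    contextual: bool = False  # read from the environment, not asked of the caller

@dataclass
class VerificationCall:
    agent: str      # supporter handling the call
    subject: str    # account the caller claims to own
    profile: str    # key into THRESHOLDS
    score: int = 0
    contextual_hits: int = 0
    audit: list = field(default_factory=list)

    def record(self, check: Check, passed: bool) -> None:
        """Credit points for a passed check and log every attempt."""
        if passed:
            self.score += check.points
            self.contextual_hits += int(check.contextual)
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "agent": self.agent, "subject": self.subject,
            "check": check.name, "passed": passed, "score": self.score,
        })

    def may_release_password(self) -> bool:
        """The workflow decides; the supporter cannot override the result."""
        enough = self.score >= THRESHOLDS[self.profile]
        # Assumed rule: above the standard profile, knowledge answers alone
        # never suffice; at least one contextual check must have passed.
        needs_context = self.profile != "standard"
        return enough and (self.contextual_hits > 0 or not needs_context)

# Constructed sample checks; names and weights are hypothetical.
EMPLOYEE_NO = Check("employee_number", 20)
MANAGER = Check("manager_name", 20)
BIRTHDATE = Check("birthdate", 20)
KNOWN_PC = Check("call_from_assigned_pc", 30, contextual=True)
WORK_HOURS = Check("normal_working_hours", 10, contextual=True)
```

Every attempt, passed or failed, lands in `audit` with the agent and the subject, which is the record a SIEM or compliance report would consume.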



To achieve rapid results, IVM is delivered with templates that can be used as basic processes immediately. They correspond to a simple process, an average process, and a heavily secure process to protect its users from a wide range of identity fraud.

The templates can then gradually be altered or new ones can be added, as the service desk and IT security agree that adjustments need to be made.

This means that IVM can be installed and implemented very quickly.

The FastPass Identity Verification Manager suite currently covers
  • FastPass Self-Service Password Reset (SSPR)
  • FastPass Identity Verification Manager (IVM)

Identity verification benefits from the data and components of SSPR, so we recommend a combined solution.

Identity verification manager increases security and reduces the risks of social engineering, while SSPR delivers productivity and efficiency for both users and the service desk.

The combination of SSPR and IVM is a security solution with a strong business case.


Identity Verification Manager controls the verification process; the service desk supporter assists IVM. This is crucial to prevent skilled hackers with good social engineering techniques from taking control via the supporter. See table below.

IVM Table

As inspiration: A customer’s requirements for IVM

  • Solution needs to read validation data from SAP and Avaya.
  • The application must be able to utilize SAP data for validation
  • The user's phone number
  • The user’s computer listed in asset assignment
  • Primary User logged in most of the asset
  • Birthdate
  • Start Date of employment
  • Manager of the employee
  • Employee Number
  • Utilize SMS for verification
  • Utilize XXX email for verification
  • The application must record that validation identifying the agent who is processing the validation, who they are trying to validate and pass or fail on the validation.
  • Reporting on pass and fail attempts. Unique number for each and all attempts recorded. Be able to report on single users.
  • On demand reporting for pass and fail attempts, agent usage of the solution and what data is validated the most by the agent with the customer.
  • Reporting on history of use of solution by all account roles and average time to process a validation.
  • Vendor will provide a non-disruptive test plan of solution in a production environment
  • Compliance with XXX security requirements:
  • At least a three-tier access: (1) Administration role that has unrestricted access to configure, administrate, and test the solution (2) Support Agent role with least privileges to use the solution to validate employees (3) An Auditor role that has access to all audit logs at any given time
  • Integrated with Active Directory
  • System audit logs & user activity logs are available. Can be exported to Excel format.
  • Identify and authenticate agents prior to allowing access to the application by Active Directory verification
  • Ensure Multifactor Authentication is enabled for privileged access to solution by XXX identified agents using either Okta or SecurID.
  • Ensure that credentials are stored and transmitted in an encrypted format (LDAPS, HTTPS). AES256 or better encryption.
  • Ensure that data is encrypted at rest and in transit

Verify if John Doe is legit

The critical part of the password reset process is identity verification.

How can the service desk agent confirm that it is a legitimate user? This task is taken over by Identity Verification Manager (IVM), which controls what actions to take and decides when the verification is OK, based on specific knowledge about each user.

Who will be using IVM in my organization?

IVM is used in situations where it is important to verify the correct identity of a person phoning in. Service desk supporters face many situations where they need to know for sure whom they are serving. Handing a password to the wrong person might be a disaster. Staff in HR and Finance have the same need for secure verification of employees.

What makes IVM more secure than good standard procedures with good staff?

Even the best staff can be manipulated by a good social engineer into helping and deviating from the procedures. IVM controls the process: it is not the staff or supporter who decides the verification process and when the caller can be trusted.

Can’t the hacker prepare for the IVM verification questions?

The most important and secure elements in IVM are the dynamic and contextual tests. Even though the user is not logged in, IVM gets information from the workstation and then knows whether this is the user's own PC or not. We can see the geo-location, and we can see whether the user is asking during normal working hours. This is close to impossible for a hacker to produce. IVM tests for a multitude of tokens, and the hacker can't prepare.

Is IVM available for on-premise and Cloud?


Can IVM work stand-alone without FastPass Self-service Password Reset (SSPR)?

Yes. However, some verification tests are only available when SSPR is implemented.

Will the service desk supporter have to switch between the ITSM tool and IVM in a service call?

Yes, but the supporter will not notice it. IVM can be integrated seamlessly with the ITSM tool, so the supporter will not see or know when the process switches to IVM and back to ITSM.

What will it take to implement IVM?

Using the IVM template, it can be done fairly quickly. Some organizations will, however, design their own verification process and even different processes for different groups, and then it will take more time. Please see the IVM Implementation guide.

How long does it take to implement?

Technical implementation can be done in a day. With FastPass templates, organizational implementation can also be done fast: less than a week. When the customer wants to design an individual workflow, the decision process will take time. The technical implementation is relatively short.

How quickly can a proof of concept be set up?

With FastPass a POC can be up and running within a day. With additional target systems (SAP/Oracle etc.) expect to add some more days.

What out of the box interfaces are available for integrating with ITSM?

IVM integrates based on ticket-number and returns status to ITSM system. Easy integration with most major ITSM systems.

What out of the box interfaces are available for importing data from back office systems (e.g. HR)?

With IVM data from back-office systems can be utilized easily through either AD, direct insert into the FastPass database, or from specific database tables.

What security accreditation has the tool got?

FastPass V4 has been penetration tested by Backbone Inc. - 811 Ann St. Stroudsburg PA 18360

What operating systems does the client support and is there a BYOD/ optimized website version?

The IVM client uses responsive design and works with major browser versions (e.g. Chrome / Edge).

What languages are supported?

IVM is only used by administrators and supporters and the language is in English. Questions for user verification can be translated to local languages. Labels/Buttons etc. will be localized in late 2021.

What automated reporting and notifications can be configured to detect suspicious behavior?

Notifications can be set up to alert on an unusual number of accesses from individual users having multiple failed attempts.

What is the largest user base this tool has been implemented on?

It has been tested with 100,000+ users.

Can the solution be set up in a standalone implementation rather than the multi-tenant FastPass cloud?

The FastPass solution is available for on-premise as well as for FastPass Cloud. Service Providers can operate their own multi-tenant cloud solution.

Does the system self-calibrate or need to be taught for dynamic information (e.g. do you need to tell it user x is UK based or does it know the last three logins were from the UK so when someone logs in from India it flags it up as suspicious)?

IVM knows what PC the user normally uses and will flag if the user comes from a new device. Location-based information is planned for release in early 2022; it will also learn the user's normal behavior and use it as a baseline.

Do users using SSPR need to re-enrol to benefit from IVM?

With IVM, users don't have to be enrolled. Enrolling users will, however, increase the number of verification tests and their quality. Users already enrolled in an earlier version will immediately be able to benefit from their enrollment.


If we want to take human error out of identity verification solutions, we must have an IT workflow controlling the agent. The process must be designed according to security specifications from IT security. There should be different processes for user groups with different security profiles. The tests must include many different items: data, tokens, and even manager approval, where needed.

The password reset process at the service desk can be an excellent gateway for hackers to breach IT systems.
