Password Reset Best Practices For Your Users
Understand how attackers target the service desk through forgotten passwords
When users forget their passwords, they call the service desk for a new password so they can get back to work. This happens many times a day in most service desks.
But how does your service desk prevent a password from being handed to the wrong individual? Do you have a password reset manager assisting the service desk?
Best Practice #1 Have a Management-Decided Process
According to Service Desk Institute research, 35% of organizations do not have a management-decided process; each analyst must make up his own. Does this make us secure?
In the remaining 65%, the majority use questions about data that is easily available, like employee number, manager’s name, department number, and other information readily available to criminals.
of organizations expect password related issues to take up more than of their calls.
of IT service desks don’t authenticate end-users when conducting password resets.
of survey respondents stated that their IT service desk in place to ensure the identity of service requesters
Current password self-service solutions rely heavily on, particularly security questions, with only 7% of implemented solutions offering more innovative authentication methods.
of respondents state that password resetting, versus 38% where this is limited to a select group, and 12% where no one on the service desk has any access to it
83% of respondents think that, despite controls being in place, it’s still possible for a criminal to gain a password to a legitimate end-user’s account (via the IT service desk)
SDI Report "On Security, GDPR and Self-Service Passwords"
Best Practice #2 Create an Authentication Process for the Service Desk
The assisted process in the service desk
The easiest way to get a password for a legitimate user is simply to call the service desk and ask. You might have to charm or threaten to get it, but many penetration tests have proven that this is the easy way in!
Why a privileged user from the service desk or user administration department may give a password to the “wrong” user:
No authentication process is defined by management.
A weak authentication process is easy to bypass.
The privileged user is busy (it’s Monday morning) and hopes for the best.
The user on the phone charms or threatens the privileged user.
The privileged user is corrupt / criminal.
IDC cites other research from 2016 stating that 63% of data breaches are caused by some sort of password issue. IDC suggests using self-service of passwords as the way to become compliant in the password process. No matter how good the self-service solution is, some users will need assistance. When there is an assisted process, it must be secure and compliant. This is a huge challenge.
IDC proposes a model where:
At least two persons are involved (a supporter and a voucher).
The supporter’s privileges to do password resets on their own are removed.
Users receive a key from the two-person process that enrols them in self-service, so they set the new password themselves.
As this is a much more expensive process than is standard today, many companies will need to move more than 80% of the calls to self-service so that the cost of the manual process becomes manageable.
Best Practice #3 Follow Identity Verification Principles
Gartner calls the process Identity Verification Client.
“The reality is that no matter how foolproof a Self-Service Password Reset (SSPR) solution is, the need for service-desk-assisted password resets will likely always be there.”
“An Identity Verification allows a delegate (such as an administrator or service desk operator) to perform a password reset or account unlock on behalf of another user. That said, there are often security holes in the identity verification process.”
How can we make the identity verification process secure?
We must have a common process decided by management.
We must have different workflows to balance risk and cost for different user groups.
We must prevent circumvention by the service desk analyst; this means no privileged passwords!
We must include many different information types in the manual authentication, in particular dynamic and contextual data in addition to static data and tokens.
For individuals with very high security settings, we must include multi-factor authentication.
Monitoring and alerts must be part of the solution.
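The two-person model IDC proposes (a supporter collects evidence, a separate voucher approves, and the user gets a key that enrols them in self-service) and the verification principles listed above can be expressed as a small policy engine. The following Python is an added illustration written for this page, not FastPass's, IDC's or Gartner's code. The group names, evidence labels, key lifetime and alert threshold are assumptions chosen for the model; static data alone never satisfies a policy, a voucher must be a different person from the supporter, the analyst never sees or sets a password, and every step is written to an audit list with an alert after repeated failed checks.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Evidence types an analyst may verify. Labels are assumptions for this model.
STATIC, DYNAMIC, CONTEXTUAL, TOKEN, MFA = "static", "dynamic", "contextual", "token", "mfa"

# Assumed per-user-group policy: evidence that must be verified before a second
# person may vouch. Static data alone never satisfies a policy, since it is easy
# to obtain; high-security users additionally need a second factor.
POLICY = {
    "standard": {DYNAMIC, CONTEXTUAL},
    "high_security": {DYNAMIC, CONTEXTUAL, MFA},
}
KEY_TTL_SECONDS = 600   # lifetime of the self-service enrollment key (assumption)
ALERT_THRESHOLD = 3     # failed checks on one request that raise an alert (assumption)


@dataclass
class ResetRequest:
    user: str
    group: str
    supporter: str
    verified: set = field(default_factory=set)
    failures: int = 0
    voucher: Optional[str] = None
    key_hash: Optional[str] = None
    key_expires: float = 0.0


@dataclass
class ResetService:
    """Assisted reset workflow: the supporter collects evidence, a second person
    vouches, and the user receives a one-time key to set the password themselves.
    No method lets an analyst read or set a password."""
    requests: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def _log(self, event, **data):
        self.audit.append({"ts": time.time(), "event": event, **data})

    def open_request(self, user, group, supporter):
        rid = secrets.token_hex(4)
        self.requests[rid] = ResetRequest(user, group, supporter)
        self._log("request_opened", rid=rid, user=user, supporter=supporter)
        return rid

    def record_evidence(self, rid, kind, passed):
        """Record one verified (or failed) evidence check; return what is still missing."""
        req = self.requests[rid]
        if passed:
            req.verified.add(kind)
        else:
            req.failures += 1
            if req.failures >= ALERT_THRESHOLD:
                self.alerts.append({"rid": rid, "user": req.user, "failures": req.failures})
        self._log("evidence_checked", rid=rid, kind=kind, passed=passed)
        return POLICY[req.group] - req.verified

    def vouch(self, rid, voucher):
        """Second-person approval; refused if evidence is missing or voucher == supporter."""
        req = self.requests[rid]
        if voucher == req.supporter:
            raise PermissionError("voucher must be a second person")
        missing = POLICY[req.group] - req.verified
        if missing:
            raise PermissionError(f"evidence missing: {sorted(missing)}")
        req.voucher = voucher
        self._log("vouched", rid=rid, voucher=voucher)
        return True

    def issue_enrollment_key(self, rid):
        """Hand the user a one-time key; only its hash is kept server-side."""
        req = self.requests[rid]
        if req.voucher is None:
            raise PermissionError("two-person approval required")
        key = secrets.token_urlsafe(16)
        req.key_hash = hashlib.sha256(key.encode()).hexdigest()
        req.key_expires = time.time() + KEY_TTL_SECONDS
        self._log("key_issued", rid=rid, user=req.user)
        return key

    def redeem_key(self, rid, user, key):
        """Self-service step: the user consumes the key exactly once, then sets a password."""
        req = self.requests[rid]
        presented = hashlib.sha256(key.encode()).hexdigest()
        ok = (req.key_hash is not None and user == req.user
              and time.time() < req.key_expires
              and hmac.compare_digest(presented, req.key_hash))
        if ok:
            req.key_hash = None   # one-time: replaying the same key fails
        self._log("key_redeemed" if ok else "key_rejected", rid=rid, user=user)
        return ok


def demo():
    """Run one high-security reset end to end; return the service, request id and key."""
    svc = ResetService()
    rid = svc.open_request("alice", "high_security", supporter="analyst1")
    svc.record_evidence(rid, DYNAMIC, passed=True)
    svc.record_evidence(rid, CONTEXTUAL, passed=True)
    svc.record_evidence(rid, MFA, passed=True)
    svc.vouch(rid, "analyst2")
    return svc, rid, svc.issue_enrollment_key(rid)


if __name__ == "__main__":
    service, request_id, enrollment_key = demo()
    print("redeemed:", service.redeem_key(request_id, "alice", enrollment_key))
    print("replayed:", service.redeem_key(request_id, "alice", enrollment_key))
```

The design point is that the supporter's privilege to reset a password on their own does not exist in the model at all: the only path to a new password runs through a second person's approval and then through the user's own self-service step, and the audit list is what monitoring and alerting would consume.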
The only true way to enforce the secure workflow is a flexible IT system designed for the authentication task. Take a closer look at the FastPass Identity Verification Process (IVC), which is these password reset best practices implemented.
Identity Verification for the future
It seems obvious that an IT-based solution for identity verification is needed. The primary concern must be IT security, but management has more requirements.
Management must be able to define the process the service desk analysts perform when assisting users. In general terms, the solution must be compliant and circumventions to the process from the service desk analysts must be prevented.
Large organizations still have many calls for the service desk even if password self-service off-loads around 80%. Costs related to the process for the service desk and for the users must not be higher than what is needed for security. Different user groups have different security profiles and should be treated differently.
The authentication or proofing of users must be based on dynamic and contextual information in an intelligent way. Static information will in many cases be acceptable, but it cannot stand alone, as in some cases it is too easy to obtain.
In summary, the IVC process must be:
Compliant
Specific per user group
Proofing must be dynamic and contextual
Very strong proofing is when a person presents herself to the service desk analyst with an identity card including a photo. In the real world, however, service desks are centralized and users are scattered around the world.