How should IT help desks securely verify the identity of users who are calling for password reset assistance?
IT help desks should use a variety of methods to securely verify the identity of users who are calling for password reset assistance, including:
Asking for identifying information: Users can be asked to provide their name, date of birth, and other personal information to confirm their identity. This information should be checked against company records to ensure accuracy.
Asking security questions: Users may be asked to answer security questions that only they are likely to know the answer to, such as their mother's maiden name or the name of their high school. These questions should be carefully selected to ensure that they are not easily guessable.
If possible, verify that the user is calling from equipment the user is known to use regularly, such as their standard workplace workstation or their standard mobile PC. This raises technical challenges, because a user with password problems cannot sign in, but some solutions have solved this.
Asking questions related to the user's behaviour when connected to the IT system: the information can be found in Active Directory and other systems. Examples include geo-location, the normal time of day for the user's activity, when the last log-in occurred, when the user last used a printer and which printer, and many others.
The more you can rely on dynamic and contextual data instead of personal data (which might already be known to a criminal), the more secure your verification will be.
Sending a verification code: Users can be sent a verification code via email or text message that they can provide to confirm their identity. This code should be unique and time-limited to ensure security.
Using two-factor authentication: Users may be required to use two-factor authentication, such as a code sent to their phone or a biometric factor, to confirm their identity. This adds an additional layer of security to the process.
Using caller ID spoofing detection: Help desks may use caller ID spoofing detection tools to confirm that the caller's phone number is legitimate and matches the user's phone number on file. This helps to prevent identity fraud.
As some questions or challenges might be difficult for the real user to answer, a point-based score is suggested, where the user must reach a predefined number of points to be verified. This allows the user to fail a single test and still be verified. For some important users, certain tests might be mandatory.
If the user can't be verified through the standard verification process, verification must be done by a trustworthy third party, such as the requester's manager. Alternatively, the user must appear in person at the verification unit with documentary proof that includes a photo or another biometric link.
To make sure the identification process is compliant and to prevent social engineering, help desk personnel must verify the user as part of an IT workflow that instructs the supporter on what to do. There should be no way for the supporter to circumvent the workflow defined by management. Each proofing step must be recorded for alerting and auditing.
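To make the point-based workflow concrete, here is an added Python example (not from the original article and not FastPass's product code): a scoring engine in which contextual checks outweigh personal data, selected checks can be made mandatory for important users, every outcome is logged for auditing, and the e-mailed or texted code is unique, time-limited and single-use. The check names, point values, threshold and the 10-minute code lifetime are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Check:
    name: str
    points: int

# Hypothetical check catalogue (assumption): contextual data pulled from AD and logs
# scores higher than personal data a criminal may already have collected.
CHECKS = (
    Check("name_and_date_of_birth", 1),
    Check("security_question", 1),
    Check("caller_id_matches_record", 1),
    Check("known_device", 3),
    Check("last_login_time_window", 2),
    Check("last_printer_used", 2),
    Check("one_time_code", 3),
)

def score_verification(results, threshold, mandatory=frozenset()):
    """results maps check name -> True/False (absent = not attempted). Returns (verified, points, audit_log)."""
    points, blocked, log = 0, False, []
    for check in CHECKS:
        outcome = results.get(check.name)
        if outcome is None:
            log.append(f"{check.name}: not attempted")
            continue
        log.append(f"{check.name}: {'pass' if outcome else 'fail'} ({check.points} pts)")
        if outcome:
            points += check.points
        elif check.name in mandatory:
            blocked = True  # a failed mandatory check cannot be compensated by points
            log.append(f"{check.name}: mandatory check failed, escalate to manager or in-person proofing")
    return points >= threshold and not blocked, points, log

def issue_code(now_s, ttl_s=600):
    """Unique, time-limited code to send by SMS or e-mail; times are epoch seconds."""
    return {"code": f"{secrets.randbelow(10**6):06d}", "expires": now_s + ttl_s, "used": False}

def redeem_code(record, presented, now_s):
    """Rejects expired or already-used codes; compares in constant time."""
    if record["used"] or now_s > record["expires"]:
        return False
    if not hmac.compare_digest(record["code"], presented):
        return False
    record["used"] = True
    return True
```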
It is also important for IT help desks to protect the privacy of users and ensure that personal information is handled in a secure and confidential manner. They should also ensure that they follow relevant laws and regulations, such as anti-discrimination laws and privacy laws.
Which organizations prescribe how user verification for IT security must be done?
There are several organizations that prescribe how user verification for IT security should be done. Some examples include:
The National Institute of Standards and Technology (NIST) in the United States: NIST is a federal agency that develops technical standards and guidelines for the government, including standards for user verification. NIST has published several documents related to IT security, including the "Digital Identity Guidelines" and the "Multi-Factor Authentication and Identity Assurance" guidance, which provide recommendations for implementing strong user verification processes.
The International Organization for Standardization (ISO): ISO is an international organization that develops and publishes international standards for a wide range of industries, including IT security. ISO has published several standards related to user verification, including ISO/IEC 27001, which provides guidelines for establishing, implementing, maintaining, and continually improving an information security management system.
The Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is a set of security standards that apply to organizations that accept, process, store, or transmit credit card information. PCI DSS requires strong user verification processes to ensure that only authorized users have access to sensitive data.
The Cybersecurity and Infrastructure Security Agency (CISA) in the United States: CISA is a federal agency that works to protect the nation's critical infrastructure from cyber threats. CISA has published several resources related to IT security, including guidance on implementing strong user verification processes.
These are just a few examples of organizations that prescribe how user verification for IT security should be done. There are likely many others, depending on the specific industry and regulatory environment.