Colin Mc Hugo

0 %
Colin Mc Hugo
Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.

How Should the Service Desk Reset Passwords?

May 4, 2021
Reset Password

Ask the common helpdesk technician what they do all day, and they’re going to most likely reply by saying that they reset passwords. Positive, helpdesk technicians do loads of different issues too, however in lots of organizations, a disproportionate variety of helpdesk calls are tied to password resets.

On the floor, having a helpdesk technician reset a user’s password most likely would not look like a giant deal. In any case, the technician merely opens Lively Listing Customers and Computer systems, right-clicks on the consumer account, and chooses the Reset Password command from the shortcut menu. Resetting a password on this manner is a straightforward course of. Organizations may even decide to make use of another instrument such because the Home windows Admin Heart and even PowerShell if they like.

One factor that most individuals most likely do not cease and take into consideration, nonetheless, is that regardless that the steps concerned within the password reset course of are easy sufficient, the process as a whole constitutes a major security risk.

Safety and the service desk

Step one within the password reset course of entails a consumer choosing up the telephone and calling the helpdesk to request a password reset. The issue with that is that the helpdesk technician who solutions the telephone has no manner of realizing whether or not or not the consumer is really who they declare to be.

Positively establishing a caller’s identification was much less of a problem when just about all customers labored within the company workplace, as a result of a consumer’s caller ID info might typically be used as a validation instrument. Whereas utilizing caller ID on this manner doesn’t utterly get rid of the probabilities of one consumer spoofing one other consumer’s identification, it does make it so {that a} consumer who needs to impersonate one other consumer must name the helpdesk from that consumer’s desk.

At the moment in fact, issues are far completely different than they as soon as have been. Because the pandemic drags on, many staff proceed to work at home. Even when the day arrives when folks can safely return to the workplace, a big proportion of workers will most likely proceed to work remotely.

Sadly, caller ID is just not an efficient instrument for validating a distant consumer’s identification. When a distant consumer contacts the group’s helpdesk, they’re calling from an outdoor line. It’s extremely simple for an exterior caller to spoof caller ID info. Telemarketers and phone scammers use this method on a regular basis. Fraudsters will usually, for instance, alter their caller ID info to make it seem as if they belong to a authorities company or a significant company. Merely put, caller ID can’t be trusted for calls originating exterior of the group.

So, if caller ID info is just not reliable, organizations should take into account how finest to validate a consumer’s identification after they name the helpdesk to request a password reset.

One particularly frequent validation approach entails asking the consumer a safety query. The technician may for example ask the caller what their pet’s title is, or what metropolis they have been born in. Sadly, this methodology additionally poses a safety danger.

The obvious danger posed by safety questions is that the Web makes it comparatively simple to assemble private details about somebody. An attacker may make a couple of calls to a company’s helpdesk only for the aim of discovering what kinds of safety questions they ask. As soon as the attacker is aware of the questions which might be most definitely to be requested, they’ll use search engines like google and social media to analysis a specific consumer’s solutions to these questions.

The opposite massive drawback with utilizing safety questions is that the helpdesk technician learns the reply to the query. An unscrupulous technician might then use this info for illicit functions.

This brings up an necessary level. There may be nothing stopping an unethical helpdesk technician from performing an unrequested password reset. The technician might notice {that a} specific consumer goes to be on trip for per week, after which reset the consumer’s password in order that they or another person can entry the account in the course of the worker’s absence.

Greatest practices for service desk password reset

For sure, there are some main challenges related to the password reset course of. One of the best ways to beat these challenges is to undertake a third-party password solution that can securely verify a user’s identity prior to performing a password reset. There are a number of methods during which Specops Software program can do that. One instance entails sending a one-time code to a consumer’s cell system. Moreover, the Specops resolution prevents helpdesk technicians from arbitrarily resetting passwords. A helpdesk technician can not reset a password till the consumer has validated their identification, making it unattainable for a technician to carry out an unauthorized password reset.

Study extra about how Specops can increase password reset security.

Posted in SecurityTags:
Write a comment