Facilitated Password Reset

Service Desk Vulnerabilities, given the low adoption of self service solutions, most users today call the service desk for assistance in resetting, changing or unlocking their passwords.  Gartner call this process the facilitated password reset process (FPR).

Hackers are not stupid and will always attack the weakest link in the chain. It is becoming increasingly difficult to exploit technical vulnerabilities.  So, attackers will turn to exploiting the human element. Cracking the human firewall is often easier, requires little investment beyond the cost of a phone call and involves minimum risk.

The password reset process in most organisations lies within the domain of the I.T. Help desk which, is the primary target for social engineers. Help desk agents are trained to assist users and usually have elevated system privileges. It is natural for people to have a higher degree of acceptance for anyone who claims to be from the same organization.  Someone who seems to know company procedures, terminology and management.

A good social engineer, ensures agents are vulnerable to compromising compliance, particularly under stress. Using highly believable techniques, social engineers can target the help desk and request passwords to be changed.

So how do organizations today facilitate the process of those password resets at the service desk?

How do they authenticate the validity of both the request and identity of the user?

The service desk institute (SDI) undertook a survey in May 2018 of UK-based I.T. service desk managers. This was to understand more about how their organisations were tackling information security.  This along with the implications of GDPR legislation at the service desk.

83% of respondents thought that despite controls being put in place, it is still possible for a criminal to gain a password to a legitimate end users accounts via the service desk.

 The survey revealed that 35% of organisation’s surveyed had no clear authentication process.  Relying instead on the individual service agent to verify a caller’s identity. More alarmingly, close to 20% of I.T service desks do not authenticate end users at all when conducting password resets.

The SDI concluded that 35% of their members are open to security risks as they dispense credentials without clear and consistent authentication processes. Additionally they are at risk of exacerbating password management challenges. Encouraging potentially damaging end-user behaviour.

Facilitated password reset solutions.

These should be implemented with security as its primary concern.  However, IT-budget cuts and outsourcing, have meant that the password processes have become the victim of productivity KPI’s.

From a security perspective to be compliant a facilitated password reset process as a minimum must:

• Have a process where Management define the workflow.
• Process should be consistent, regardless of which agent answers the call.
• The process must be documented and prevent circumvention.
• Dynamic and contextual data must be used as part of the authentication process.
• An audit trail must provide evidence that the process has been followed.

The ITSM process is under constant price and resource pressure.  This is forecast to continue for the foreseeable future.  A balance needs to be struck between security and productivity.

Therefore from a delivery perspective a facilitated password reset solution must:

• Balance risk and cost.
• Minimise the impact of authentication on the service call.
• Be intuitive and easy to follow for the service desk agent.
• Cannot be expensive and complex.
• Must align the service desk process to self service.

Our Solutions

With background in both ITSM and security we provide the industry leading Facilitated Password Reset solution.  This is service desk agnostic, ensures security, compliance and reinforced the Self Service processes.

The solution meets all the security and delivery criteria listed above and provides:

• Verification and Authentication Proofing mechanism based on risk and user profiles: Balance the different user security profiles ensuring risk is weighted based on roles. This ensures stronger proofing where users have access to critical data.
• Self-Service: Provides an end to end process that routes the user back through the self-service process, ensuring adoption and security of passwords is maintained.
• Assisted Password Reset: Allows operators to unlock  or reset a user’s password without the need for unrestricted / direct AD access.
• Fully audited: Provides a complete audit trail plus the capability of alerting management and users of a potential breach.