Facilitated Password Reset
Service Desk Vulnerabilities
Given the low adoption of self-service solutions, most users today call the service desk for assistance in resetting, changing or unlocking their passwords. Gartner calls this the facilitated password reset (FPR) process.
Attackers are not stupid: they go for the weakest link in the chain. As technical vulnerabilities become harder to exploit, attackers turn to the human element. Cracking the human firewall is often easier, requires little investment beyond the cost of a phone call, and carries minimal risk for the attacker.
In most organisations the password reset process sits with the IT help desk, which is therefore the primary target for social engineers. Help desk agents are trained to be helpful and usually hold elevated system privileges. People naturally extend more trust to anyone who claims to be from the same organisation, particularly someone who appears to know company procedures, terminology and management names.
A skilled social engineer exploits exactly that trust, and agents under stress are most likely to let compliance slip. With a believable pretext, a social engineer can call the help desk and have a password changed.
So how do organizations today facilitate the process of those password resets at the service desk?
How do they verify both that the request is legitimate and that the caller is who they claim to be?
The Service Desk Institute (SDI) surveyed UK-based IT service desk managers in May 2018 to understand how their organisations were tackling information security, and what the GDPR legislation meant for the service desk.
83% of respondents thought that, despite the controls in place, it was still possible for a criminal to obtain the password to a legitimate end user's account via the service desk.
The survey revealed that 35% of the organisations surveyed had no clear authentication process, relying instead on the individual service desk agent to verify a caller's identity. More alarmingly, close to 20% of IT service desks do not authenticate end users at all when performing password resets.
The SDI concluded that 35% of its members are exposed to security risk because they dispense credentials without a clear and consistent authentication process. They also risk exacerbating their password management challenges by encouraging potentially damaging end-user behaviour.
Facilitated password reset solutions
These should be implemented with security as the primary concern. However, IT budget cuts and outsourcing have meant that password processes have become the victim of productivity KPIs.
From a security perspective, a facilitated password reset process must, as a minimum:
- Have a workflow defined by management.
- Be consistent, regardless of which agent answers the call.
- Be documented and prevent circumvention by the agent.
- Use dynamic and contextual data as part of the authentication, not only static knowledge (employee number, department, manager's name) that an attacker can research in advance.
- Provide an audit trail that evidences the process has been followed for every reset.
The ITSM process is under constant price and resource pressure, and this is forecast to continue for the foreseeable future. A balance needs to be struck between security and productivity.
Therefore, from a delivery perspective, a facilitated password reset solution must:
- Balance risk and cost.
- Minimise the impact of authentication on the length of the service call.
- Be intuitive and easy to follow for the service desk agent.
- Not be expensive or complex.
- Align the service desk process with self-service.
With a background in both ITSM and security, we provide an industry-leading Facilitated Password Reset solution. It is service desk agnostic, ensures security and compliance, and reinforces the self-service process.
The solution meets all the security and delivery criteria listed above and provides:
- Verification and authentication proofing based on risk and user profiles: the strength of proofing is weighted by role, so users with access to critical data are subject to stronger checks.
- Self-service: an end-to-end process that routes the user back through self-service, so that adoption and password security are maintained.
- Assisted password reset: lets operators unlock or reset a user's password without unrestricted or direct AD access.
- Fully audited: a complete audit trail, plus the ability to alert management and users to a potential breach.
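The minimum process requirements listed earlier (management-defined workflow, consistency across agents, no circumvention, dynamic data, audit trail) and the risk-weighted proofing in the feature list above can be made concrete in a small verification policy engine. The following is an added illustration written for this page; it is not FastPass or any vendor's code. The two role tiers, the factor names, the sample user, the OTP lifetime and the out-of-band `send` callback are all assumptions chosen for the example.

```python
"""Risk-weighted caller verification for a facilitated password reset.

Added illustration, not FastPass or any vendor's code. Role tiers, factor
names, the sample user and the out-of-band `send` callback are assumptions.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

# Static knowledge (employee number, department, manager's name) can be
# researched by a social engineer. The two dynamic factors are generated per
# call and delivered out of band, to contact details already on record.
STATIC_KNOWLEDGE = "static_knowledge"
OTP_REGISTERED_DEVICE = "otp_registered_device"
MANAGER_CALLBACK = "manager_callback"

# Workflow defined by management per risk tier. The engine refuses to
# authorise a reset until every listed factor is satisfied, whichever agent
# handles the call, so steps cannot be skipped under pressure.
POLICY = {
    "standard": [STATIC_KNOWLEDGE, OTP_REGISTERED_DEVICE],
    "privileged": [STATIC_KNOWLEDGE, OTP_REGISTERED_DEVICE, MANAGER_CALLBACK],
}
OTP_TTL_SECONDS = 300  # assumed lifetime of a one-time code


@dataclass
class User:
    username: str
    tier: str            # key into POLICY
    employee_id: str     # static knowledge held on record
    mobile: str          # registered device; never the number the caller offers


@dataclass
class ResetSession:
    ticket: str
    user: User
    agent: str
    required: List[str]
    satisfied: Set[str] = field(default_factory=set)
    otp: Optional[str] = None
    otp_issued_at: float = 0.0
    audit: List[dict] = field(default_factory=list)

    def log(self, event: str, **detail) -> None:
        """Append one audit record; the trail evidences the steps taken."""
        self.audit.append({"ts": time.time(), "ticket": self.ticket,
                           "agent": self.agent, "user": self.user.username,
                           "event": event, **detail})


def start_session(user: User, agent: str, ticket: str) -> ResetSession:
    """Open a session whose required factors come from the user's tier."""
    s = ResetSession(ticket, user, agent, list(POLICY[user.tier]))
    s.log("session_start", tier=user.tier, required=s.required)
    return s


def verify_static(s: ResetSession, employee_id_given: str) -> bool:
    """Weakest factor: checks what the caller says against the record."""
    ok = hmac.compare_digest(employee_id_given, s.user.employee_id)
    s.log("static_check", ok=ok)
    if ok:
        s.satisfied.add(STATIC_KNOWLEDGE)
    return ok


def issue_otp(s: ResetSession, send: Callable[[str, str], None]) -> None:
    """Generate a fresh code and send it to the device on record, not to
    whatever number the caller gives the agent."""
    s.otp = f"{secrets.randbelow(10**6):06d}"
    s.otp_issued_at = time.time()
    send(s.user.mobile, s.otp)
    s.log("otp_sent", destination=s.user.mobile)


def verify_otp(s: ResetSession, code: str) -> bool:
    """Single-use check: right or wrong, the code is consumed."""
    fresh = s.otp is not None and time.time() - s.otp_issued_at < OTP_TTL_SECONDS
    ok = bool(fresh and hmac.compare_digest(code, s.otp))
    s.otp = None
    s.log("otp_check", ok=ok)
    if ok:
        s.satisfied.add(OTP_REGISTERED_DEVICE)
    return ok


def record_manager_callback(s: ResetSession, manager: str, confirmed: bool) -> None:
    """Agent calls the line manager back on the directory number and records
    whether the manager confirmed the request."""
    s.log("manager_callback", manager=manager, confirmed=confirmed)
    if confirmed:
        s.satisfied.add(MANAGER_CALLBACK)


def authorize_reset(s: ResetSession) -> bool:
    """The only point at which a reset may be issued; the decision is the
    policy's, not the agent's, and is always written to the audit trail."""
    missing = [f for f in s.required if f not in s.satisfied]
    s.log("reset_authorized" if not missing else "reset_denied", missing=missing)
    return not missing
```

The point of the structure is that the agent never decides whether the caller has "done enough": `authorize_reset` is the single gate, the required factors are fixed by the user's tier, and every call to every step leaves an audit record whether it passed or failed. In a real deployment the OTP destination would come from the directory or HR system, and the reset itself would be performed by a service account with delegated rights rather than by the agent directly.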
Education use case
Large institutions with staff and student numbers exceeding 14,000, who need to manage password resets across multiple campuses or remotely, using multiple applications.
Solution: FastPass integrates with various IT Service Management tools to support systems that may already be in place. Crucially, it allows users to self-serve and reset their own passwords without the need to visit or contact an IT facility or help desk.
Government use case
Employee password practices are one of the greatest material threats to an organisation. The ability to strengthen password policies beyond what Active Directory enforces, and to manage how employees comply with those policies, is key to preventing data breaches.
There is therefore a growing need to securely reset or unlock passwords remotely. We have supported this flexible working practice by using the synchronisation functionality to enable users' own devices in the workplace.
Managed Service Providers (MSPs) use case
Increasing price pressure and the need for innovation will force MSPs either to invest in automation or to pull out of the managed service desk market. Password-related calls account for up to 35% of their call volume.
Our holistic approach allows MSPs to shift left and deliver password resets via self-service, with a track record of 95% adoption, without committing investment to install and maintain the solution.
Retail use case
Shop floor employees in retail operations are often transient and in many cases use shared logins (tills etc.).
We deliver retail-specific solutions that include code cards to enable the sharing of passwords amongst shop floor workers. We also provide interceptor technology that captures all changes made outside our self-service solution (e.g. via Ctrl+Alt+Del) and applies corporate password policies to those changes.