How Ought to the Service Desk Reset Passwords?

Reset Password

Ask the common helpdesk technician what they do all day, and they’re going to in all probability reply by saying that they reset passwords. Positive, helpdesk technicians do loads of different issues too, however in lots of organizations, a disproportionate variety of helpdesk calls are tied to password resets.

On the floor, having a helpdesk technician reset a user’s password in all probability would not seem to be an enormous deal. In spite of everything, the technician merely opens Lively Listing Customers and Computer systems, right-clicks on the consumer account, and chooses the Reset Password command from the shortcut menu. Resetting a password on this means is a simple course of. Organizations may even choose to make use of an alternate software such because the Home windows Admin Heart and even PowerShell if they like.

One factor that most individuals in all probability do not cease and take into consideration, nonetheless, is that although the steps concerned within the password reset course of are easy sufficient, the process as a whole constitutes a major security risk.

Safety and the service desk

Step one within the password reset course of entails a consumer choosing up the cellphone and calling the helpdesk to request a password reset. The issue with that is that the helpdesk technician who solutions the cellphone has no means of figuring out whether or not or not the consumer is actually who they declare to be.

Positively establishing a caller’s identification was much less of a problem when nearly all customers labored within the company workplace, as a result of a consumer’s caller ID data might generally be used as a validation software. Whereas utilizing caller ID on this means doesn’t utterly remove the possibilities of one consumer spoofing one other consumer’s identification, it does make it so {that a} consumer who needs to impersonate one other consumer must name the helpdesk from that consumer’s desk.

In the present day after all, issues are far completely different than they as soon as had been. Because the pandemic drags on, many staff proceed to do business from home. Even when the day arrives when individuals can safely return to the workplace, a major share of workers will in all probability proceed to work remotely.

Sadly, caller ID isn’t an efficient software for validating a distant consumer’s identification. When a distant consumer contacts the group’s helpdesk, they’re calling from an outdoor line. It’s extremely simple for an exterior caller to spoof caller ID data. Telemarketers and phone scammers use this system on a regular basis. Fraudsters will usually, for instance, alter their caller ID data to make it seem as if they belong to a authorities company or a significant company. Merely put, caller ID can’t be trusted for calls originating exterior of the group.

So, if caller ID data isn’t reliable, organizations should take into account how finest to validate a consumer’s identification once they name the helpdesk to request a password reset.

One particularly frequent validation method entails asking the consumer a safety query. The technician may as an example ask the caller what their pet’s identify is, or what metropolis they had been born in. Sadly, this methodology additionally poses a safety danger.

The obvious danger posed by safety questions is that the Web makes it comparatively simple to assemble private details about somebody. An attacker may make a number of calls to a company’s helpdesk only for the aim of discovering what sorts of safety questions they ask. As soon as the attacker is aware of the questions which can be probably to be requested, they will use engines like google and social media to analysis a selected consumer’s solutions to these questions.

The opposite large downside with utilizing safety questions is that the helpdesk technician learns the reply to the query. An unscrupulous technician might then use this data for illicit functions.

This brings up an vital level. There may be nothing stopping an unethical helpdesk technician from performing an unrequested password reset. The technician might understand {that a} explicit consumer goes to be on trip for every week, after which reset the consumer’s password in order that they or another person can entry the account throughout the worker’s absence.

Finest practices for service desk password reset

For sure, there are some main challenges related to the password reset course of. One of the best ways to beat these challenges is to undertake a third-party password solution that can securely verify a user’s identity prior to performing a password reset. There are a number of methods during which Specops Software program can do that. One instance entails sending a one-time code to a consumer’s cell system. Moreover, the Specops resolution prevents helpdesk technicians from arbitrarily resetting passwords. A helpdesk technician can not reset a password till the consumer has validated their identification, making it unattainable for a technician to carry out an unauthorized password reset.

Study extra about how Specops can increase password reset security.

Source link