Ask the average helpdesk technician what they do all day, and they will likely respond by saying that they reset passwords. Sure, helpdesk technicians do plenty of other things as well, but in many organizations a disproportionate number of helpdesk calls are tied to password resets.
On the surface, having a helpdesk technician reset a user's password probably does not seem like a big deal. After all, the technician simply opens Active Directory Users and Computers, right-clicks the user account, and chooses the Reset Password command from the shortcut menu. Resetting a password this way is an easy process. Organizations can even opt for an alternative tool such as the Windows Admin Center or PowerShell if they prefer.
One thing that most people probably do not stop and think about, however, is that even though the steps involved in the password reset process are simple enough, the process as a whole constitutes a major security risk.
Security and the service desk
The first step in the password reset process is a user picking up the phone and calling the helpdesk to request a reset. The problem is that the helpdesk technician who answers the phone has no way of knowing whether the caller is really who they claim to be.
Positively establishing a caller's identity was less of an issue when nearly all users worked in the corporate office, because a user's caller ID information could sometimes serve as a validation tool. Although using caller ID this way does not completely eliminate the chance of one user spoofing another user's identity, it does mean that someone wishing to impersonate another user would have to call the helpdesk from that user's desk.
Today, of course, things are far different than they once were. As the pandemic drags on, many employees continue to work from home. Even when the day comes that people can safely return to the office, a significant percentage of employees will probably continue to work remotely.
Unfortunately, caller ID is not an effective tool for validating a remote user's identity. When a remote user contacts the organization's helpdesk, they are calling from an outside line, and it is incredibly easy for an external caller to spoof caller ID information. Telemarketers and phone scammers use this technique all the time. Fraudsters will often, for example, alter their caller ID information to make it appear as though they belong to a government agency or a major corporation. Simply put, caller ID cannot be trusted for calls originating outside the company.
So, if caller ID information is not reliable, organizations must consider how best to validate a user's identity when they call the helpdesk to request a password reset.
One especially common validation method involves asking the user a security question. The technician might, for instance, ask the caller their pet's name or the city in which they were born. Unfortunately, this method also poses a security risk.
The most obvious risk posed by security questions is that the Internet makes it relatively easy to acquire personal information about an individual. An attacker might make a few calls to an organization's helpdesk just to determine what types of security questions it asks. Once the attacker knows which questions are most likely to be asked, they can use search engines and social media to research a particular user's answers to those questions.
The other big problem with security questions is that the helpdesk technician learns the answer to the question. An unscrupulous technician could then use this information for illicit purposes.
This brings up an important point. There is nothing stopping an unethical helpdesk technician from performing an unrequested password reset. The technician might learn that a particular user is going to be on vacation for a week, and then reset that user's password so that they, or someone else, can access the account during the employee's absence.
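One defensive control against the unrequested reset described above is to reconcile every reset the domain records against the service desk's own records. Windows writes Security event ID 4724 ("An attempt was made to reset an account's password") whenever one principal resets another account's password. The script below is an added example written for this article, not code from the original piece or from Specops; it parses a constructed, simplified event export (the line format is invented for the example and is not real Windows output), matches each 4724 event against constructed helpdesk ticket records and an out-of-office list, and flags resets with no ticket, resets whose ticket never recorded an identity check, and resets of accounts whose owner is recorded as being away.

```python
"""Flag Active Directory password resets that no verified helpdesk request explains."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ResetEvent:
    time: datetime
    technician: str   # SubjectUserName in 4724: the account that performed the reset
    target: str       # TargetUserName in 4724: the account whose password was reset


@dataclass(frozen=True)
class Ticket:
    target: str
    opened: datetime
    identity_verified: bool   # did the service desk verify the caller before acting?


# Constructed sample lines in a simplified "exported event" format (not real
# Windows output). 4724 is a reset performed by another principal; 4723 is a
# user changing their own password and is deliberately ignored here.
SAMPLE_EVENTS = """\
2024-03-04T09:02:10 EventID=4724 Subject=helpdesk.ann Target=bsmith
2024-03-04T11:40:00 EventID=4724 Subject=helpdesk.ann Target=cjones
2024-03-06T22:15:33 EventID=4724 Subject=helpdesk.bob Target=dlee
2024-03-04T09:05:00 EventID=4723 Subject=bsmith Target=bsmith
"""

# Constructed helpdesk ticket records and an out-of-office list (hypothetical data).
SAMPLE_TICKETS = [
    Ticket("bsmith", datetime(2024, 3, 4, 8, 55), identity_verified=True),
    Ticket("cjones", datetime(2024, 3, 4, 11, 30), identity_verified=False),
]
SAMPLE_ON_LEAVE = {"dlee": (datetime(2024, 3, 4), datetime(2024, 3, 11))}

EVENT_RE = re.compile(r"^(\S+) EventID=(\d+) Subject=(\S+) Target=(\S+)$")


def parse_reset_events(text):
    """Return only the 4724 events (resets done on someone else's account)."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m or m.group(2) != "4724":
            continue
        events.append(ResetEvent(datetime.fromisoformat(m.group(1)), m.group(3), m.group(4)))
    return events


def find_suspicious_resets(events, tickets, on_leave, window=timedelta(hours=1)):
    """Return (event, reason) pairs for resets that lack a verified, timely ticket
    or that target an account whose owner is recorded as being away."""
    findings = []
    for ev in events:
        if ev.target in on_leave:
            start, end = on_leave[ev.target]
            if start <= ev.time <= end:
                findings.append((ev, "target account owner is on leave"))
                continue
        # A ticket explains a reset only if it was opened shortly before the event.
        matching = [t for t in tickets
                    if t.target == ev.target and t.opened <= ev.time <= t.opened + window]
        if not matching:
            findings.append((ev, "no helpdesk ticket within window"))
        elif not any(t.identity_verified for t in matching):
            findings.append((ev, "ticket exists but caller identity was not verified"))
    return findings


def suspicious_targets(text=SAMPLE_EVENTS, tickets=SAMPLE_TICKETS, on_leave=SAMPLE_ON_LEAVE):
    """Convenience wrapper: (target, reason) pairs for the sample data."""
    events = parse_reset_events(text)
    return [(ev.target, reason) for ev, reason in find_suspicious_resets(events, tickets, on_leave)]


if __name__ == "__main__":
    for target, reason in suspicious_targets():
        print(f"{target}: {reason}")
```

The reconciliation window and the leave calendar are the two knobs worth tuning: a short window catches resets performed long after a ticket closed, and the leave check is what surfaces the "user is on vacation" scenario the article describes, since such a reset will usually have no ticket at all.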
Best practices for service desk password reset
Needless to say, there are some significant challenges associated with the password reset process. The best way to overcome them is to adopt a third-party password solution that can securely validate a user's identity before a password reset is performed. There are several ways in which Specops Software can do this. One example involves sending a one-time code to the user's mobile device. Additionally, the Specops solution prevents helpdesk technicians from arbitrarily resetting passwords: a technician cannot reset a password until the user has validated their identity, making it impossible for a technician to perform an unauthorized password reset.
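The control the paragraph describes, a reset path that refuses to run until the user has proven possession of their registered phone, can be modelled in a few dozen lines. The code below is an added example written for this article; it is not Specops' implementation or any vendor's API. It assumes a `send_sms` delivery hook and a plain dictionary standing in for the user directory (both hypothetical), and shows the properties such a gate needs: the code goes only to the number already on file, only a digest of it is stored, comparison is constant-time, the code is single-use, time-limited and attempt-limited, and a technician calling `reset_password` without a prior successful `verify` gets an exception rather than a reset.

```python
"""Gate helpdesk password resets behind a one-time code sent to the user's phone."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

CODE_TTL = timedelta(minutes=5)   # a code the user does not use promptly should expire
MAX_ATTEMPTS = 3                  # bound guessing of a six-digit code


class VerificationRequired(Exception):
    """Raised when a technician tries to reset a password without a verified caller."""


def _hash(code: str) -> bytes:
    # Store only a digest so a technician reading the pending table cannot see the code.
    return hashlib.sha256(code.encode()).digest()


class ResetGate:
    def __init__(self, send_sms, directory, now=lambda: datetime.now(timezone.utc)):
        self._send = send_sms          # hypothetical hook: callable(phone, message)
        self._dir = directory          # hypothetical store: {username: {"phone": str, "password": str}}
        self._now = now                # injectable clock so expiry is testable
        self._pending = {}             # username -> [code_hash, expires_at, attempts]
        self._verified = set()         # users who have just proved possession of their phone

    def start_verification(self, username: str) -> None:
        """Send a fresh code to the phone number on file, never to one the caller dictates."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = [_hash(code), self._now() + CODE_TTL, 0]
        self._send(self._dir[username]["phone"], f"Your password reset code is {code}")

    def verify(self, username: str, code: str) -> bool:
        """Check the caller's code: single-use, time-limited and attempt-limited."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        code_hash, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[username]          # expired or exhausted: must start over
            return False
        entry[2] += 1
        if not hmac.compare_digest(code_hash, _hash(code)):   # constant-time comparison
            return False
        del self._pending[username]              # a code is good exactly once
        self._verified.add(username)
        return True

    def reset_password(self, technician: str, username: str, new_password: str) -> None:
        """The only path that changes a password; refuses unless verify() just succeeded."""
        if username not in self._verified:
            raise VerificationRequired(
                f"{technician} attempted to reset {username} without caller verification")
        self._verified.discard(username)         # one verification authorizes one reset
        self._dir[username]["password"] = new_password


def demo():
    """Run the flow against a constructed directory. Returns four booleans:
    (wrong code rejected, correct code accepted, reset applied, second reset blocked)."""
    directory = {"jdoe": {"phone": "+1-555-0100", "password": "old-password"}}   # constructed
    outbox = []
    gate = ResetGate(lambda phone, msg: outbox.append(msg), directory)

    gate.start_verification("jdoe")
    code = outbox[-1].split()[-1]                # the user reads this off their phone
    wrong = f"{(int(code) + 1) % 10**6:06d}"
    wrong_rejected = not gate.verify("jdoe", wrong)
    right_accepted = gate.verify("jdoe", code)

    gate.reset_password("helpdesk.ann", "jdoe", "N3w-Temp-Pass")
    reset_applied = directory["jdoe"]["password"] == "N3w-Temp-Pass"
    try:
        gate.reset_password("helpdesk.ann", "jdoe", "again")   # no fresh verification
        second_blocked = False
    except VerificationRequired:
        second_blocked = True
    return wrong_rejected, right_accepted, reset_applied, second_blocked


if __name__ == "__main__":
    print(demo())
```

The point of routing every reset through `reset_password` is that the technician's tooling has no other write path: the exception raised for an unverified reset is also the event a SIEM should alert on, since a legitimate reset never reaches that branch.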
Learn more about how Specops can improve password reset security.