10th May 2021, Kathmandu
Employees forget passwords, and when they do they call the service desk to have them changed or reset. The service desk does other work too, but ask an average service desk analyst and they will tell you they reset passwords all day. In most organizations, a disproportionate share of service desk calls is about password resets.
It may not seem like a big deal to have service desk analysts resetting passwords. After all, they open Active Directory Users and Computers, right-click the user account and choose Reset Password from the shortcut menu; the process could hardly be easier. Depending on preference, organizations can use an alternative tool such as Windows Admin Center or PowerShell instead.
However, people fail to recognize the security risk in the password reset process itself, and that is why the process needs to be secured.
According to Service Desk Institute research, in 35% of organizations the reset procedure followed by the service desk analyst has no management-approved verification step at all, and in the remaining 65% verification relies on questioning the caller about data that is readily available to criminals.
Before a password is handed to a caller, the caller must be verified as the legitimate user; identity verification is the control that minimizes the risk. When management has defined no verification process, there is a real chance that the analyst will hand a password to the wrong person. Identity verification needs tooling, but management must still define the procedure the analyst performs, and that procedure must be based on dynamic information (something generated for this particular request) because static information is too easy to obtain.
The caller's phone number (caller ID) is sometimes used as a validation tool. But a matching caller ID does not rule out someone impersonating the user when they phone the service desk: caller ID information is easy to spoof when calling from an outside line, a technique telemarketers and telephone scammers use routinely. For this reason, caller ID cannot be trusted as verification.
Security questions are another common validation technique, asking the caller about things like a pet's name or place of birth. The obvious weakness is that the internet makes personal information easy to gather: if the attacker knows the question, they can usually look up the answer. A dishonest technician is another risk, since the technician can see every answer on file.
The broader point is that a dishonest technician is a threat in their own right, because they can perform a password reset that nobody requested. They may target users who are on leave, on vacation or otherwise away from work and unlikely to notice.
Adopting a third-party password solution lets the service desk verify a user's identity securely before a reset: sending a one-time code to the user's mobile device, requiring multi-factor verification so that a technician cannot complete a reset on their own, and sending enrollment and reset notifications to the user by email or to a device registered in Active Directory, so an unrequested reset does not go unnoticed. These methods secure the whole process without causing trouble for users.
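The following PowerShell script is an added example, not code from the original article or from any vendor product. It shows what a verified reset looks like in practice: a one-time code goes to the mobile number that was enrolled in Active Directory before the call, the caller reads it back, and only then does the analyst's session perform the reset, with a random temporary password that must be changed at next logon and an audit line recording who reset which account under which ticket. It assumes the RSAT ActiveDirectory module on the service desk host, the user's number in the AD MobilePhone attribute, and a caller-supplied delivery scriptblock for SMS or push; the function names are the example's own.

```powershell
# Added example (not from the original article): gate an AD password reset on a
# one-time code delivered to the user's enrolled mobile number, and audit the reset.
# Assumptions: RSAT ActiveDirectory module installed, MobilePhone populated in AD,
# and a -Sender scriptblock that calls your SMS/push gateway (placeholder here).
Import-Module ActiveDirectory

$script:Rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$script:Pending  = @{}        # SamAccountName -> @{ Code; Expires; Attempts }
$script:AuditLog = Join-Path $env:ProgramData 'HelpDeskResets.log'

function Get-SecureRandomInt {
    # Uniform integer in [0, Max) from the CSPRNG; rejection sampling removes modulo bias.
    param([Parameter(Mandatory)][int]$Max)
    $buf = [byte[]]::new(4)
    do {
        $script:Rng.GetBytes($buf)
        $n = [System.BitConverter]::ToUInt32($buf, 0)
    } until ($n -lt ([uint32]::MaxValue - ([uint32]::MaxValue % $Max)))
    return [int]($n % $Max)
}

function New-TemporaryPassword {
    # Random temporary password with at least one character from each class,
    # so the default domain complexity policy accepts it.
    param([int]$Length = 16)
    $classes = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!@#$%^&*-_=+'
    $all   = -join $classes
    $chars = @(foreach ($c in $classes) { $c[(Get-SecureRandomInt -Max $c.Length)] })
    while ($chars.Count -lt $Length) { $chars += $all[(Get-SecureRandomInt -Max $all.Length)] }
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {          # Fisher-Yates shuffle
        $j = Get-SecureRandomInt -Max ($i + 1)
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    return -join $chars
}

function New-ResetChallenge {
    # Step 1: send a short-lived code to the number enrolled before the call, never to
    # a number the caller gives over the phone.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][scriptblock]$Sender,      # { param($To, $Code) <your gateway call> }
        [int]$TtlMinutes = 5
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties MobilePhone
    if (-not $user.MobilePhone) {
        throw "$SamAccountName has no enrolled mobile number; use the in-person fallback process."
    }
    $code = (Get-SecureRandomInt -Max 1000000).ToString('D6')
    $script:Pending[$SamAccountName] = @{ Code = $code; Expires = (Get-Date).AddMinutes($TtlMinutes); Attempts = 0 }
    & $Sender $user.MobilePhone $code
}

function Test-ResetChallenge {
    # Step 2: the caller reads the code back. Single use, three tries, then it is burned.
    param([Parameter(Mandatory)][string]$SamAccountName, [Parameter(Mandatory)][string]$Code)
    $c = $script:Pending[$SamAccountName]
    if (-not $c) { return $false }
    $expired = (Get-Date) -gt $c.Expires
    $c.Attempts++
    $ok = (-not $expired) -and ($Code -eq $c.Code)
    if ($ok -or $expired -or $c.Attempts -ge 3) { $script:Pending.Remove($SamAccountName) }
    return $ok
}

function Invoke-VerifiedPasswordReset {
    # Step 3: reset only after a successful challenge, force a change at next logon, log it.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Code,
        [Parameter(Mandatory)][string]$TicketId
    )
    $stamp = Get-Date -Format o
    if (-not (Test-ResetChallenge -SamAccountName $SamAccountName -Code $Code)) {
        Add-Content -Path $script:AuditLog -Value "$stamp DENIED user=$SamAccountName by=$env:USERNAME ticket=$TicketId"
        throw "Identity verification failed for $SamAccountName; no reset performed."
    }
    $temp = New-TemporaryPassword
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Reset password')) {
        Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword (ConvertTo-SecureString $temp -AsPlainText -Force)
        Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true   # analyst never holds a lasting credential
        Unlock-ADAccount -Identity $SamAccountName
        Add-Content -Path $script:AuditLog -Value "$stamp RESET user=$SamAccountName by=$env:USERNAME ticket=$TicketId"
    }
    return $temp
}

# Usage during a call (the sender below only echoes the code; replace it with your gateway):
# New-ResetChallenge -SamAccountName jdoe -Sender { param($To, $Code) Write-Host "send $Code to $To" }
# Invoke-VerifiedPasswordReset -SamAccountName jdoe -Code '123456' -TicketId INC0001 -WhatIf
```

The point of the structure is that the dynamic secret (the code) never passes through the analyst: it is generated in the session, delivered out of band to a factor enrolled in advance, and consumed on first use or after three wrong answers. The audit line ties every reset, granted or denied, to the analyst's account and a ticket, which is what lets you spot the unrequested reset of a user who is away from work.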