For most software and online service accounts, passwords are the main line of defense. However, it is common for many users to have dozens of user accounts for different apps and services. Security requirements dictate that each password have sufficient complexity and be updated periodically.
This leaves users with the challenging task of coming up with sufficiently secure passwords as well as remembering which passwords go with which account. Unfortunately, that leads to passwords like P@ssword123 written on a post-it note stuck to the monitor. And the fact of the matter is that sometimes even those passwords are lost or forgotten.
Getting back into an account after forgetting or losing a password is a frustrating experience for users if there isn’t an automated password reset system in place. If there isn’t password reset functionality built into the account or application they are trying to use, they will have to submit a ticket to the Help Desk and then wait for the support technicians to respond, unlock the account, reset the password, and send the new password to the user.
This process is even more frustrating in the case of a user getting locked out of their computer or workstation. Since they won’t be able to access their email account to submit the Help Desk ticket, they may have to call a support line, navigate an automated phone system, and confirm their identity over the phone, all before the support tech will be able to issue a new password.
There are several security vulnerabilities inherent to managing password resets through Help Desk tickets. Through the ticketing system, it becomes difficult to confirm the identity of the person requesting the new password. Even over the phone, giving out a new password carries risks. How is the support technician supposed to verify that it is, in fact, the senior vice president on the line, and not a hacker manipulating him into giving out a fresh password that unlocks sensitive materials? Clearly there are risks involved with giving support techs the responsibilities of handing out passwords.
It would seem that a self-serve password reset system would be superior. However, it’s not that simple. There are security risks involved in self-serve systems too. Removing the human element prevents hackers from having someone to trick into handing out a password, but computer systems are also susceptible to manipulation.
It is critical to have a self-service password management system that also supports two-factor authentication. If the password reset system just sends a temporary password or a password reset link to an email address, it is not much more secure than having a tech give out a new password over the phone. A compromised email account puts every password that can be reset through it at risk. If a hacker steals a user’s email account password, they will be able to reset the passwords to a number of that user’s other accounts.
One of the most secure ways to manage self-service password resets is to require two-factor authentication. The second factor helps confirm the user’s identity. The second factor could be something like image recognition, a secret question, or a code delivered to a cell phone via text message. This ensures that even if the user’s email address is compromised, a hacker will still have another barrier to prevent him from resetting the password and accessing the account.
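The reset flow the two paragraphs above describe, as an added Python example (not ASPG's or ReACT's code): a request is only honored when the caller presents both the token from the emailed link and a separate one-time code delivered over a second channel, so a stolen mailbox alone is not enough. The class name, the 15-minute lifetime, the five-attempt limit and the six-digit SMS-style code are all assumptions made here to illustrate the idea; the request is single-use, expires, and stores only hashes of the token and code so a leaked database does not expose live reset secrets.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Policy values chosen for this example (assumed, not taken from the article).
RESET_TTL_SECONDS = 15 * 60   # a reset request dies after 15 minutes
MAX_CODE_ATTEMPTS = 5         # then the request is burned and must be restarted


def _digest(value: str) -> bytes:
    """Hash a high-entropy token/code so stored reset state is useless if leaked."""
    return hashlib.sha256(value.encode()).digest()


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (scrypt from the standard library)."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


@dataclass
class ResetRequest:
    token_digest: bytes   # proves possession of the emailed link
    code_digest: bytes    # proves possession of the second factor (e.g. SMS code)
    created_at: float
    attempts: int = 0
    used: bool = False


class ResetService:
    """Self-service reset that requires BOTH the emailed token and the second-factor code."""

    def __init__(self, clock=time.time):
        self._clock = clock                              # injectable for testing expiry
        self._credentials: dict[str, tuple[bytes, bytes]] = {}   # user -> (salt, hash)
        self._requests: dict[str, ResetRequest] = {}

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._credentials[user] = (salt, _hash_password(password, salt))

    def verify_password(self, user: str, password: str) -> bool:
        if user not in self._credentials:
            return False
        salt, stored = self._credentials[user]
        return hmac.compare_digest(_hash_password(password, salt), stored)

    def start_reset(self, user: str) -> tuple[str, str]:
        """Create a reset request. The token belongs in the email link, the code goes
        to the user's phone. Both are returned here only so the caller can deliver
        them; a real system sends them over two separate channels."""
        if user not in self._credentials:
            raise KeyError(user)
        token = secrets.token_urlsafe(32)                 # unguessable link token
        code = f"{secrets.randbelow(10**6):06d}"          # constructed 6-digit second factor
        self._requests[user] = ResetRequest(_digest(token), _digest(code), self._clock())
        return token, code

    def complete_reset(self, user: str, token: str, code: str, new_password: str) -> tuple[bool, str]:
        req = self._requests.get(user)
        if req is None or req.used:
            return False, "no active reset request"
        if self._clock() - req.created_at > RESET_TTL_SECONDS:
            del self._requests[user]
            return False, "reset request expired"
        if req.attempts >= MAX_CODE_ATTEMPTS:
            del self._requests[user]                      # stop online guessing of the code
            return False, "too many attempts; request a new reset"
        req.attempts += 1
        # Check both factors in constant time before deciding, so the response
        # does not reveal which one was wrong.
        token_ok = hmac.compare_digest(_digest(token), req.token_digest)
        code_ok = hmac.compare_digest(_digest(code), req.code_digest)
        if not (token_ok and code_ok):
            return False, "verification failed"
        req.used = True                                   # single use
        self.register(user, new_password)                 # fresh salt and hash
        return True, "password updated"
```

The point the example makes is structural: the emailed token on its own never changes a password, so an attacker who only controls the mailbox is stopped at the second factor, and the expiry and attempt cap close the window for guessing the short code.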
If your Help Desk team is still managing password reset requests manually, it might be time to find a different solution. The time of your Help Desk staff is valuable and shouldn’t be taken up by tasks as trivial as resetting a password. This is especially true because of the security vulnerabilities that come with manual password resets. ReACT, by ASPG, provides an enterprise grade password reset and management tool that supports two-factor authentication. To see how much easier it can be, sign up for a free trial of ReACT.
Photo Credit: Juan J. Martínez via: imager.io, cc