Self-serve password reset programs help make organizations more productive and keep data secure. In organizations without a self-serve password reset solution, Help Desk staff spend a great deal of time resetting passwords. Beyond the time cost, there are serious security weaknesses inherent in handling password resets through phone calls to the Help Desk, because it is difficult to confirm a caller's identity over the phone.
The data security risks of a phone-based reset process are immediately apparent. A determined attacker could call the Help Desk posing as the CEO or a senior vice president and demand a password reset. From there, the attacker continues the social engineering attack by talking their way through whatever identity check the Help Desk applies, leaving the employee, under pressure from a supposedly senior caller, with little choice but to reset the password and hand over access to the account.
Identity checks over the phone are typically based on some form of challenge question. However, these questions usually concern information that is not hard for an attacker to uncover: where the user went to school, or their mother's maiden name. The first can often be found on LinkedIn, and the second on Facebook. A brief look at a manual password reset process makes clear that confirming a user's identity over the phone with such questions is a weak authentication factor.
Self-serve password reset systems provide much better security, but they are not immune to attack. Removing the human element means there is no one for an attacker to trick into handing out a password; a self-serve system that relies on the same guessable challenge questions, or that issues reset links that are predictable, long-lived or reusable, can still be abused. Implementing a self-serve password reset program alone is therefore not enough to keep account data secure. The reset itself should be protected with multi-factor authentication.
Usernames and passwords are the most common way data is protected in most organizations. However, single-factor authentication is not sufficient to keep sensitive data out of the hands of determined attackers. Organizations concerned about the security of their data should also require a second form of authentication when a user logs in from a new device or resets a password. Multi-factor authentication requires users to prove their identity with both something they know (a password) and something they have (a phone running an authenticator app, or a hardware key fob). A username or email address identifies the user but is not a secret, so it does not count as a factor.
In a typical self-serve password reset, the user enters their email address or username and is sent a reset link or a temporary password. The link should be single-use and should expire after a short time. After clicking it, the user reaches a screen where a new password can be entered. To make this step secure, the user should be prompted here for a second factor of authentication. This second factor could be a code sent to a cell phone via SMS, although SMS is the weakest of the common options because codes can be intercepted through SIM swapping; a code generated by an authenticator app is preferable. Users may instead carry a key fob that displays a regularly updated code, which they must enter before the password can be changed. Only after both checks pass (possession of the emailed link and possession of the device that produced the code) is the user allowed to complete the self-serve password reset and set a new password, which is then usable across the system.
The strength of a self-serve password reset program is that it does not rely on individuals who can be manipulated by social engineering. Instead, the automated process applies objective, consistent criteria before granting a reset. The second factor means that stealing the password or guessing the challenge questions is no longer enough on its own to take over the account.
To learn more about multi-factor authentication for self-serve password resets, read on about ASPG’s security product, ReACT.