Home News How Should the Service Desk Reset Passwords?

    How Should the Service Desk Reset Passwords?


    Reset Password

    Ask the common helpdesk technician what they do all day, and they’re going to in all probability reply by saying that they reset passwords. Positive, helpdesk technicians do loads of different issues too, however in lots of organizations, a disproportionate variety of helpdesk calls are tied to password resets.

    On the floor, having a helpdesk technician reset a user’s password in all probability does not seem to be a giant deal. In any case, the technician merely opens Lively Listing Customers and Computer systems, right-clicks on the person account, and chooses the Reset Password command from the shortcut menu. Resetting a password on this method is a simple course of. Organizations may even choose to make use of another device such because the Home windows Admin Heart and even PowerShell if they like.

    One factor that most individuals in all probability do not cease and take into consideration, nonetheless, is that though the steps concerned within the password reset course of are easy sufficient, the process as a whole constitutes a major security risk.

    Safety and the service desk

    Step one within the password reset course of includes a person choosing up the cellphone and calling the helpdesk to request a password reset. The issue with that is that the helpdesk technician who solutions the cellphone has no method of realizing whether or not or not the person is actually who they declare to be.

    Positively establishing a caller’s identification was much less of a problem when nearly all customers labored within the company workplace, as a result of a person’s caller ID data may typically be used as a validation device. Whereas utilizing caller ID on this method doesn’t utterly eradicate the probabilities of one person spoofing one other person’s identification, it does make it so {that a} person who needs to impersonate one other person must name the helpdesk from that person’s desk.

    Immediately after all, issues are far totally different than they as soon as have been. Because the pandemic drags on, many employees proceed to make money working from home. Even when the day arrives when individuals can safely return to the workplace, a big proportion of staff will in all probability proceed to work remotely.

    Sadly, caller ID shouldn’t be an efficient device for validating a distant person’s identification. When a distant person contacts the group’s helpdesk, they’re calling from an outdoor line. It’s extremely straightforward for an exterior caller to spoof caller ID data. Telemarketers and phone scammers use this system on a regular basis. Fraudsters will usually, for instance, alter their caller ID data to make it seem as if they belong to a authorities company or a serious company. Merely put, caller ID can’t be trusted for calls originating exterior of the group.

    So, if caller ID data shouldn’t be reliable, organizations should take into account how greatest to validate a person’s identification once they name the helpdesk to request a password reset.

    One particularly widespread validation approach includes asking the person a safety query. The technician may as an illustration ask the caller what their pet’s identify is, or what metropolis they have been born in. Sadly, this methodology additionally poses a safety danger.

    The obvious danger posed by safety questions is that the Web makes it comparatively straightforward to assemble private details about somebody. An attacker may make just a few calls to a corporation’s helpdesk only for the aim of discovering what varieties of safety questions they ask. As soon as the attacker is aware of the questions which might be most probably to be requested, they will use engines like google and social media to analysis a specific person’s solutions to these questions.

    The opposite huge drawback with utilizing safety questions is that the helpdesk technician learns the reply to the query. An unscrupulous technician may then use this data for illicit functions.

    This brings up an necessary level. There may be nothing stopping an unethical helpdesk technician from performing an unrequested password reset. The technician could understand {that a} specific person goes to be on trip for every week, after which reset the person’s password in order that they or another person can entry the account through the worker’s absence.

    Greatest practices for service desk password reset

    Evidently, there are some main challenges related to the password reset course of. One of the simplest ways to beat these challenges is to undertake a third-party password solution that can securely verify a user’s identity prior to performing a password reset. There are a number of methods during which Specops Software program can do that. One instance includes sending a one-time code to a person’s cellular gadget. Moreover, the Specops answer prevents helpdesk technicians from arbitrarily resetting passwords. A helpdesk technician can not reset a password till the person has validated their identification, making it not possible for a technician to carry out an unauthorized password reset.

    Be taught extra about how Specops can increase password reset security.

    Source link