Improve your Password Reset set up

Password reset tickets – on one hand, they’re easy. On the other hand, they’re extremely annoying. The time you spend fixing a user’s password problems is time your company could spend on bigger issues.

How bad is it? And how can you improve it?

It’s 2021 and working remotely has become the norm, especially since the Coronavirus outbreak. Luckily, mobile devices like smartphones and tablets enable users to work wherever and whenever they want. When they do, access to company data must be secure and as seamless as possible.

Everything works perfectly until somebody needs to reset or change their Active Directory password, because password reset tickets are avenues for possible intrusion when the reset is processed by the help desk or other technical teams of the organization.

The account of any employee who does not remember their password is vulnerable. If the processes implemented by the help desk do not follow best practices for identity, access and password management, this vulnerability is increased.

Therefore, don’t leave any room for any intrusion. Ensure that the password reset process performed by the help desk is highly secure.

We came up with two approaches, so that password reset is nothing you have to worry about:
  1. The classic help desk setup to reset the password
  2. The new approach which reduces IT friction to zero

The classic help desk setup to reset the password

Begin with the password reset tickets and calls.

The first step is to secure the help desk itself: it is the first line of defense and the first to be attacked. Therefore, ensure that all necessary security steps have been taken. This comprises security training, NIST-compliant processes and secure machines.

Next, when a password request arrives by phone or email, verify the requester and make sure the account really belongs to them. Put a strong verification process in place. This means avoiding the regular security questions: high school details, mother’s maiden name or the employee’s hire date can easily be found online by attackers.

Preferably, verify users with multi-factor authentication (MFA) that requires either a token device or the user’s response to a text message or email; a device the user already carries is very effective for access and identity management. If this cannot be implemented, use questions based on personal information that attackers cannot determine.

Temporary password from help desk

A temporary password is sometimes provided by the help desk for password reset requests. This method is usually not ideal because two individuals already know the password, which opens the door to possible intrusion.

Implement these guidelines if this method is used:
  • Use a unique password for every user. A different temporary password per user avoids a situation where a single mistake exposes multiple accounts.
  • Use lengthy passwords of more than sixteen characters.
  • Generate these passwords randomly from several character sets so that they cannot be predicted; avoid patterns such as HiredateName.
  • Combine lowercase, uppercase and special characters. Avoid standard and obvious substitutions such as zero for the letter O and three for the letter E.
  • Also create a verification process to make sure the user changes the temporary password provided, and make sure that process mandates strong and secure replacement passwords.
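
The guidelines above, as an added example that is not part of the original article: a temporary password is generated with a CSPRNG under a constructed policy (more than sixteen characters, all four character classes), stored only as a salted hash, and the account is flagged so the first login forces a policy-checked change. The in-memory `store` and PBKDF2 hashing are assumptions standing in for the directory.

```python
import hashlib
import secrets
import string

# Constructed policy matching the guidelines above: more than sixteen characters,
# all four character classes, drawn from a CSPRNG, and a fresh password per user.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!#$%&*+-=?@^_~"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS
MIN_LENGTH = 17

def meets_policy(password: str) -> bool:
    """More than sixteen characters and at least one character of every class."""
    return len(password) >= MIN_LENGTH and all(
        any(c in cls for c in password) for cls in (LOWER, UPPER, DIGITS, SYMBOLS))

def generate_temporary_password(length: int = 20) -> str:
    """Uniform draw from `secrets`, resampled until the policy holds (no position bias)."""
    length = max(length, MIN_LENGTH)  # anything shorter could never satisfy the policy
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for the directory's own hashing; never keep the plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def issue_temporary_password(store: dict, username: str) -> str:
    """Temporary password for an already verified user, flagged so it must be changed."""
    password = generate_temporary_password()
    salt = secrets.token_bytes(16)
    store[username] = {"salt": salt, "hash": _hash(password, salt), "must_change": True}
    return password  # read out over the verified channel, never put in an email

def login(store: dict, username: str, password: str) -> str:
    """Return 'denied', 'must_change' (temporary password still active) or 'ok'."""
    rec = store.get(username)
    if rec is None or not secrets.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
        return "denied"
    return "must_change" if rec["must_change"] else "ok"

def change_password(store: dict, username: str, current: str, new: str) -> bool:
    """Replace the temporary password; the new one must differ and meet the policy."""
    if login(store, username, current) == "denied" or new == current or not meets_policy(new):
        return False
    salt = secrets.token_bytes(16)
    store[username] = {"salt": salt, "hash": _hash(new, salt), "must_change": False}
    return True
```
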

Password reset emails

If you respond to requests by email, a verification process should also be in place to make certain that the request was not sent by an attacker. For an added layer of security, notify the user via email or another channel that a password reset was requested and/or has occurred. Include a link they can use to reach your help desk if they are not aware of the request, so an attack can be stopped quickly.

Ensure that the temporary or new password is not included in the email. Also, make sure the username of the account holder is not included: anyone who intercepts the email would then hold half of the information needed to exploit the account. Ideally, provide only a password reset link that the user can use to set a new password without any temporary password. When doing this,

  1. Ensure your email looks professional, correctly spelled, and nothing like a phishing email.
  2. Determine an expiration time for the email and make sure it can only be used once. This will prevent another opportunity for online criminals.
  3. Always add a link that users can use to reach out to the support team if they need additional help or did not request a password reset.
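
The reset-link mechanism described above, as an added example that is not part of the original article: the link carries only a random token, the server stores just the token's hash with an expiry, the token is invalidated on first use, and the mail body contains neither username nor password. The in-memory `store`, the 15-minute lifetime and the `example.invalid` URL are assumptions.

```python
import hashlib
import secrets

TOKEN_TTL_SECONDS = 15 * 60  # constructed expiry; the article only says to set one

def create_reset_token(store: dict, username: str, now: float) -> str:
    """Issue a single-use reset token for a request that has already been verified.
    Only a hash is stored, so a leaked table does not yield working links, and the
    link carries neither the username nor a password."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    store[digest] = {"username": username, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    return token

def reset_link(token: str) -> str:
    # Hypothetical URL: the only secret in the mail is the token itself.
    return "https://example.invalid/reset?token=" + token

def consume_reset_token(store: dict, token: str, now: float):
    """Return the account the token belongs to, or None when it is unknown, expired
    or already used. Marking it used before returning makes a replayed link fail."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    rec = store.get(digest)
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    rec["used"] = True
    return rec["username"]

def notification(token: str, help_desk_url: str) -> str:
    """Plain-text body of the reset mail: no username, no temporary password,
    expiry stated, and a help-desk link for anyone who did not ask for a reset."""
    return (
        "A password reset was requested for your account.\n"
        f"Use this link within {TOKEN_TTL_SECONDS // 60} minutes; it works once: {reset_link(token)}\n"
        f"If you did not request this, contact the help desk immediately: {help_desk_url}\n"
    )
```
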

Be careful which page users land on after clicking the reset link, and make sure that page reveals no user or account information. For instance, avoid redirecting to a portfolio account login or an administrator login page, since that tells a potential attacker the user’s account level, privileges or portfolio.

Finally, use the password reset page as an opportunity to educate your customers and employees. This helps employees become more security conscious. Inform them of the importance of using strong, hard-to-guess passwords and of what they stand to lose if their account is breached.

The new approach which reduces IT friction to zero

The high price of the help desk service

Processing password requests manually is, as you may know, a very time-consuming and expensive approach. This is why many companies budget roughly $50 per password reset ticket.

Too much, you may think? Think again: at least two parties are involved in a single ticket, the help desk employee as well as the requester.

An example:

A well-known North American bank with more than 65,000 employees has 15,000 password-related tickets every single month. Multiply this by the rate of $50 per ticket and you end up with $750,000 per month.

We have created a calculator so you can work out how high your password-related expenses are.

The solution: Empower the user directly

Hypergate Authenticator makes sure the process is seamless and easy. This tool removes IT and the help desk completely from the password request process through an automated, more secure approach.

The frustrating delays and all other vulnerabilities associated with the manual procedure are eliminated with Hypergate.

If there is an issue with a user’s password, he or she can reset and change it directly on their device, without contacting IT staff for help (self-service password reset, SSPR). There is no need to use a computer either. With Hypergate Authenticator, your employees can complete the password change in less than a minute.

How does Hypergate deliver this?

Hypergate turns your mobile device into a fully-fledged Kerberos client that uses the same infrastructure as a computer. This gives your company more flexibility in designing a modern workplace without having to change existing backends and infrastructure elements.

Reduce IT cost

Remember the North American bank? Hypergate Authenticator costs a fraction of their password-related IT costs and works on all the major EMMs such as MobileIron, SOTI, VMware and so on. Check the supported EMM list.

More than you expect

If you think offering on-device resets together with seamless Single Sign-On is a tall order, think again. Hypergate provides SSO on both platforms (Android Enterprise and iOS) as well as user-friendly password reset functionality, all in a single solution.

Single Sign-On?

For the less tech-savvy people, Single Sign-On could be simplified in the following way:
An enterprise tends to have multiple services which it uses internally for everyday and business-critical processes. As companies are conscious of the valuable data they store in these services, each of them tends to have its own login preventing simple access.

Hence, instead of having a separate login for every single service, Single Sign-On lets your users seamlessly log in to multiple services.

How Can I Try This Myself?

Simply request a 30-day free trial or ask for a mobility reseller to help you.
