How are ‘self-service’ password reset programmes reducing the enterprise password reset burden?
Passwords can be very irritating. They get forgotten, & on their own they are easily compromised. They should be a historic curiosity, but they are very much still with us. The question is how to reduce the reset burden & eliminate the ‘excessive’ help-desk requests that go with it.
It almost goes without saying that help-desk calls to reset passwords take up a lot of valuable staff time. Forrester Research reports that each reset costs around £50 (US$70), & Gartner observes that 20% to 50% of all help-desk calls are for password resets.
Phishers – they just Gonna Phish
Automating the password reset process can be useful, but businesses must make sure that extra security risks are not accidentally introduced in the process. Here is an example. Password reset links are often sent out by email. If an attacker has already gained access to that mailbox, say through a phishing attack, then the attacker can request & complete the reset themselves, turning a compromised mailbox into access to the firm’s infrastructure.
When it comes to phishing, the fake password reset email is one of the oldest scams & still by far the most popular. Many of these attacks use an ‘expired password’ pretext.
The ruse harvests identifying information & account access by tempting users into entering their details on a webpage that collects them. Criminals circulate a malicious link or attachment, obtain login credentials & account information straight from the user, & use them to get at the data.
If an organisation has no way to verify, via a second factor of authentication, who actually requested a password reset, then this type of attack is unfortunately likely to succeed.
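The following is an added example, not code from the original article or from any vendor named in it. It shows a reset flow in which the emailed link is necessary but not sufficient: the token is random, stored only as a hash, bound to the account, time-limited & single-use, & completing the reset also requires a TOTP code (RFC 6238) from an enrolled authenticator. A phisher who controls the mailbox gets the token but not the second factor. The user name, passwords, the fixed clock & the authenticator secret (the RFC 6238 test key) are constructed for the demonstration; password storage is kept as plain text only for brevity.

```python
# Added example: second-factor-gated self-service reset (not the article's code).
# User names, passwords, the clock and the TOTP secret below are constructed.
import hashlib
import hmac
import secrets
import struct
import time

TOKEN_TTL = 15 * 60  # seconds an emailed reset link stays valid


def totp(secret: bytes, now: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code an authenticator app displays."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class ResetService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}    # username -> {"password": ..., "totp_secret": ...}
        self.pending = {}  # username -> {"token_hash": ..., "expires": ...}

    def enrol(self, username: str, password: str, totp_secret: bytes) -> None:
        # A real directory would store a password hash; plain text is for the demo only.
        self.users[username] = {"password": password, "totp_secret": totp_secret}

    def request_reset(self, username: str) -> str:
        """Returns the token that would be emailed; only its hash is kept server-side."""
        token = secrets.token_urlsafe(32)
        self.pending[username] = {
            "token_hash": hashlib.sha256(token.encode()).hexdigest(),
            "expires": self.clock() + TOKEN_TTL,
        }
        return token

    def complete_reset(self, username: str, token: str, code: str, new_password: str) -> bool:
        pend = self.pending.get(username)
        user = self.users.get(username)
        if pend is None or user is None:
            return False
        if self.clock() > pend["expires"]:
            self.pending.pop(username)  # stale link: discard it
            return False
        # A mailbox-only attacker passes this check; it proves possession of the email.
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(pend["token_hash"], presented):
            return False
        # Second factor: accept the current 30 s window and one either side for clock skew.
        now = int(self.clock())
        if not any(hmac.compare_digest(code, totp(user["totp_secret"], now + d))
                   for d in (-30, 0, 30)):
            return False
        self.pending.pop(username)  # single use: the same link cannot be replayed
        user["password"] = new_password
        return True


def demo() -> dict:
    clock = [1_700_000_000]                       # constructed, controllable clock
    svc = ResetService(clock=lambda: clock[0])
    secret = b"12345678901234567890"              # RFC 6238 test key, constructed enrolment
    svc.enrol("jsmith", "Winter2023!", secret)

    token = svc.request_reset("jsmith")           # this is what lands in the mailbox
    # The phisher holds the mailbox (so the token) but not the authenticator.
    phisher = svc.complete_reset("jsmith", token, "000000", "Pwned123!")
    # The real user types the code their authenticator shows right now.
    legit = svc.complete_reset("jsmith", token, totp(secret, clock[0]), "Spring2024!")
    replay = svc.complete_reset("jsmith", token, totp(secret, clock[0]), "Again123!")

    token2 = svc.request_reset("jsmith")
    clock[0] += TOKEN_TTL + 1                     # link left unused for too long
    expired = svc.complete_reset("jsmith", token2, totp(secret, clock[0]), "Late123!")
    return {"phisher_blocked": not phisher, "user_reset": legit,
            "replay_blocked": not replay, "expired_blocked": not expired,
            "password": svc.users["jsmith"]["password"]}


if __name__ == "__main__":
    print(demo())
```

The point of hashing the token before storing it is that a database read (or a log line that captures the stored value) does not hand an attacker a usable link; the point of the TOTP step is that knowing who owns the mailbox is not the same as knowing who is asking for the reset.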
Locally cached passwords
When it comes to password resets, organisations also have to examine how locally cached credentials are handled. This matters in order to ensure a remote user can continue to access the infrastructure properly & securely.
When a user signs into a domain-joined PC in the office, a cached copy of their credential (a salted, iterated hash of the password, not the password itself) is stored locally on that system. This allows the PC to verify the user if a domain controller cannot be reached for authentication.
The problem for remote users arises when their organisation enforces password expiration & the user fails to update their password before it expires. The cached credential will usually still let them unlock the laptop, but domain services reject the expired password, & because a change has to be made against a domain controller the user cannot change it themselves. So an expensive call to the help-desk is needed to change the password.
Microsoft unfortunately does not offer a built-in way to update locally cached credentials when working remotely without a connection to Active Directory. A way around it is to use a technique that lets users securely reset, change or unlock their accounts from anywhere, & on any device.
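The following is an added example, not code from the original article or from Microsoft. It shows how the cached domain credential on a Windows machine is derived & why it goes stale: Windows keeps a DCC2 (“MS Cache v2”) verifier, computed as PBKDF2-HMAC-SHA1 over MD4(NT hash || lowercase user name), salted with the lowercase user name, 10240 iterations, 16 bytes. MD4 is implemented inline because hashlib builds without the OpenSSL legacy provider do not provide it. The user name & passwords are constructed, & an in-memory dict stands in for the registry cache; the DC-backed logon is modelled by a function rather than a real domain controller.

```python
# Added example: why a laptop's cached domain credential goes stale (not the article's code).
# The account, passwords and the dict standing in for HKLM\SECURITY\Cache are constructed.
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, needed for the NT hash (pure Python, unoptimised)."""
    def rotl(x, n):
        x &= 0xFFFFFFFF
        return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):  # round 1
            a, b, c, d = d, rotl(a + f(b, c, d) + X[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl(a + g(b, c, d) + X[k] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rotl(a + h(b, c, d) + X[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        A, B, C, D = ((A + a) & 0xFFFFFFFF, (B + b) & 0xFFFFFFFF,
                      (C + c) & 0xFFFFFFFF, (D + d) & 0xFFFFFFFF)
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def dcc2(username: str, password: str, iterations: int = 10240) -> bytes:
    """Domain Cached Credential v2 verifier: what Windows stores instead of the password."""
    salt = username.lower().encode("utf-16-le")
    dcc1 = md4(nt_hash(password) + salt)
    return hashlib.pbkdf2_hmac("sha1", dcc1, salt, iterations, dklen=16)


def offline_logon(cache: dict, username: str, password: str) -> bool:
    """No DC reachable: only the stored verifier is consulted; expiry is not checked."""
    stored = cache.get(username.lower())
    return stored is not None and hmac.compare_digest(stored, dcc2(username, password))


def online_logon(cache: dict, username: str, password: str, dc_password: str) -> bool:
    """DC reachable: the DC decides, and a successful logon rewrites the cached verifier."""
    ok = hmac.compare_digest(nt_hash(password), nt_hash(dc_password))
    if ok:
        cache[username.lower()] = dcc2(username, password)
    return ok


def demo() -> dict:
    user = "jsmith"                               # constructed account
    cache = {user: dcc2(user, "Winter2023!")}     # written at the last in-office logon
    # While the laptop is off the corporate network the password expires and the
    # help-desk sets "Spring2024!" on the DC; the laptop's cache knows nothing about it.
    old_still_unlocks = offline_logon(cache, user, "Winter2023!")
    new_rejected_offline = not offline_logon(cache, user, "Spring2024!")
    # Only a DC-backed logon (back in the office or over VPN) refreshes the cache.
    refreshed = online_logon(cache, user, "Spring2024!", dc_password="Spring2024!")
    new_accepted_after_refresh = offline_logon(cache, user, "Spring2024!")
    return {"old_password_still_unlocks_laptop": old_still_unlocks,
            "new_password_rejected_offline": new_rejected_offline,
            "cache_refreshed_by_dc_logon": refreshed,
            "new_password_accepted_after_refresh": new_accepted_after_refresh}


if __name__ == "__main__":
    print(demo())
```

Two practical consequences follow. First, a user whose password was reset by the help-desk while remote will find the new password rejected at the lock screen until the machine has authenticated to a domain controller once, which is why “reset it for me” calls from remote staff often turn into a second call. Second, the number of accounts a machine caches is governed by the “Interactive logon: Number of previous logons to cache” policy (default 10), so every one of those verifiers is an offline-crackable artefact on a stolen laptop, which is the reason the format is salted & iterated at all.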
Automated password resets
The solution to these problems is to let users change or reset passwords without going through the help-desk, using MFA to verify the request.
Specops offers a self-service password reset that is available 24/7 & accessible regardless of device & location. Specops uReset offers easy on-boarding or pre-enrolment options to ensure users adopt the solution.
Administrators can pre-enrol users with the identity providers using details that already exist in Active Directory. Taking this job away from users decreases friction & increases the probability that they will use the solution instead of calling the help-desk.
Vital password security
Multi-factor authentication should be regarded as a necessary security requirement for anything that today requires a password, not as an added extra.
Password security is vital. A secure password strategy needs to be combined with a self-service password reset service for the enterprise. This lets end users reset or unlock their own accounts, offloading the task from busy IT staff.
More information on decreasing the password reset burden: https://specopssoft.com/product/specops-password-reset