Ask the average helpdesk technician what they do all day, and they will probably answer by saying that they reset passwords. Sure, helpdesk technicians do plenty of other things too, but in many organizations, a disproportionate number of helpdesk calls are tied to password resets.
On the surface, having a helpdesk technician reset a user's password probably doesn't seem like a big deal. After all, the technician simply opens Active Directory Users and Computers, right-clicks on the user account, and chooses the Reset Password command from the shortcut menu. Resetting a password in this way is an easy process. Organizations can even opt to use an alternative tool such as Windows Admin Center or PowerShell (Set-ADAccountPassword with the -Reset switch) if they prefer.
One thing that most people probably don't stop and think about, however, is that even though the mechanics of the reset are simple, the process as a whole is a major security risk. The hard part is not performing the reset; it is deciding who is entitled to request it.
Security and the service desk
The first step in the password reset process involves a user picking up the phone and calling the helpdesk to request a password reset. The problem with this is that the helpdesk technician who answers the phone has no way of knowing whether or not the caller is truly who they claim to be. Whoever passes that check gets control of the account, so the check is the entire security boundary.
Positively establishing a caller's identity was less of an issue when virtually all users worked in the corporate office, because a call from an internal extension could sometimes be used as a weak validation tool. Caller ID does not rule out one user impersonating another, but it at least forces the impersonator to place the call from the victim's desk.
Today of course, things are far different than they once were. As the pandemic drags on, many workers continue to work from home. Even when the day arrives when people can safely go back to the office, a significant percentage of employees will probably continue to work remotely.
Unfortunately, caller ID is not an effective tool for validating a remote user's identity. When a remote user contacts the organization's helpdesk, they are calling from an outside line. It is incredibly easy for an external caller to spoof caller ID information. Telemarketers and telephone scammers use this technique all the time. Fraudsters will often, for example, alter their caller ID information to make it appear as though they belong to a government agency or a major corporation. Simply put, caller ID cannot be trusted for calls originating outside of the organization.
So, if caller ID information is not trustworthy, organizations must consider how best to validate a user's identity when they call the helpdesk to request a password reset.
One especially common validation technique involves asking the user a security question. The technician might for instance ask the caller what their pet's name is, or what city they were born in. Unfortunately, this method also poses a security risk.
The most obvious risk posed by security questions is that the Internet makes it relatively easy to gather personal information about someone. An attacker might make a few calls to an organization's helpdesk just for the purpose of discovering what types of security questions they ask. Once the attacker knows the questions that are most likely to be asked, they can use search engines and social media to research a particular user's answers to those questions.
The other big problem with using security questions is that the answer is a static, reusable secret, and the helpdesk technician learns it. Once disclosed, it is no stronger than a password that has been read out over the phone, and the same answers are typically reused as recovery questions on the user's personal accounts. An unscrupulous technician could then use this information for illicit purposes.
This brings up an important point. There is nothing stopping an unethical helpdesk technician from performing an unrequested password reset. In native Active Directory, the Reset Password right (usually delegated on an OU) is exercised with no link to any verified request; the only trace is Security event ID 4724 ("An attempt was made to reset an account's password"), and only if account-management auditing is enabled. The technician may realize that a particular user is going to be on vacation for a week, and then reset the user's password so that they or someone else can access the account during the employee's absence.
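The unrequested-reset scenario above is detectable after the fact if the reset events are reconciled against the service desk queue. The following is an added example, not code from the original article or from Specops: it takes Security event 4724 records (reduced to the SubjectUserName, TargetUserName and Status fields, as constructed sample data rather than real log output), a constructed ticket list and a constructed leave calendar, and flags every successful reset that has no matching password-reset ticket shortly beforehand, or that targets a user who is on leave. The technician and user names, the time window and the ticket format are assumptions for the example.

```python
"""Flag Active Directory password resets that no helpdesk ticket accounts for.

Windows logs Security event ID 4724 when one account resets another
account's password: SubjectUserName is the technician, TargetUserName is
the account whose password was reset, Status 0x0 means it succeeded.
All records below are constructed sample data for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ResetEvent:
    time: datetime
    subject: str   # technician who performed the reset (SubjectUserName)
    target: str    # account whose password was reset (TargetUserName)
    status: str    # "0x0" on success, an NTSTATUS code otherwise


# Constructed sample of 4724 events, reduced to the fields the check needs.
EVENTS = [
    ResetEvent(datetime(2021, 3, 8, 9, 14), "hd.jsmith", "bwilson", "0x0"),
    ResetEvent(datetime(2021, 3, 8, 11, 2), "hd.jsmith", "klee", "0x0"),
    ResetEvent(datetime(2021, 3, 8, 18, 40), "hd.rpatel", "mgarcia", "0x0"),
    ResetEvent(datetime(2021, 3, 9, 8, 5), "hd.rpatel", "klee", "0xC0000022"),
]

# Constructed service desk tickets: (opened, requester, ticket type).
TICKETS = [
    (datetime(2021, 3, 8, 9, 5), "bwilson", "password reset"),
    (datetime(2021, 3, 8, 10, 50), "klee", "password reset"),
    (datetime(2021, 3, 7, 16, 0), "mgarcia", "printer"),
]

# Constructed leave calendar: (user, first day, last day).
ON_LEAVE = [("mgarcia", datetime(2021, 3, 8), datetime(2021, 3, 12))]


def ticket_covers(event, tickets, window=timedelta(minutes=30)):
    """True if the target opened a password-reset ticket within `window` before the reset."""
    for opened, requester, kind in tickets:
        if requester != event.target or kind != "password reset":
            continue
        if timedelta(0) <= event.time - opened <= window:
            return True
    return False


def on_leave(user, at, calendar):
    """True if `user` is on leave at time `at` according to the calendar."""
    return any(u == user and start <= at <= end for u, start, end in calendar)


def unrequested_resets(events, tickets, calendar):
    """Return (technician, target, time, reasons) for each suspicious successful reset."""
    findings = []
    for ev in events:
        if ev.status != "0x0":
            continue   # failed attempt: no access was granted, handle separately if desired
        reasons = []
        if not ticket_covers(ev, tickets):
            reasons.append("no matching reset ticket")
        if on_leave(ev.target, ev.time, calendar):
            reasons.append("target on leave")
        if reasons:
            findings.append((ev.subject, ev.target, ev.time, reasons))
    return findings


if __name__ == "__main__":
    for tech, user, when, why in unrequested_resets(EVENTS, TICKETS, ON_LEAVE):
        print(f"{when:%Y-%m-%d %H:%M} {tech} reset {user}: {', '.join(why)}")
```

Run against the sample data, the two daytime resets are covered by tickets opened minutes earlier, the failed attempt is skipped, and the evening reset of the user on leave is reported with both reasons. In production the events would come from Get-WinEvent or a SIEM, and the ticket window and leave source would be whatever the service desk actually records; the reconciliation logic is the same.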
Best practices for service desk password reset
Needless to say, there are some major challenges associated with the password reset process. The best way to overcome these challenges is to adopt a third-party password solution that can securely verify a user's identity prior to performing a password reset. There are several ways in which Specops Software can do this. One example involves sending a one-time code to a user's mobile device. Additionally, the Specops solution prevents helpdesk technicians from arbitrarily resetting passwords: a technician cannot reset a password until the user has validated their identity, so an unauthorized reset through the tool is not possible. Note that a gate of this kind only holds if technicians no longer retain the native Reset Password right in Active Directory; otherwise Active Directory Users and Computers or PowerShell remains a bypass.
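The control just described, a one-time code the user must confirm before the technician's reset is allowed, is shown below as an added illustration. This is example code written for this article, not Specops' implementation: the SMS transport is a stub that records what would be sent, the clock is injectable so expiry can be exercised, the code lifetime, attempt limit and names are assumptions, and the final step returns a record where a real system would call the directory.

```python
"""Gate a helpdesk password reset on a one-time code the user proves possession of.

Example code, not a vendor implementation. The user receives a six-digit
code (here via a stub transport); the technician's reset is refused until
that user has confirmed the code, and each code is single-use, expires,
and tolerates only a few wrong guesses.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

CODE_TTL = timedelta(minutes=5)   # assumed lifetime of a code and of a confirmation
MAX_ATTEMPTS = 3                  # assumed guess budget per issued code


class ResetGate:
    def __init__(self, send_sms, now=datetime.utcnow):
        self._send = send_sms          # callable(phone, message); stubbed in this example
        self._now = now                # injectable clock so expiry is testable
        self._pending = {}             # user -> (code digest, expires, attempts left)
        self._verified = {}            # user -> deadline by which the reset must happen

    def start(self, user, phone):
        """Issue a fresh code to the user's registered phone number."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded to six digits
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[user] = (digest, self._now() + CODE_TTL, MAX_ATTEMPTS)
        self._send(phone, f"Your password reset code is {code}")

    def confirm(self, user, code):
        """Called with the code the user reads back; True only on a live, correct code."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires, attempts = entry
        if self._now() > expires or attempts <= 0:
            self._pending.pop(user, None)          # expired or guessed out: discard it
            return False
        ok = hmac.compare_digest(hashlib.sha256(code.encode()).digest(), digest)
        if ok:
            self._pending.pop(user, None)          # single use
            self._verified[user] = self._now() + CODE_TTL
        else:
            self._pending[user] = (digest, expires, attempts - 1)
        return ok

    def reset_password(self, technician, user, new_password):
        """The technician's action; refused unless the user has just confirmed a code."""
        deadline = self._verified.pop(user, None)  # consume the confirmation
        if deadline is None or self._now() > deadline:
            raise PermissionError(f"{technician}: {user} has not verified via one-time code")
        # A real implementation would perform the directory reset here.
        return {"user": user, "by": technician, "at": self._now()}
```

Hashing a six-digit code only keeps it out of casual memory or log exposure; the attempt counter is the actual defence against guessing, since the code space is tiny. The confirmation is consumed by the reset, so one verified call authorizes exactly one reset, and the technician never sees the code or the answer to any question.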
Learn more about how Specops can increase password reset security.