Passwords can be a pain: they get forgotten, and on their own they can easily be hacked. They should be a thing of the past, but they're not, so how do we reduce the burden now and eliminate the excessive IT helpdesk requests this issue generates?
Calls to helpdesks to reset passwords eat up valuable support staff time. According to Forrester Research, each reset costs £50 (US$ 70), while Gartner says that 20 percent to 50 percent of all help desk calls are for password resets.
Phishers gonna phish
Automating the password reset process can help, but enterprises must make sure that, in automating, extra security threats aren’t introduced. For example, password resets are often sent out via email. If a hacker has gained access to that mailbox through a phishing attack, the hacker can complete the reset themselves and gain access to the enterprise’s infrastructure.
When it comes to phishing, the password reset email is one of the oldest scams in the book and by far the most popular one carried out by scammers. Many such attacks use the "expired password" trick: a ploy to harvest identifying information and account access by enticing users into entering their details on a webpage built to collect them. Cybercriminals circulate a malicious link or attachment to obtain login credentials and account details straight from the user, and then use them to gain access to data.
If your organisation doesn’t have a means to verify who has requested a password reset via a second factor of authentication, then this sort of attack is likely to be very successful for the hacker.
Hosting old passwords
When it comes to password resets, organisations have to contemplate how the locally cached credentials are treated. This is important to ensure a remote user can continue to access infrastructure securely.
When a user signs into a domain-joined PC while in the office, a cached copy of their password hash is stored locally on that system. This enables the computer to verify the user if a domain controller cannot be reached for authentication.
The problem for remote users comes when their organisation enforces password expiration and the user fails to update their password before it expires. The user then loses access to services and cannot change their password by themselves, which results in a costly call to the helpdesk.
Microsoft does not offer a way to update locally cached credentials when working remotely without a connection to Active Directory. One way around this is to deploy a solution that enables users to securely reset, change or unlock their accounts from anywhere, on any device.
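As an added illustration of the expiry problem above (this script is not from the article or from Specops), the following PowerShell lists Active Directory accounts whose password expires within the next few days, so remote staff can be reminded before their cached credential stops working, and reads the local CachedLogonsCount setting that controls how many domain logons a PC will cache. It assumes the ActiveDirectory RSAT module is installed and the caller can read user objects.

```powershell
# Added example: audit users approaching password expiry (requires RSAT ActiveDirectory module).
Import-Module ActiveDirectory

function Get-ExpiringPasswordUsers {
    param([int]$WithinDays = 7)
    $now   = Get-Date
    $limit = $now.AddDays($WithinDays)

    # Only enabled accounts whose passwords actually expire.
    Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
               -Properties msDS-UserPasswordExpiryTimeComputed, mail |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # 0 or Int64.MaxValue means "no computed expiry"; FromFileTime would throw on MaxValue.
        if ($null -eq $raw -or $raw -eq 0 -or $raw -eq [Int64]::MaxValue) { return }
        $expires = [datetime]::FromFileTime($raw)
        if ($expires -ge $now -and $expires -le $limit) {
            [pscustomobject]@{
                User      = $_.SamAccountName
                Mail      = $_.mail
                ExpiresOn = $expires
                DaysLeft  = [math]::Ceiling(($expires - $now).TotalDays)
            }
        }
    } | Sort-Object ExpiresOn
}

# How many domain logons this machine caches for use when no domain controller is reachable.
function Get-CachedLogonsCount {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    [int](Get-ItemProperty -Path $key -Name CachedLogonsCount).CachedLogonsCount
}

Get-ExpiringPasswordUsers -WithinDays 7 | Format-Table -AutoSize
"CachedLogonsCount on this PC: $(Get-CachedLogonsCount)"
```

The expiry list is the input for a reminder email or helpdesk ticket; the script does not change any passwords.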
Benefits of automated password resets with the security of 2FA
The solution to these problems can be to allow your users to change or reset passwords without going through the helpdesk, using automated MFA approaches.
Specops offers enterprises a self-service password reset that is available 24/7 and accessible regardless of device and location. Specops uReset features easy on-boarding and pre-enrolment options to ensure users adopt the solution.
Administrators can pre-enrol users with the identity providers using details that already exist in Active Directory. Removing this step for users decreases friction and increases the probability that they will use the solution instead of calling the helpdesk.
Vital security for passwords
Multi-factor authentication should be regarded as a necessary security requirement for anything that today requires a password, not as an added extra.
Password security is vital. A secure password strategy needs to be combined with a self-service password reset service for the enterprise. This enables end users to reset or unlock their own accounts, offloading this task from overstretched IT staff.
Please visit: https://specopssoft.com/product/specops-password-reset for more information about decreasing the password reset problem.