Creating a password-reset program with corporate text messaging

Learn how to use corporate text messaging as the cornerstone of an enterprise password-reset program in this expert response from Randall Gamby.

Randall Gamby, HP

Our enterprise wants to create a more secure password-reset system. I know that some enterprises are able to send password reminders via SMS. Is there a way to set this up at my enterprise without buying a new product?

If you have an email system, then you can create a password-reset program by sending a message to any SMS device,...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

assuming the users have registered their telephone numbers and the carriers they use. The issue is: How do you determine that a user's password is about to expire in order to send a reminder?

Assuming this expiration information can be captured, simply create a plain-text email containing fewer than 160 total characters in your email client, and address it to the cellular number at the carrier's email domain. The major US cellular carriers use the following format with a limit of 160 characters in the subject and message body (total): 10_digit_number@cell.carrier_domain.com.

Here are some examples of widely used wireless carrier text message email addresses:

Carrier	Send Email to phonenumber@....
Alltel	@message.alltel.com
Cingular/AT&T	@txt.att.net
Nextel	@messaging.nextel.com
Sprint	@messaging.sprintpcs.com
SunCom	@tms.suncom.com
T-Mobile	@tmomail.net
VoiceStream	@voicestream.net
Verizon	@vtext.com

Remember: The signature block in the message counts toward the 160 characters.

Also, it's important to note that it's not a good idea to set up a system where a password reminder is sent as an SMS message after a series of failed login attempts, since you can't guarantee the user's system and phone are always separated. If the user loses his or her laptop bag along with the laptop, the person who finds it may be attempting to log in to the user's account. After three failed attempts, if the bag starts to ring when the user's mobile phone receives a message with a new password reset, the attacker will have no problem logging into the machine.

As a final note, SMS password reset systems provide an out-of-band communications method to contact the end user. This method is more secure than the typical in-band methods being used by most organizations; like asking a series of security questions, the answers to which may be easily found by looking on a user's Facebook or LinkedIn profile. But SMS password resets are also dependent on the user's phone being able to accept SMS messages, that the user has a good carrier signal, that the user's phone is charged and operational and that the phone is in the hands of the user and not lost along with his or her workstation. Any of these issues could derail an effective reset process.

For more information:

Learn more about the pros and cons of using SMS for two-factor authentication in your enterprise.
Read best practices for risk-based multifactor authenticaiton.

This was last published in January 2010

Smishing targets mobile users and IT must prepare to fight it

Why are fewer companies using SMS 2FA for authentication?

What are the best ways to prevent a SIM swapping attack?

How were attackers able to bypass 2FA in a Reddit breach?

Please create a username to comment.

Privacy-preserving machine learning assuages infosec fears

How Azure, AWS, Google handle data destruction in the cloud

Multi-cloud security strategies rely on visibility, uniformity

Tech pros focus on application delivery during pandemic

How the cloud fractures application delivery infrastructure ops

Why network configuration templates are useful in automation

Post COVID-19 strategies for CIOs on leading through crisis

Workplace of the future undergoes last-minute alterations

Return-to-office plans stress safety, security, collaboration

Citrix microapps look to ease office reopening

VMware Workspace One unifies reshaped digital workforces

Macs to run on Apple silicon, leaving Intel behind

Review the top sessions from recent cloud conferences

Test your cloud knowledge: VMs vs. containers vs. serverless

Cloud lock-in fears aren't as prevalent as you might think

Royal Holloway: An enhanced approach for USB security management

Green tech needed for post-Covid economic recovery

Three counts on Amdocs to support enterprise business expansion

Dig Deeper on Password management and policy

Smishing targets mobile users and IT must prepare to fight it

Why are fewer companies using SMS 2FA for authentication?

What are the best ways to prevent a SIM swapping attack?

How were attackers able to bypass 2FA in a Reddit breach?

Related Q&A from Randall Gamby

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.