Creating a password-reset program with corporate text messaging

Learn how to use corporate text messaging as the cornerstone of an enterprise password-reset program in this expert response from Randall Gamby.

Randall Gamby, HP

Our enterprise wants to create a more secure password-reset system. I know that some enterprises are able to send password reminders via SMS. Is there a way to set this up at my enterprise without buying a new product?

If you have an email system, then you can create a password-reset program by sending a message to any SMS device,...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

assuming the users have registered their telephone numbers and the carriers they use. The issue is: How do you determine that a user's password is about to expire in order to send a reminder?

Assuming this expiration information can be captured, simply create a plain-text email containing fewer than 160 total characters in your email client, and address it to the cellular number at the carrier's email domain. The major US cellular carriers use the following format with a limit of 160 characters in the subject and message body (total): 10_digit_number@cell.carrier_domain.com.

Here are some examples of widely used wireless carrier text message email addresses:

Carrier	Send Email to phonenumber@....
Alltel	@message.alltel.com
Cingular/AT&T	@txt.att.net
Nextel	@messaging.nextel.com
Sprint	@messaging.sprintpcs.com
SunCom	@tms.suncom.com
T-Mobile	@tmomail.net
VoiceStream	@voicestream.net
Verizon	@vtext.com

Remember: The signature block in the message counts toward the 160 characters.

Also, it's important to note that it's not a good idea to set up a system where a password reminder is sent as an SMS message after a series of failed login attempts, since you can't guarantee the user's system and phone are always separated. If the user loses his or her laptop bag along with the laptop, the person who finds it may be attempting to log in to the user's account. After three failed attempts, if the bag starts to ring when the user's mobile phone receives a message with a new password reset, the attacker will have no problem logging into the machine.

As a final note, SMS password reset systems provide an out-of-band communications method to contact the end user. This method is more secure than the typical in-band methods being used by most organizations; like asking a series of security questions, the answers to which may be easily found by looking on a user's Facebook or LinkedIn profile. But SMS password resets are also dependent on the user's phone being able to accept SMS messages, that the user has a good carrier signal, that the user's phone is charged and operational and that the phone is in the hands of the user and not lost along with his or her workstation. Any of these issues could derail an effective reset process.

For more information:

Learn more about the pros and cons of using SMS for two-factor authentication in your enterprise.
Read best practices for risk-based multifactor authenticaiton.

This was last published in January 2010

SIM card

Smishing targets mobile users and IT must prepare to fight it

Why are fewer companies using SMS 2FA for authentication?

What are the best ways to prevent a SIM swapping attack?

Please create a username to comment.

Comparing SASE vs. traditional network security architectures

Defining and evaluating SOC as a service

Get to know the elements of Secure Access Service Edge

Tech users weigh in on upcoming approval of more Wi-Fi 6 spectrum

CloudGenix-Palo Alto buy combines SD-WAN with cloud security

A deep dive into the differences between 5G and Wi-Fi 6

C-suite executives offer advice on working remotely during pandemic

How IT can build an agile business partnership

Former Cisco CEO offers C-suite leadership tips in time of crisis

Compare UEM capabilities of Citrix Workspace vs. VMware Workspace One

VMware Workspace One feature speeds remote onboarding

Discover how Catchpoint helps end-user experience monitoring

5 tips that can lead to Azure cloud management success

AWS security options grow with Amazon Detective

Explore the pros and cons of cloud computing

Coronavirus: Video calling, collaboration applications usage rise steeply in UK homes

Covid-19 apps pose threat to digital privacy on a global scale

Business data science teams need to be multi-disciplined, says Trainline

Dig Deeper on Password management and policy

SIM card

Smishing targets mobile users and IT must prepare to fight it

Why are fewer companies using SMS 2FA for authentication?

What are the best ways to prevent a SIM swapping attack?

Related Q&A from Randall Gamby

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.