Problem solve

Verifying passwords from the Help Desk

How can you verify password changes from the Help Desk if you physically cannot see the person or validate their identity?

Good question! It is rather easy for someone to use what is known as social engineering to call the help desk and have someone's password reset. Then they have a way to login and at the same time deny the legitimate user access.

This has been "solved" in several ways in the corporate environment. Some of the solutions are better than others. One way is to ask the person to provide some "secret" information to authenticate who they are. Many places use Mother's Maiden Name (MMN) for this secret. Others use the last four digits of the user's Social Security Number (SSN). Both of these may be sufficient if the information to be gained is of marginal value, such as retrieving the password for access to a Web site. However, for access to a corporate network, this probably is not of much value, as MMN and SSN are not all that hard to obtain.

One method that has proven successful is to have the help desk look up the phone number for the user in the company database. They then instruct the user not to answer the next phone call, but let it go to voice mail. Then, the help desk calls the person at their phone number of record and leaves the new password in their voicemail. This way the user must authenticate to the voicemail system in order to get the password.

Is this method perfect? By no means is it perfect. However, it does have the advantage of using another "secure" (as secure as your voicemail system might be) system to do the authentication that cannot be accomplished by face-to-face meeting.

For more information on this topic, visit these other searchSecurity resources:
Featured Topic: Passwords
Best Web Links: Passwords/Authentication

This was last published in February 2002

Dig Deeper on Password management and policy

SearchCloudSecurity

Verifying passwords from the Help Desk

Dig Deeper on Password management and policy

Las Vegas shores up SecOps with multi-factor authentication

RSA teams up with Yubico for passwordless authentication

Cloud Skype phones require firmware update by July 1

Essential desktop troubleshooting tools for every IT pro

SearchCloudSecurity

6 SaaS security best practices to protect applications

Review these 7 CASB vendors to best secure cloud access

CASB explained: Know its use cases before you buy

SearchNetworking

Considerations for SASE management and troubleshooting

Cisco sweetens Acacia deal by $2 billion

SASE challenges include network security roles, product choice

SearchCIO

Parler sues AWS, seeks restraining order

Digital healthcare top priority for CIOs in 2021

C-suite execs give future technology predictions for the decade

SearchEnterpriseDesktop

Will Windows 10 be the last Windows OS?

CES: Laptops sport designs friendly for remote workers

Evaluate if Windows 10 needs third-party antivirus

SearchCloudComputing

COVID-19 and remote work shift cloud predictions for 2021

Cloud providers jockey for 2021 market share

How to build a cloud center of excellence

ComputerWeekly.com

Top IT predictions in APAC: 2021

2021 IT Priorities: APAC Key Technology Areas Infographic

MoD reports 18% rise in data loss incidents