Problem solve

Verifying passwords from the Help Desk

How can you verify password changes from the Help Desk if you physically cannot see the person or validate their identity?

Good question! It is rather easy for someone to use what is known as social engineering to call the help desk and have someone's password reset. Then they have a way to login and at the same time deny the legitimate user access.

This has been "solved" in several ways in the corporate environment. Some of the solutions are better than others. One way is to ask the person to provide some "secret" information to authenticate who they are. Many places use Mother's Maiden Name (MMN) for this secret. Others use the last four digits of the user's Social Security Number (SSN). Both of these may be sufficient if the information to be gained is of marginal value, such as retrieving the password for access to a Web site. However, for access to a corporate network, this probably is not of much value, as MMN and SSN are not all that hard to obtain.

One method that has proven successful is to have the help desk look up the phone number for the user in the company database. They then instruct the user not to answer the next phone call, but let it go to voice mail. Then, the help desk calls the person at their phone number of record and leaves the new password in their voicemail. This way the user must authenticate to the voicemail system in order to get the password.

Is this method perfect? By no means is it perfect. However, it does have the advantage of using another "secure" (as secure as your voicemail system might be) system to do the authentication that cannot be accomplished by face-to-face meeting.

For more information on this topic, visit these other searchSecurity resources:
Featured Topic: Passwords
Best Web Links: Passwords/Authentication

This was last published in February 2002

Dig Deeper on Password management and policy

SearchCloudSecurity

Verifying passwords from the Help Desk

Dig Deeper on Password management and policy

Las Vegas shores up SecOps with multi-factor authentication

RSA teams up with Yubico for passwordless authentication

Cloud Skype phones require firmware update by July 1

Essential desktop troubleshooting tools for every IT pro

SearchCloudSecurity

6 AIOps security use cases to safeguard the cloud

Implement Kubernetes for multi-cloud architecture security

Google forms cyber insurance pact with Allianz, Munich Re

SearchNetworking

Wi-Fi 6 rollout requires careful review of network devices

How cloud-native networking will transform infrastructure

The role of network observability in distributed systems

SearchCIO

Enterprise architecture has business's ear at Scottish Water

4 IT contract negotiation strategies to drive value in 2021

Turning data into actionable insights with machine learning

SearchEnterpriseDesktop

Incorporating zero trust into endpoint security

Keeping tabs on employees in the hybrid workplace

Top 6 endpoint security software options in 2021

SearchCloudComputing

Choose the right serverless container service

IBM boosts vertical cloud push with financial services cloud

Open source cloud platforms and tools to consider

ComputerWeekly.com

Ireland’s DPC launches probe into Facebook leak

CW Middle East: Qatari regulator launches platform to help combat money laundering

Amdocs joins Open Networking Foundation