Helpdesk password reset best practices
(Last updated on February 17, 2020)
If your organization is currently using a self-service password reset solution, it is critical that the helpdesk staff who manage the system and assist users consistently follow best practices. This post provides tips for reducing password-related calls to the helpdesk and outlines security measures for safeguarding user accounts.
Educate and direct to self-service
Password-related helpdesk calls are not only costly, but also drain IT resources that could be spent on more pressing issues. So once a self-service password reset solution, such as Specops uReset, is implemented, the helpdesk staff must not fall into the trap of continuing to unlock accounts for users. Refer users to an FAQ, or provide them with a guide that walks them through the enrollment and password reset process. That guide should be made available to all users and also used during employee onboarding. In addition to showing users what to do, explain the benefits of the solution: 24/7 availability, accessibility from any web browser with multi-device support, and maximum security, since the user's password is never shared with IT staff.
Know who is calling the helpdesk
The helpdesk is a popular target for hackers, and the most common tactic used against it is social engineering. Social engineering is extremely common where verification relies on security questions, and much less common where multi-factor authentication is used. Specops uReset enables the helpdesk to verify a user's identity using any of their enrolled identity services, or by sending a text message containing a code to the mobile number associated with the user's account. For high-security accounts, the helpdesk can layer identity services for increased security. This removes the opportunity for user impersonation.
Issue temporary passwords
Once a user has been verified, the helpdesk can set a new password for the user. The new password must be unique to that user: it must not re-use a previous password, and it must not follow a guessable formula, e.g. a variation of the user ID. Finally, the “never share your password” rule also applies to the helpdesk, so the new password should be temporary and the user must be required to change it at next logon.
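The temporary-password rules above (unique to the user, not a variation of the user ID, not re-used, and forced to change at next logon) as an added Python example; this is not code from the post or from Specops, and the function names, the SHA-256 password history and the returned record are assumptions made for illustration.

```python
"""Helpdesk temporary-password checks for the rules described in the post.

Constructed example: the policy rules come from the post; the function names,
the hashed password history and the ticket record returned are assumptions,
not Specops uReset's API.
"""
import hashlib
import secrets
import string

# Common character substitutions (a->4, e->3, i->1, o->0, s->5) that make a
# "disguised" user ID still guessable.
LEET = str.maketrans("aeios", "43105")


def derived_from_user_id(password: str, user_id: str) -> bool:
    """True if the password is a guessable variation of the user ID:
    it contains the ID, the ID reversed, or a leet-speak form of it."""
    pw = password.lower()
    uid = user_id.lower()
    variants = {uid, uid[::-1], uid.translate(LEET)}
    return any(v and v in pw for v in variants)


def reused(password: str, history_hashes: set) -> bool:
    """True if this exact password was issued before. The history holds
    SHA-256 digests only, so the helpdesk never stores cleartext passwords."""
    return hashlib.sha256(password.encode()).hexdigest() in history_hashes


def acceptable(password: str, user_id: str, history_hashes: set,
               min_len: int = 14) -> bool:
    """Apply all three rules: long enough, not derived from the ID, not reused."""
    return (len(password) >= min_len
            and not derived_from_user_id(password, user_id)
            and not reused(password, history_hashes))


def issue_temporary_password(user_id: str, history_hashes: set,
                             length: int = 16) -> dict:
    """Generate a random password that passes the checks, record its hash so it
    cannot be issued again, and return the record the helpdesk acts on. The
    record flags the password as temporary and requires a change at next logon."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if acceptable(candidate, user_id, history_hashes):
            break
    history_hashes.add(hashlib.sha256(candidate.encode()).hexdigest())
    return {"user_id": user_id, "password": candidate,
            "temporary": True, "must_change_at_next_logon": True}
```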
Keep an eye on the statistics
It is best practice to review the individual statistics for every user who requires a password reset. A full history of a user's system usage helps identify whether they are using the system correctly, and an excessive number of password resets signals an opportunity to further educate that user about password reset best practices.
Typically, when organizations evaluate a self-service password reset solution, the focus is on getting people to use the new system. The helpdesk is often overlooked even though it plays a critical role in educating users and strengthening security. Don’t forget the role of the helpdesk, and give them the features they need to follow these best practices.