There’s no doubt: multi-factor authentication helps protect critical business resources that rely on password-based authentication. As businesses have shifted to a hybrid workforce, many organizations have adopted self-service password reset (SSPR) solutions. Many have also added multi-factor authentication for help desk professionals to verify the identity of users who call to resolve a password or account lockout issue.
However, how can organizations successfully implement multi-factor authentication for password resets when not all users have a mobile device to verify their identity?
Why enable multi-factor authentication during password resets?
We often think of multi-factor authentication, especially two-factor authentication, as something used alongside a password when logging into business-critical systems to add an extra layer of protection. However, securing password resets with multi-factor authentication is also crucial. Why?
Attackers have increasingly targeted password resets to gain quick and easy access to network credentials. For example, suppose an attacker has gathered enough information about an employee from social media pages, LinkedIn, and other sites. In this case, they can call the help desk number and pretend to be that user to have the password reset. This is especially dangerous in large organizations where help desk personnel may not personally know every user in the enterprise.
With enough personal information about the user in question, most of which can be extracted from social media pages, an attacker may be able to successfully go through the process with help desk personnel to reset the password. Once the password is reset, the attacker can access the account in the same way as a legitimate user.
These dangers underscore the need to enable multi-factor authentication for password reset operations. Requiring multi-factor authentication when a password reset is needed forces the attacker to present the legitimate “factors” whether or not they have other legitimate information.
When not all users have a mobile phone
There is a challenge today with many multi-factor self-service password reset (SSPR) solutions. Many require users to have access to a mobile phone to receive OTA (over-the-air) tokens via text message or use an OTA app to generate the token needed for multi-factor request validation. While most users have a mobile device capable of receiving OTA tokens via SMS or using an OTA app to generate the necessary tokens, some users may not have a mobile device or may not want to use their mobile device for work.
Additionally, some users may resist installing corporate OTA apps or receiving text messages on personal mobile devices if a corporate device is not provided to them or at least subsidized. For these cases, having a versatile solution that can offer multiple options for users to provide their identity is a critical requirement.
In these cases, organizations need solutions that do not depend solely on mobile devices for OTA capabilities. They need additional authentication factors that give users more ways to prove their identity during password reset workflows.
MFA solutions without the need for a mobile device
Specops uReset Self-Service Password Reset provides an enterprise self-service password reset platform that helps provide organizations with the capabilities and functionality needed to meet today’s SSPR challenges. Additionally, it provides Active Directory users with a secure way to change their passwords from anywhere, using any device.
With Specops uReset, companies can enable their end users to perform day-to-day tasks related to maintaining their Active Directory user accounts and to sort out their own issues, such as resetting passwords, changing passwords, and unlocking accounts. Specops uReset provides a unique SSPR solution among competitors and provides flexible password resets with a wide range of multi-factor authentication options.
It also gives users multi-factor identity verification options beyond those that require a mobile device to receive an OTA code via SMS or to generate a multi-factor identification code with an OTA app. Additionally, it offers many other identity verification options so that end users can provide efficient and secure identity verification to help desk personnel.
Although Specops uReset provides many options for users to use mobile devices, it also provides alternative options for users to prove their identity without a mobile device. Note the following authentication methods that do not require a mobile device:
- Manager Identification – When a user authenticates with Manager Identification, an authentication request is sent to their manager by SMS or e-mail. The manager must then confirm the identity of the user by approving the request.
- Personal email – A user may not have a mobile phone to receive mobile OTA codes via SMS or an OTA app. However, they may be able to access their email to receive a code. This option allows personal email to be used as one of the required factors, bypassing the need for a mobile device.
- Secret questions – This factor is a knowledge-based authentication service that allows users to verify their identity by answering a set of questions whose answers they know and that are not easy to guess.
- Tumblr – users can register and authenticate using their Tumblr account credentials
- Twitter – users can register and authenticate using their Twitter account credentials
- Flickr – users can register and authenticate using their Flickr account credentials
- LinkedIn – users can register and authenticate using their LinkedIn credentials
- Trusted network locations – Trusted Network Locations is an identity service that allows administrators to designate specific IP ranges as trusted network locations.
- YubiKey – The YubiKey is a hardware authentication device. Users can authenticate by generating one-time passwords (OTP) with their YubiKey (only if the YubiKey supports Yubico OTP as a security feature).
Specops uReset provides a robust platform that enables enterprises to provide their employees with options for self-service password reset (SSPR) functionality. With Specops uReset, organizations can provide flexibility to employees who may not have a mobile device and cannot use OTA texts or mobile apps.
Specops uReset offers several other options for employees to verify their identity, using third-party services, email, network locations, and hardware devices capable of generating OTA codes, such as a YubiKey. You can test Specops uReset in your AD for free, anytime.