How To Protect Password Resets Without Mobile Push or OTP Apps

There is no question: multi-factor authentication helps protect business-critical resources that rely on password-based authentication. In addition, as businesses have transitioned to a hybrid workforce, many organizations have adopted self-service password reset (SSPR) solutions. Many have also added multi-factor authentication so that helpdesk staff can verify the identity of users who call in to resolve a password or account lockout issue.

However, how can organizations successfully implement multi-factor authentication for password resets when not every user has a mobile device to verify their identity?

Why enable multi-factor authentication on password resets?

We usually think of multi-factor authentication, and two-factor authentication in particular, as something paired with a password at login to business-critical systems to add a further layer of protection. However, it is just as crucial to secure password resets with multi-factor authentication. Why is this?

Attackers have increasingly targeted password resets as a quick and easy way to obtain network credentials. For example, an attacker who has gathered enough information about an employee from social media pages, LinkedIn, and other sites can call the helpdesk number, masquerade as that user, and have the password reset. This is especially dangerous in larger organizations, where helpdesk staff may not personally know every user in the company.

Given enough personal information about the user in question, much of which can be harvested from social media pages, an attacker may be able to get through the helpdesk's identity checks and have the password reset. Once the password has been reset, the attacker can access the account exactly as a legitimate user would.

These dangers emphasize the need to enable multi-factor authentication for password reset operations. Requiring multi-factor authentication before a reset is performed forces the attacker to present the legitimate “factors,” no matter how much other legitimate information they have collected.

When not every user has a mobile phone

There is a challenge with many multi-factor Self-Service Password Reset (SSPR) solutions…
