Verifying Users Requesting Password Changes

By fhannaford
Tags: Security
We are an MSP and often have client users request help with passwords. Looking for 'current' guidance on effective ways to verify people are who they say they are. It used to be that calling them worked, but there is so much spoofing of phone numbers and emails anymore that it doesn't seem very effective.
Looking for what others are doing these days...
All Answers

I haven't called in for password help in about 2 decades.

by rproffitt Moderator In reply to Verifying Users Requestin ...

All major sites have a password reset feature. Almost all send a message to the user's email or phone with a verification code for resets.

I worry that you don't have such a system as you are an MSP. How can your company be 20 years in the past?

Shoe on head

by kevinwood In reply to Verifying Users Requestin ...

While we are not an MSP - for internal company password resets where we need person verification we make our staff take a picture of themselves with a shoe on their head - this ensures we get a real-time photo of them (who has access to another person's photo with a shoe on their head???) as well as introduces a bit of shame on their part for putting themselves in this situation. This may not be an effective method for an MSP since it is likely more customers you are dealing with but you get the idea. I was in this situation for a password reset for Instagram and they asked for a real-time picture of myself holding a piece of paper with a unique code they provided where they could verify my visual identity with other pictures on my account. Other than that a password reset link sent to a known e-mail address or SMS code to a known cell number would work as well. Hope that helps!

2FA method using SMS code on user's cellphone

by IreneoDJr In reply to Verifying Users Requestin ...

So far, the combination of sending a reset link to the registered e-mail and an SMS code continues to be efficient in doing personal verification for password request changes, but for added security, you may also start using some pre-configured security check questions like mother's maiden name, or brand of the first car owned, etc...

MFA method using SMS code on user's cellphone

by IreneoDJr In reply to Verifying Users Requestin ...

So far, the combination of sending a reset link to the registered e-mail and an SMS code continues to be efficient in doing personal verification for password request changes, but for added security, you may also start using some pre-configured security check questions like mother's maiden name, or brand of the first car owned, etc...
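
The approach several answers describe, a one-time code sent to contact details already on file and read back to the help desk, as an added example that is not from any poster in this thread. The contact directory, the `send` gateway callable, the 10-minute lifetime and the 3-attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # assumed policy: code is valid for 10 minutes
MAX_ATTEMPTS = 3         # assumed policy: request is dropped after 3 wrong codes

# Constructed sample directory: contact details enrolled before any reset request.
CONTACTS_ON_FILE = {"jdoe": {"sms": "+1-555-0100", "email": "jdoe@client.example"}}

class ResetVerifier:
    def __init__(self, send, clock=time.time):
        self._send = send      # callable(destination, message); hypothetical SMS/e-mail gateway
        self._clock = clock
        self._pending = {}     # username -> [code_hash, expires_at, attempts_left]

    @staticmethod
    def _hash(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def start(self, username, channel, caller_supplied_contact=None):
        """Send a one-time code to the contact on file; False if none is enrolled."""
        # caller_supplied_contact is deliberately ignored: a number or address offered
        # during the request may be spoofed, so only pre-enrolled details are used.
        destination = CONTACTS_ON_FILE.get(username, {}).get(channel)
        if destination is None:
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._pending[username] = [self._hash(code), expires_at, MAX_ATTEMPTS]
        self._send(destination, f"Help desk verification code: {code}")
        return True

    def verify(self, username, code_read_back):
        """True only for a correct, unexpired, not yet used code."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._clock() > entry[1]:
            del self._pending[username]          # expired
            return False
        if hmac.compare_digest(entry[0], self._hash(code_read_back)):
            del self._pending[username]          # single use
            return True
        entry[2] -= 1
        if entry[2] == 0:
            del self._pending[username]          # too many wrong guesses
        return False
```
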
