
How To Protect Password Resets Without Mobile Push or OTP Apps

There is no question: multi-factor authentication helps protect business-critical resources using password-based authentication. In addition, as businesses have transitioned to a hybrid-based workforce, many organizations have adopted self-service password reset solutions (SSPR). Also, many have added multi-factor authentication for helpdesk professionals to verify the identity of users calling in to resolve a password or account lockout issue.

However, how can organizations successfully implement multi-factor authentication for password resets when not every user has a mobile device to verify their identity?

Why enable multi-factor authentication on password resets?

We usually think of multi-factor authentication, and two-factor authentication in particular, as an additional layer of protection on top of the password used to log into business-critical systems. However, it is just as crucial to secure password resets with multi-factor authentication. Why is this?

Attackers have increasingly targeted password resets for gaining quick and easy access to network credentials. For example, suppose an attacker knows enough information about an employee gained through social media pages, LinkedIn, and other sites. In that case, they can call the helpdesk number and masquerade as a real user to have their password reset. It is especially dangerous in larger organizations where helpdesk staff may not personally know every user in the company.

Given enough personal information about the user in question, much of which can be harvested from social media pages, an attacker may be able to successfully go through the process with the helpdesk staff to reset the password. Once they have reset the password, the attacker can access the account in the same way as a legitimate user.

These dangers emphasize the need to enable multi-factor authentication for password reset operations. Requiring multi-factor authentication when a password reset is needed forces the attacker to present the legitimate “factors,” regardless of whether they have other legitimate information.

When not every user has a mobile phone

There is a challenge with many multi-factor Self-Service Password Reset (SSPR) solutions today. Many require that users have access to a mobile phone to receive OTA (over-the-air) tokens via text message or use an OTA app to generate the token needed for validating the multi-factor request. While most users have a mobile device capable of receiving OTA tokens via text messages or using an OTA app to generate the tokens needed, some users may not have a mobile device or are unwilling to use their mobile device for work.

In addition, some users may resist installing corporate OTA apps or receiving text messages on personal mobile devices if a corporate device is not provided to them or at least subsidized. For these cases, having a versatile solution capable of offering multiple options for users to provide their identity is a crucial requirement.

In these cases, organizations need solutions that do not rely solely on a mobile device for OTA delivery. They need additional authentication factors that give users other ways of proving their identity during password reset workflows.

MFA solutions without the need for a mobile device

Specops uReset is an enterprise self-service password reset platform that gives organizations the capabilities and features needed to meet today’s SSPR challenges. It also provides a secure way for Active Directory users to change their passwords from anywhere, using any device.

With Specops uReset, businesses can enable their end-users to perform everyday tasks related to servicing their Active Directory user accounts and triaging their own issues, such as password resets, password changes and account unlocks. Specops uReset stands out among SSPR solutions by offering flexible password resets with a wide range of multi-factor authentication options.

It also lets users prove their identity with multiple factors without needing a mobile device to receive an OTA code via text or an OTA app to generate one. In addition, it provides many other options for verifying identity, so that end-users can effectively and securely prove who they are to helpdesk personnel.

Specops authentication screen: multi-factor services available for authenticating users for self-service password reset

While Specops uReset provides many options allowing users to use mobile devices, it also offers alternative options allowing users to prove their identity without a mobile device. Note the following authentication methods that do not require a mobile device:

  • Manager Identification – When a user authenticates with Manager Identification, an authentication request is sent to their manager in text or email. The manager must then confirm the user’s identity by approving the request.
  • Personal email – The user may not have a mobile phone to receive mobile OTA codes via text or an OTA app. However, they may be able to access their email to receive a code. This option allows using this as one of the required factors, bypassing the need for a mobile device.
  • Secret questions – This factor is a knowledge-based authentication service that allows users to verify their identity by answering a set of questions that only they know and that are not easily guessed.
  • Tumblr – Users can enroll and authenticate using their Tumblr account credentials.
  • Twitter – Users can enroll and authenticate using their Twitter account credentials.
  • Flickr – Users can enroll and authenticate using their Flickr account credentials.
  • LinkedIn – Users can enroll and authenticate using their LinkedIn credentials.
  • Trusted Network Locations – Trusted Network Locations is an identity service that allows administrators to designate specific IP ranges as trusted network locations.
  • YubiKey – The YubiKey is a hardware authentication device. Users can authenticate by generating One Time Passwords (OTP) with their YubiKey (only if the YubiKey supports Yubico OTP as a security function).
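To make the reset-time policy concrete, the following is an added example (not Specops code, and not the uReset product's own logic) of a small policy check that requires two distinct verified factors before a password reset is authorized, drawing only on factors that do not need a mobile device: secret questions, a code sent to the enrolled personal email, a Trusted Network Location check, and manager approval. The enrolment record, the trusted IP range and the email code are constructed sample data; the function and factor names are assumptions made for illustration. The example also shows the point made earlier: an attacker who has harvested enough personal detail to answer the secret questions still fails the policy, because a second independent factor is required.

```python
import hashlib
import hmac
import ipaddress

# Constructed policy data (assumptions for this example, not Specops configuration).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
MOBILE_FACTORS = {"sms_code", "authenticator_app"}  # skipped for users with no enrolled mobile


def _normalize_hash(value: str) -> str:
    """Hash a secret-question answer after trimming and lower-casing it."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()


# Constructed enrolment record for one user; answers are stored hashed, never in clear text.
USER = {
    "username": "jdoe",
    "has_mobile": False,
    "manager": "asmith",
    "secret_answers": {"first school": _normalize_hash("Lincoln Elementary")},
    "email_code": "493021",  # sample code issued to the enrolled personal email address
}


def verify_secret_questions(user: dict, answers: dict) -> bool:
    """Every enrolled question must be answered, and every answer must match (constant-time)."""
    enrolled = user["secret_answers"]
    if set(answers) != set(enrolled):
        return False
    return all(hmac.compare_digest(_normalize_hash(a), enrolled[q]) for q, a in answers.items())


def verify_email_code(user: dict, code: str) -> bool:
    """Compare the presented code with the one sent to the enrolled personal email."""
    return hmac.compare_digest(code, user["email_code"])


def verify_trusted_network(source_ip: str) -> bool:
    """Trusted Network Location: the request must originate from an admin-designated range."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in TRUSTED_NETWORKS)


def verify_manager_approval(user: dict, approval: dict) -> bool:
    """Manager Identification: the enrolled manager must have approved the request."""
    return approval.get("approved") is True and approval.get("approver") == user["manager"]


def authorize_reset(user: dict, evidence: dict, required: int = 2):
    """Return (authorized, verified_factors). Each factor counts once, and `required`
    distinct factors must verify before the reset may proceed."""
    checks = {
        "secret_questions": lambda e: verify_secret_questions(user, e),
        "personal_email": lambda e: verify_email_code(user, e),
        "trusted_network": verify_trusted_network,
        "manager_id": lambda e: verify_manager_approval(user, e),
    }
    verified = set()
    for factor, value in evidence.items():
        if factor in MOBILE_FACTORS and not user["has_mobile"]:
            continue  # factor not enrolled for this user, so it cannot count
        check = checks.get(factor)
        if check is not None and check(value):
            verified.add(factor)
    return len(verified) >= required, sorted(verified)


if __name__ == "__main__":
    # Attacker with harvested personal details only: one factor, denied.
    print(authorize_reset(USER, {"secret_questions": {"first school": "lincoln elementary"}}))
    # Legitimate user: secret questions plus the emailed code, allowed.
    print(authorize_reset(USER, {
        "secret_questions": {"first school": "Lincoln Elementary"},
        "personal_email": "493021",
    }))
```

The `required` count and the factor set are the policy knobs; the checks themselves stay independent, so a factor that is unavailable for a given user (here, anything mobile-based) simply contributes nothing rather than weakening the rest of the policy.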

Specops uReset provides a robust platform that allows businesses to provide options to their employees for self-service password reset (SSPR) functionality. With Specops uReset, organizations can offer flexibility to employees who may not have a mobile device and who are unable to use OTA texts or mobile apps.

Specops uReset provides several other options allowing employees to verify their identity in other ways, using third-party services, email, network locations, and hardware devices capable of generating OTA codes, such as a YubiKey. You can test out Specops uReset in your AD for free, anytime.