Password Resets and the Remote Workforce: A Security Disaster Waiting to Happen

In light of the COVID-19 pandemic, a new challenge is beginning to arise – the need to change or reset passwords remotely. At best it’s a bit of work. At worst, it’s a security nightmare.

We’re a few months into the pandemic and IT organizations have learned a lot about getting a remote workforce up and running. Everything from endpoints to connectivity to applications has been the focus of thousands of proverbial fires that flared up as organizations shifted their operations to a model that works almost exclusively remotely.

However, a new issue has begun to rear its ugly head: maintaining Active Directory (AD) authentication. More specifically, the ability of users to periodically change or reset their AD password. It’s one of those aspects of administration that – for any given user – may or may not come up frequently, but over time, it eventually impacts every user.

Whether a password has expired, been forgotten or has been administratively reset by IT, the end result for remote workers is a complete inability to access and use corporate resources. Let’s look at each scenario to see what steps are needed to reset the password and the security concerns that arise.

Periodic Password Changes

Many organizations have given up on forcing periodic password changes since Microsoft stopped recommending it in 2019. However, for those that still have forced password changes in effect and/or have disabled or limited credential caching, the cached credentials on your corporate Windows endpoints are going to expire, requiring the user to connect to the domain and perform a password update.

Remote workers using a corporate Windows device can update their cached credentials using Windows 10’s built-in Change a Password functionality, providing they can connect to the corporate network (read: the domain) via VPN. If connectivity to the domain isn’t possible, the cached credentials should continue to work, but if an update is still needed, it’s going to require a call to the service desk.

In cases where the user has forgotten their password (and, presumably, now needs to enter it to access resources instead of relying on cached credentials in the OS or web browser) or it has been reset by IT due to concerns over it being compromised, the user needs to obtain the new password established by the service desk and, potentially, update it themselves.

What’s the Big Deal?

You might be thinking I’m making this into a huge issue when it’s little more than a quick matter to resolve for either the user or IT. When users can properly connect and update their password within Windows 10, you’re 100% correct. However, any time the service desk has to reset a password, there is a major security concern.

If you are a remote worker and your password needs to be (or has been administratively) reset, you have to call the service desk, provide whatever verification that you’re actually you is required, and then be given a password over the phone. In this day and age of cybersecurity, there are several red flags:

  • There is no verification – unless the service desk has a series of security questions to ask you to prove you are the account owner, verification is nonexistent. Add in the fact that deepfake audio is now used by cyber-criminals to impersonate someone else, and it becomes clear that calling and hearing a familiar voice is definitely not enough.
  • More than one person knows the password – if the service desk sets a new password and communicates it to the user on, say, a personal device, that’s the password for the foreseeable future. Now, two people know that password.
  • It’s a potential breach of data security compliance – depending on the regulation, newer verbiage is very specific about ensuring appropriate control over who has access to protected data sets. If the organization’s password update process results in service desk staff knowing the password, the organization itself may be in trouble should there be a data breach.

Keeping Remote Workforce Authentication Secure

The crux of the problem that needs to be solved is two-fold – the user needs to validate themselves, and the service desk shouldn’t know the password. The best way to truly address this is to utilize a self-service password reset solution. Usually accessible either via web browser (for personal devices) or integrated into the logon process (for corporate devices), password self-service uses an on-boarding process in which the account owner enrolls into the service, or is pre-enrolled, so that they can be validated during a password reset. Verification methods range from questions and answers to more secure methods, depending on the self-service password reset solution. When the need arises to reset a password, the user can verify themselves and reset the password on their own, overcoming the security problems associated with going through the service desk.
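To make the two requirements concrete, here is an added illustration (not code from the article or from any SSPR product) of the minimal self-service flow: enrolled verification answers and passwords are stored only as salted hashes, a successful verification issues a single-use, time-limited reset token, and the user redeems that token to set a password that no operator ever sees. The in-memory directory, the 300-second token lifetime and the sample user are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL = 300   # assumed policy: a reset token is valid for five minutes
_users: Dict[str, dict] = {}   # constructed stand-in for the directory

def _hash(value: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)

def enroll(user: str, password: str, answers: Dict[str, str]) -> None:
    """On-boarding: keep only salted hashes of the password and answers."""
    salt = secrets.token_bytes(16)
    _users[user] = {
        "salt": salt,
        "pw_hash": _hash(password, salt),
        "answers": {q: _hash(a.strip().lower(), salt) for q, a in answers.items()},
        "token": None,
    }

def verify_identity(user: str, answers: Dict[str, str]) -> Optional[str]:
    """Step 1: the user proves ownership; every enrolled answer must match.
    On success a single-use token is issued without any human in the loop."""
    rec = _users.get(user)
    if rec is None:
        return None
    ok = True
    for q, expected in rec["answers"].items():
        given = _hash(answers.get(q, "").strip().lower(), rec["salt"])
        ok &= hmac.compare_digest(given, expected)   # constant-time comparison
    if not ok:
        return None
    token = secrets.token_urlsafe(32)
    rec["token"] = (token, time.time() + TOKEN_TTL)
    return token

def reset_password(user: str, token: str, new_password: str) -> bool:
    """Step 2: redeem the token; the new password is chosen by the user alone."""
    rec = _users.get(user)
    if rec is None or rec["token"] is None:
        return False
    stored, expires = rec["token"]
    rec["token"] = None   # consumed on first attempt, valid or not
    if not hmac.compare_digest(stored, token) or time.time() > expires:
        return False
    rec["pw_hash"] = _hash(new_password, rec["salt"])
    return True

def check_password(user: str, password: str) -> bool:
    rec = _users.get(user)
    return rec is not None and hmac.compare_digest(_hash(password, rec["salt"]), rec["pw_hash"])
```

A wrong or replayed token is rejected and discarded, so an attacker who guesses the answers still gets only one short-lived attempt per successful verification.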
