Password Resets are a Bullshit Job
Forrester Research estimates that the average cost of a single password reset done by helpdesk is about $70 USD a year, while Gartner estimates that 30% to 50% of all helpdesk calls are for password resets (Wertheim). That’s a lot of money funneled into a bullshit function, in what would be an absolutely thrilling job supporting corporate IT infrastructure.
Background
Let’s think about password resets for a general person that uses the internet. That’s about 60% of all persons globally, or 4.66 billion people (Johnson). Thinking about how typical user accounts function, and how 78% of users forget and request a password reset for at least one or some of their online accounts (Leuthvilay and Grinshtein), when was a call to a support rep necessary to reset that password? Probably never. Why? Some quick napkin math would suggest 3.6 billion calls, at a cost of $252 billion to support this impractical approach - the entire GDP of Chile (World Bank and OECD).
Of the top ten Fortune 500 companies that provide online user accounts for their services, none of them require a call to a helpdesk to reset passwords. So why then, in corporate settings, are employees forced to call or otherwise contact IT support to change their password.
Google accounts hold personal and private email correspondence, photos taken from a mobile device, documents, personal contact lists, locations and search history.
Amazon accounts store all purchases and spending habits, addresses, and credit card information.
Bank accounts allow withdrawal of money to other accounts, create cheques, access spending history, request loans, credit cards, and store profits from business, salary, savings, or other income.
Online pharmacy accounts have a history of prescriptions, allergies, health insurance information and engagement of health professionals.
Credit bureaus like Experian, Equifax, and TransUnion in the USA provide up to two years of credit checks, credit scores, home addresses, employer and employment information, and loan repayment history.
What do all of these examples have in common? None of them require a call to anyone to reset the account password. One can arguably conclude that any unauthorised access to any of the above online accounts is a serious breach of a person’s private and confidential information, with sometimes dangerous consequences; identity theft, embezzlement, and loss of privacy of a person’s entire life. Some people store passwords of their other online accounts - unencrypted in a Word doc, notes app, or email - further propagating personal damage (Leuthvilay and Grinshtein).
It’s baffling to think that some of the largest global organisations are spending money that could be appropriated into innovative technology solutions that prevent bullshit work from ever making it to a human. If some of your most personal accounts do not require the intervention of a human to verify you, and allow you to change your password, why then are employees of corporations subjected to this bullshit.
Consumer Self-Service Password Resets
Most consumer self-service password reset mechanisms are not perfect. Typically, one or more methods are used to assist with gaining access to accounts online.
Security questions: predefined questions and answers you have provided during account setup. By answering these questions correctly, you can regain access to your account.
Multi-factor authentication (MFA): spoken more here, this method requires more than just asking security questions which can be stolen through social engineering. When your bank sends you a code via SMS, or you need to approve a login from your mobile device, this is a form of MFA.
PIN verification: similar to MFA, however rather than requiring an app, a phone, or a hardware authentication token, an email is sent to you with a code you can enter during the password reset process. It can also be a randomly generated link to the password reset page.
Biometrics: calling an automated line and uttering specific phrases for voice identification, or using fingerprint or iris scanning technology to verify account owners in apps. This method has started gaining traction due to the increasing ubiquity of biometric-enabled smartphones.
Cybercriminals can socially engineer people to hand over answers to their security questions through spear-phishing; a sophisticated method of pretending to be a trustworthy entity by using specific details of the targeted person to gain trust and collect information (Kaspersky). This can be especially difficult to spot, as the attacker may have collected personal information to legitimise the contents of the email. Social networking sites have made this especially easy for attackers. Publicly available information on these websites can be harvested for these kinds of attacks.
While not common, MFA and PIN verification is also vulnerable to attack. Compromised email accounts that receive reset links or authentication codes as part of the password reset process can be intercepted. Mechanisms to prevent reset links and codes sent via email from being used (or reused) expire after a short period of time, so attackers need to act quickly to compromise the account they are trying to gain access to. Compromised inboxes are dangerous, as any other accounts utilising self-service password reset options and the email of the compromised inbox can reset any of that person’s accounts from all over the internet.
Consumer biometrics are slowly gaining traction, mostly on mobile devices and some laptops. When first logging into an app on a phone using a traditional username and password, the option to enable biometric authentication is offered. When enabled, logging into the app again will require the person to scan their fingerprint or use a form of facial recognition - depending on the capabilities of the smartphone (Sharma). The iPhone’s FaceID facial recognition technology offers a 1 in 1,000,000 chance of a random person gaining unauthorised access to that phone or its secured apps (Apple Inc.). Pretty good odds in the owner’s favour. The issue some organisations take umbrage to this approach, and have yet to adopt this method, is that a smartphone’s operating system (that is, the software that manages the functions of the phone, including the security features) is fallible to vulnerabilities. There have been at least 16 known zero-day exploits discovered in 2021 alone for the iPhone’s operating system (Naraine), and almost double of all known zero-day exploits from 2020 (O’Neill). A record year for exploiting our personal smart devices.
These are compelling reasons to have an actual person verify organisational employees. Can we do better?
Better Password Resets
There is no one replacement solution to the management of passwords, and passwords alone aren’t the only layer of protection organisations should count on (think defence in depth). However, until there’s ubiquitous and trusted biometric technology in our computers and smartphones, passwords are here to stay and remain part of the security equation.
Similarly with password resets, we should consider a layered and adaptive approach by automating and moving this costly responsibility away from the helpdesk.
Single sign-on (SSO): a technology which reduces the number of passwords employees need to remember by authenticating once per day or when network changes occur.
Tokens and Public Key Infrastructure (PKI): digital certificates and Challenge-Response devices like Yubico security keys or RSA SecurID.
Company behavioural and technical policies: requiring only complex passwords, automatic account lockouts after numerous unsuccessful login attempts, and policies on how to store your password.
Many organisations employ physical security keys, digital certificates on managed devices (computers and smartphones provided to an employee), and limit the number of passwords required to remember with the help of SSO login portals. When accessing sensitive information, access control groups and secondary administrator account credentials (typically with more complex password requirements, and expiration dates) provide this elevated access. VLANs, dedicated and restricted virtual machines for performing and running commands that modify sensitive systems are also utilised. Mandatory company-wide training on security best practices, and notifications when new devices are logged into with a person’s credentials alert and keep employees vigilant on the importance of IT security.
As it stands now, password resets occur when a support representative and the affected person are able to see each other in real time - as in, over a video call or in-person. The representative will use a security photo, taken on the employee’s first day during orientation, as the source of truth. Before the photo is taken, a form of government ID is validated, so that the person in the photo is who they are. The photo is typically stored in a HR system like Workday, and the photo can be accessed by members of the support team to assist with identity validation.
Remember however, the costs associated with this approach as mentioned earlier. This method is also vulnerable to attacks to the system which stores the photos, and by the people who are responsible for following the validation process. There’s a growing trend, and concern, for outsourcing technical support to vendors and contractors. Outsourced representatives don’t work for and aren’t vetted by the organisation that utilises them, which leaves this method open to abuse. (See: “Hackers are offering Apple employees in Ireland up to €20,000 for their login details”.) It is known amongst tech support groups that IT support accounts are compromised frequently either through a breakdown in the verification process, or from rogue players pretending to be legitimate workers for this purpose.
Fourth-Factor Authentication
Should then an organisation risk giving responsibility of password management to a group of IT support techs who don’t know the person they’re assisting? Most of them do. We challenge why the responsibility should fall onto the support tech. After all, years of tertiary education should amount to a role worthwhile in the industry.
There are some emerging approaches that could shift the current paradigm.
Hardware security keys with biometrics: with risks of vulnerabilities in smartphones, using a purely hardware-based enclosed stateless fingerprint scanner and MFA key.
Vouching method: Assisted method where organisational structures (managers and reports) take part in a collaborative identification and token access control approach.
Voice authentication: a form of biometrics that uses hundreds of traits of a person’s unique voice to ensure the individual on the phone is who they say they are.
Other Authentication Factors which use client management technologies to infer security compliance before credentials are requested. Out of the scope of this report, but worth mentioning.
Biometrics are the future. While there are some laptop and desktop computers that have fingerprint or facial recognition functionality, not all do. Each approach varies among operating systems and vendors, so it becomes difficult to streamline one standard of authentication amongst a diverse technology ecosystem. Having a security key that also acts as a fingerprint scanner wouldn’t require organisations to replace their entire fleet of machines, a costly and time consuming endeavour. Deploying biometric security keys could take days to adopt, instead of months (Yubico Inc.). This is a fairly new technology, launched by Yubico in October 2021.
While not a new concept, a vouching method could be implemented to utilise the natural emergence of social networks from organisational structures or close work-based relationships. In 2006, a paper by RSA Security was published with a concept of “someone you know” as a means of authentication when a password reset is required (Brainard et al.). Helpers would be the gatekeepers to providing tokens that would then allow people who had forgotten their passwords to unlock their accounts and set up a new one - completely bypassing the helpdesk. It doesn’t appear to have gained any traction from the research we’ve conducted. It bears mentioning.
An interesting concept created by Nuance - known for its dictation software - shows how voice authentication is possible, and perhaps a viable alternative to speaking with a support tech. Their solution uses a combination of over 140 traits of a person’s voice to create a profile that distinguishes the speaker from a recording (Nuance Communications, Inc.). Their algorithm can even account for changes to a person’s voice as they age, and when they are unwell and they sound under the weather. There are a number of Australian Government departments that use this technology, completing the verification process while on hold, before making it to a representative (Nott). The technology falters with twins who sound alike, but a confidence score is calculated and thus the threshold for a successful verification could be modified to take this into consideration.
Conclusions
It’s naive to assume that our helpdesks will completely eradicate password resets as they are today. When any automated verification systems fail, a human is the best fallback option. There are emerging methods of verification that should be seriously considered; biometric and MFA security keys, voice verification, and vouching for one another using organisational and social structures. The support team in any organisation is a costly function, so their time and resources must be shifted to innovative solutions that strengthen the technologies enabling their workforce to work effectively and efficiently.
The lengths at which organisations will take to secure their data as compared to personal accounts on the internet is telling as a society where we focus our priorities. Are our private conversations and emails, photos, shopping history and location data less important than the intellectual property of a business whose sole objective is to maximise profits? Sounds bullshit to me.
If you’d like to increase your digital security, reach out to our consultants at contact@hba.consulting.
Technology analysis reports like this is part of what we love to do! If you need concise research reports on tech topics like these, start a conversation with us.
References & Further Reading
Apple Inc. “Face ID Security.” Apple, Nov. 2017, https://www.apple.com/ca/business-docs/FaceID_Security_Guide.pdf.
Brainard, John, et al. “Fourth-Factor Authentication: Somebody You Know.” Proceedings of the 13th ACM Conference on Computer and Communications Security, 2006, pp. 168–78, https://doi.org/10.1145/1180405.1180427. Association for Computing Machinery.
Contributors to Wikimedia projects. “Global Internet Usage.” Wikipedia, 20 Oct. 2021, https://en.wikipedia.org/wiki/Global_Internet_usage.
Johnson, Joseph. “Internet Users in the World 2021.” Statista, 10 Sept. 2021, https://www.statista.com/statistics/617136/digital-population-worldwide/.
Kaspersky. “What Is Spear Phishing? - Definition.” Usa.Kaspersky.Com, 13 Jan. 2021, https://usa.kaspersky.com/resource-center/definitions/spear-phishing.
Leuthvilay, Lani, and Yan Grinshtein. “New Password Study by HYPR Finds 78% of People Had to Reset a Password They Forgot in Past 90 Days.” HYPR, 10 Dec. 2019, https://blog.hypr.com/hypr-password-study-findings.
Naraine, Ryan. “Apple Confirms IOS 15 Zero-Day Exploitation .” SecurityWeek.Com, 11 Oct. 2021, https://www.securityweek.com/apple-confirms-ios-15-zero-day-exploitation.
Nott, George. “The ATO Now Holds the Voiceprints of One in Seven Australians.” Computerworld, 15 Feb. 2018, https://www.computerworld.com/article/3474235/the-ato-now-holds-the-voiceprints-of-one-in-seven-australians.html.
Nuance Communications, Inc. “Nuance Secure Biometrics Datasheet .” Nuance.Com, 21 Nov. 2016, https://www.nuance.com/content/dam/nuance/en_au/collateral/enterprise/data-sheet/ds-nuance-secure-biometrics-datasheet-en-us.pdf.
O’Neill, Patrick Howell. “2021 Has Broken the Record for Zero-Day Hacking Attacks.” MIT Technology Review, 23 Sept. 2021, https://www.technologyreview.com/2021/09/23/1036140/2021-record-zero-day-hacks-reasons/.
Sharma, Rajeev. “Introduction to Mobile Biometric Authentication.” Security Boulevard, 27 Apr. 2021, https://securityboulevard.com/2021/04/introduction-to-mobile-biometric-authentication/.
Wertheim, Steven. “Why Passwords Fail.” The CPA Journal, vol. 89, no. 9, 2019, pp. 70–71. ProQuest.
World Bank and OECD. “GDP (Current US$) - Chile.” World Bank Group, 2020, https://data.worldbank.org/indicator/NY.GDP.MKTP.CD?locations=CL.
Yubico Inc. “YubiKey Bio Series– FIDO Edition.” Yubico.Com, 1 Oct. 2021, https://resources.yubico.com/53ZDUYE6/at/gm5shtjfxkvknbkzjkhffn/YubiKey_Bio.pdf.