Bridge The Recovery Gap: Addressing the Security Risks in MFA Password Resets

by
Nametag Team
Nametag console showing a successful verification result

Increase security and reduce support costs

Protect your help desk against social engineering and impersonators while saving up to $84 per password reset.

Companies are embracing two-factor authentication (2FA) to enhance security - a login method that requires users to supplement their passwords with a second trust factor like one-time passcodes (OTP) sent by apps or texts, or a more sophisticated trust factor like voice or visual verification.

But as 2FA adoption increases, it is also making it easier for people to get locked out of their accounts, causing unnecessary stress on employees and creating a cybersecurity nightmare.

Many companies have been slow or in some cases unable to assist legitimate account holders in regaining access. Maintaining Active Directory (AD) authentication is another headache in itself, and has grown increasingly complex to manage in remote and cloud environments. The leading employee AD solutions (i.e. Okta and Microsoft) offer guidance to help their customers manage the surge in lockouts and account resets resulting from 2FA mandates. However, too often these issues end up falling back on IT and helpdesk staff to resolve.

Attackers Bypass 2FA by Calling the Helpdesk to Impersonate End-Users

Passwords are complicated enough to manage and remember. But 2FA also has its limitations - phones are easily lost, stolen, or upgraded before a user has updated the associated accounts. Both of these examples require support to reset access for the account owner.

For larger organizations, the volume of these tickets increases exponentially, and so too does the risk of account takeovers without a secure verification solution. Gartner found that as much as 50% of helpdesk tickets today are tied to user lockouts, and the 2022 World Economic Forum report on passwordless authentication estimates that employees spend an average of 11 hours each year resetting passwords.

Security questions are by far the most common form of verification for account recovery, yet they remain a known vulnerability susceptible to social engineering. Add in the fact that deepfake video and audio is now used by cyber-criminals to carry out vishing attacks to deceive call agents over the phone (Hacker News - 69% of companies experience vishing attacks in 2021), and it becomes clear that existing helpdesk verification technology is no longer enough.

With both user lockouts and vishing attacks on the rise, IT helpdesk teams are inundated and overwhelmed with conflicting priorities: meeting performance metrics to resolve tickets, while under pressure to prevent cyber-criminals from gaining unauthorized network access. The costs of these lockouts cascade across the company, spanning cybersecurity, staffing/tooling for the helpdesk agents, and valuable productivity hours that are lost while employees struggle to regain access.

You're Only As Secure As Your Account Recovery Process

Employee Active Directory (AD) solutions like Okta and Microsoft offer guidance to help their customers manage the surge in lockouts and account resets resulting from 2FA. However, even their documentation recommends security questions, voice calls or SMS texts, overlooking the security risks involved. Okta, Microsoft, Twilio, Zendesk, and several other notable breaches have been tied back to ineffective 2FA methods and vishing attacks. This is not surprising, as 95% of all data breaches are caused by an employee mistake or human error, and helpdesk agents are often ill-equipped to detect and prevent impersonators from taking over accounts.

Secure, Automated Account Resets with Nametag

Nametag provides ID verification solutions purpose-built for high risk transactions like account recovery. Nametag’s technology uses the advanced security capabilities of modern smartphones to detect and prevent cyber-criminals from gaining unauthorized access to employee accounts, with native functionality that protects organizations from deepfakes, vishing, and social engineering attacks.

Nametag verifies a user's biometrics against a government-issued ID - in seconds - to provide the highest level of security and confidence, without adding friction for employees. Once a user has enrolled with Nametag, they can be prompted for reverification with just a selfie. Reverification is already required in some industries to authorize high-value transactions like changing key account information, provisioning access to sensitive applications, during the hiring process, and more. This reverification technology is critical for preventing repeated attacks, reducing the likelihood of breaches by as much as 80%.

Nametag offers both out-of-the-box solutions and API’s to integrate with existing active directory technology like Okta and Microsoft. With Nametag CoPilot, your company can be up and running in hours with a zero-code SaaS solution.

Nametag customers recognize more than $500,000 in savings for every 1,000 employees, reducing employee downtime and helpdesk tickets by 20%-50%. Our global customer base spans financial services, insurance, information technology, social media, and other high-risk industries.

  1. https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-manage-password-reset 
  2. https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/
  3. https://cybernews.com/news/twilio-breach-vishing/
Secure your helpdesk against social engineering and impersonators.
Decline
Accept All Cookies