MFA password management: An interview with Specops Software’s Darren Siegel

Protecting your business data by securing user authentication and blocking weak passwords is essential in today’s increasingly insecure world. Enterprises that run Active Directory environments need tools that help keep their sensitive business data fully within their control. Specops Software, founded in 2001 and headquartered in Stockholm, Sweden, with additional offices in the United States, UK, Canada, and Germany, has products to meet these needs. The following is the text of a recent interview I had with Darren Siegel, a cybersecurity expert at Specops.

MITCH: I’m talking today with Darren Siegel, a cybersecurity expert at Specops Software. He works as a lead IT engineer, helping organizations solve complex challenges within IT security. Darren has more than 15 years’ experience within Active Directory, IT security, servers, storage, virtualization, cloud, and identity and access management. Darren, thanks for agreeing to let me interview you for this article here on TechGenix.

DARREN: Thanks, Mitch. Happy to chat with an industry expert like yourself.

MITCH: Let’s start by talking about some of the incredible challenges IT has faced during this ongoing pandemic as far as many businesses and organizations are concerned. I’m referring particularly to things like implementing remote work solutions quickly but securely, dealing with the increasing wave of ransomware attacks, and so on. What are your general thoughts about all this?

DARREN: Absolutely, it’s been a real headache for IT departments juggling their everyday work with the unique challenges that have cropped up this year. Between moving entire workforces to securely work from home, hearing about some absolutely massive ransomware breaches, onboarding new employees completely remotely — we certainly have our hands full.

Now more than ever, password security and compliance are vital to the health of an organization. Luckily, software is adapting to these challenges as rapidly as they emerge, so we’re also seeing a ton of innovation in the cybersecurity space right now. Not to mention, with the business community following news about cyberattacks, we also see an increased interest and knowledge around security protocols.

The key to success right now is to not let security slip through the cracks.

MITCH: I’ve heard from many enterprises that their IT service desks are finding things especially challenging these days because of the shift to remote work. Why is it more difficult to support employees working from home instead of those who work at the office?

DARREN: Like I previously mentioned, adjusting to new networks, VPNs, and even Internet speeds can all become burdens on your service desks. Personally, onboarding remote employees has also been interesting—we’ve even been shipping hardware back and forth!

The largest shift is really the volume. With employees all in one place, it’s simpler to enforce adoption of new protocols or have a coworker ask their desk mate how to do something technical rather than call IT. Implementing clear instructions and enforcing compliance under the hood is really what’s going to reduce the number of asks your IT department gets on a regular basis.

Remote work, whether it’s a hybrid model or fully WFH, is here to stay. The adaptations we’ve made in the past year or so will likely pull us through. The difficulties don’t have to stick around, though.

When we’re looking at smarter solutions, what really comes to mind is the ability for IT professionals to access work materials from anywhere.

MITCH: Can automated self-service solutions help organizations reduce the number of incidents their IT helpdesk workers need to deal with?

DARREN: Oh, absolutely. Any IT department worth its salt should be investing in a ticketing system, broad end-user updates, upfront documentation on things like “how to install the latest version of xyz” at this possible stage of the game.

Fully vetted and secure solutions don’t negate an IT department. They allow them to work more effectively on the larger projects (like cyberattack defense) and less on the repeat asks of “how do I reset my password.” It ultimately saves a company money and the entire team a lot of frustration.

MITCH: Responding to password reset requests from remote workers is common, especially with employees using VPNs and dealing with problems caused by locally cached credentials on their computers. Can you explain why helpdesk often struggles with these issues in remote work scenarios?

DARREN: Remote workers might not always be connected to a VPN, and when they need to connect, most VPNs require entry of the user’s password to complete the connection. If a user finds themselves off VPN and unable to use their AD password to get back in, it can be far from a straightforward process to reset their password and get a cached copy of the password on their laptop synchronized via a call to the helpdesk. If they’ve locked their workstation and can’t even log back into Windows on their laptop, it’s even worse. Sometimes this can be solved with a carefully orchestrated set of steps and remote management tools; if not, you may find yourself in a bind where the user needs to come back into the office or ship their equipment out in order to get everything aligned properly.

Really, all this to say — looking for a self-service password reset solution that can also update the local cached credentials is important.

MITCH: Many organizations still implement periodic password expiration policies because they think it provides added security, even though the National Institute of Standards and Technology (NIST) updated its guidelines several years ago to recommend, as best practice, that passwords not be forced to expire periodically, since this practice provides a false sense of security. Do you think that eliminating such policies could help IT departments reduce the number of service desk calls they would need to handle?

DARREN: Interesting. Well, we know from Gartner that password reset calls make up about 40% of all calls to the service desk. We also know from Forrester that each of these calls can cost up to $70, so it’s certainly of interest to organizations to reduce these calls. Since the pandemic especially, we’ve certainly seen organizations embrace setting passwords to never expire — however, that is only even possible to consider if you’re confident that you’ll know if that account or password becomes compromised. NIST itself only recommends removing expiry if compromised password monitoring is in place.

All that being said, we find a lot of organizations don’t have confidence in this recommendation, and that comes from the fact that the average amount of time between breach and discovery of that breach is almost 300 days (per IBM). So instead, we see organizations configuring the setting to 90 (if trying to comply with standards like PCI) or 180 days as it is believed to hedge against indefinite access if the password is compromised.

Here at Specops, we encourage a more nuanced approach than the NIST guidelines. Instead of arbitrarily expiring passwords every 90 or so days, Specops Password Policy’s length-based password aging feature allows you to reward security-conscious users and stronger password selections with a longer password expiration period.

We believe that with clear and upfront instructions at password-change, there doesn’t need to be a barrage of service desk tickets every 90 days.

MITCH: I understand that Specops offers a product called uReset that can help reduce the burden helpdesks experience dealing with expired passwords and requests to reset passwords, including in situations involving remote workers. Tell us a bit about this product, what it can do and what benefits it can provide for IT service desks.

DARREN: Specops uReset is an intelligent solution for these issues; it’s something that just makes total sense for an AD infrastructure, especially when you are implementing password expiry.

The solution enables users to securely reset their Active Directory passwords from anywhere, using any device. It’s a simple solution because we’re giving dynamic feedback at password reset to guide the user into a secure option without the frustration of repeated failed attempts.

With features like flexible multifactor authentication, pre-enrollment, and geo-blocking, this password reset solution has an extremely high level of security. Our hybrid cloud architecture also means that we are never storing your passwords on an external server; the only place the password is stored is in the customer’s Active Directory.

One of the features our customers love most about uReset is that it updates locally cached credentials — which isn’t necessarily common in the market. Updated cached credentials mean less of a headache for your end-user and less of a burden on your IT department.

Another big bonus of using Specops uReset is that it offers self-service AD account unlocking, another big driver of service desk calls. Forgot your password and locked out of your account because you tried to log in too many times? No problem, just click a link on the locked account screen and complete the MFA requirements your IT department has set, and uReset will unlock your account for you, eliminating that call to the service desk.

MITCH: Your uReset tool is definitely an asset that can enhance security for Active Directory environments. What about when other forms of identity providers are also involved?

DARREN: uReset enhances login security by extending multifactor authentication to self-service password reset. There are 15-plus identity services available to ensure that you can select the best options for your users.

However, since not all identity services are equally secure, we allow administrators to assign each identity service a trust value based on their perceived level of security. You can also pick and choose which identity providers you’d like available as options for your end-users.

And if your users are already enrolled in a service like Duo, Okta, or Ping, you can pre-enroll them with that identity service as an MFA option in uReset.

MITCH: How would a remote worker use the uReset tool to reset their password if it expires or needs to be updated?

DARREN: It’s a super-sleek solution from any end-user’s point of view. With uReset implemented in your environment, the user can initiate the password reset process directly from the Windows login screen anytime.

[Image: Specops uReset password reset from the Windows login screen]

MITCH: Does the helpdesk have a user interface they can use with this tool if they need to perform some action manually? For example, to unlock a user account or set a temporary password for a user.

DARREN: Yes, absolutely. The goal with a solution like uReset is to minimize calls to the service desk, but no solution is going to take your call volume down to zero. For the remaining calls, you can utilize an additional product called Specops Secure Service Desk to enforce user verification at the service desk before performing password resets or account unlocks. We leverage the same authentication engine as uReset here so you can achieve the same degree of trust with the end-user prior to setting their password or granting any other potentially sensitive requests.

Here’s an example of what it looks like for IT admins:

[Image: Specops Secure Service Desk admin view]

Especially with employee spoofing attacks like what happened with the recent EA Games attack, enforcing user verification at the service desk should be a top priority for IT departments.

MITCH: How about enrollment? How do administrators enroll employee user accounts into using uReset for password resets? What are the options available for doing this?

DARREN: Administrators have a few options. They can automatically enroll users to the system without requiring users to do anything if they have an identity provider that has identifier information in Active Directory (for example: Mobile Code, Duo Security, Symantec VIP, Okta Verify, PingID, and more). Even traditional factors like secret questions can be pre-enrolled using questions like “What is your employee ID?” rather than “What is your favorite movie?” or other subjective answers that the user is likely to forget.

Administrators can also guide users to the enrollment process via notifications. Enrollment notifications can include emails, a balloon tip pop-up, or even an optional unclosable full-screen browser when the user logs in to Windows.

The tool also offers various reports to help you keep track of your enrollment progress. Service desk agents can also see individual users’ enrollment status in Secure Service Desk and guide the user to the self-enrollment page with them while the agent has them on the phone.

MITCH: What does uReset offer IT service desks in terms of auditing and reporting so they can track usage and any problems that occur?

DARREN: The reporting feature in uReset allows administrators to track your enrollment progress and provides several reports on enrollments, events, and identity service utilization. The reports provide great insight not only into whether users are taking advantage of the solution but how they are using it, so you can feed that data back and use it to drive further adoption.

[Image: Specops uReset reporting view]

MITCH: Aren’t self-service tools like this often susceptible to user name harvesting from malicious actors? Does uReset include any functionality that can prevent this from happening?

DARREN: uReset is a cloud solution, so concerns about how malicious actors might probe for a weak spot are entirely valid. We’ve added a number of security checks that happen prior to username entry, including Captcha and geo-blocking capabilities.

Additionally, our hybrid cloud architecture means there is no external/cloud database required to store password-related information. Everything about your end-users, from usernames to enrollment data to the passwords themselves, is stored only in the customer’s internal Active Directory.

MITCH: Specops uReset tool sounds just like what IT service desks need. Anything else you’d like to say about it, or about anything in general for this article?

DARREN: It can really make remote work a whole lot simpler for an IT department! Nothing more to add except that in this crazy world, the last thing we want to worry about as IT professionals are “I can’t remember my last three passwords” helpdesk tickets or concerns about the validity of end-user identity. Luckily, there are solutions like Specops uReset and Secure Service Desk that can help with the burden of end-users’ asks while maintaining an even higher standard of security.

MITCH: Darren, thanks very much for giving us some of your valuable time!

DARREN: I appreciate it, Mitch! Thanks for asking some excellent questions.

Try Specops uReset for free

And just a final note to those of you reading this article that you can try out Specops uReset and other password security products from Specops with their free trials anytime.