Never Use Challenge Questions For Password Resets


The following is my answer to the dozens of IT leaders who have asked “what’s the best challenge question to ask before performing a password reset?”

OK this is soooooo close to home for me, and I spent months until I finally found a way to do this, hope it helps you out!  Thanks everyone for asking a question that we should all be asking as IT leaders! It’s actually frightening that more people haven’t worried about how bad our systems are for verifying identities when people call in to the help desk or IT support. Having worked at multiple internet companies where state-sponsored social engineering calls were a regular occurrence, I had to have an airtight procedure that still didn't hinder productivity.

The procedure that finally solved it once and for all as an IT director. 

1. Every caller had to verify their identity via a push notification to their device containing a unique, randomized code (we used duo for 2 factor). The technician pushed a passphrase to their device, if the person on the other end said that passphrase, then that was the verification and the password reset or whatever other help could proceed.

2. If for any, any, any reason that didn't work, the technician had to speak to that person's manager, again verifying the identity by pushing a passphrase to the manager's device on file. Once that occurred, the manager could approve their direct report's password reset. This was enforced from intern to CEO level, if you have any exceptions to your policy, you're guaranteed to have vulnerabilities.

Luckily we did the following at companies where IT had a stellar reputation in the business, so when a manager of a global team was woken up at 4 am, they gave us the benefit of the doubt. The few times this got escalated up to me by an executive I had a heart to heart explaining why we needed to keep the company safe, after which I can guarantee their whole team was informed to make sure they have their password managers and 2 factor devices set up at all times. The one caveat: we also had offered everyone in the company a password manager and training, so we didn't leave them high and dry.

What not to use as challenge questions: 

- Start date: For most high profile employees, the start date is often in the news and even for lower visibility employees it's accessible publicly as many post on linkedin when they join a new company. Plus it's almost always Monday which narrows it down to 52 days a year, and to top it off many employees don't remember their start date anyway. Don't feel bad, this was our policy at one company for ages until we tried to hack our own system and realized that we were over 50% successful at social engineering it LOL. Careful with assumptions!

- Hiring manager: again, googleable, easy to social engineer.

- SSN, etc., just not good practice to give that info to a bunch of folks and with constantly changing privacy laws can be a big deal.

Hope this helps! Whatever you choose, please test it and regularly have people try to social engineer and beat your systems. If you get any push back from an exec, just record someone calling and getting access to their accounts, that usually gets the point across! We are the front lines of security, props to those who asked for an awesome question!

If anyone wants more tips, hit me up, happy to talk security or as always how to improve your reputation with the business!

Return to QSTAC Resources