Learn With Me: Specops – User Verification with Secure Service Desk

Adam Bertram


Welcome back to ATA’s Learn with Me series on securely managing Active Directory (AD) passwords with Specops! If you missed the previous posts, be sure to catch up here. Today, and for our final post in this series, we’re going to cover Specops’ Secure Service Desk tool which helps securely identify users at the service desk.


Whether a user needs to reset their password, unlock their computer, or ask a service desk agent to perform some other kind of action, agents must know who they’re talking to. Rather than taking the person’s word for it on the other end of the phone, a service desk agent must verify a caller’s identity. Enter Specops Secure Service Desk.

Secure Service Desk is a tool built specifically to identify an individual quickly and securely so that the agent can get on with what matters: helping users be more productive.

If you’d like a bit deeper dive into Secure Service Desk, be sure to check out this post’s accompanying review video!

How Secure Service Desk Embraces Multi-Factor Authentication

Authenticating user requests to change passwords is a critical step in any password reset workflow. An organization cannot simply take the requestor’s word for it, try to recognize the requestor’s voice on a phone call, or even rely on the requestor’s face on a video call. AI-generated deep fakes are now almost indistinguishable from real life.

There are many different ways to authenticate a user requesting access to reset a password. One of the most secure ways to identify a user is via multi-factor authentication (MFA). MFA securely identifies users based on three major attributes.

  • Know – Something a user knows such as a password or PIN.
  • Have – Something physical like a mobile device with an authentication app or key fob.
  • Are – Something a user is like a fingerprint or eye iris scan.

Organizations that have users register each (or a combination) of these attributes beforehand with a tool like Secure Service Desk can then offer a secure, identity-verified password reset experience should the need arise.

Secure Service Desk provides MFA services not only for end-users but also for Secure Service Desk administrators.

Architecture and Password Reset Workflow

Secure Service Desk is one component in the ecosystem of Specops Authentication products with the sole goal of providing a secure way to identify and authenticate users. You can see below a basic architecture of where Secure Service Desk fits into the Specops umbrella of products.

When a user needs to reset their password (or perform any other task that needs authentication), they each follow a common pattern using Secure Service Desk.

  1. Initiate a password reset or computer unlock request to the service desk.
  2. The service desk initiates a user identification task using that user’s registered identity service like SMS code, secret questions, the Google Authenticator app, or even a Facebook login!
  3. The user provides the required identity information.
  4. The service desk agent assists the user with their request.

What you may not see is how Secure Service Desk integrates with your environment. Rather than building their own protocol or storage mechanism, Specops chose to keep it simple and leverage your on-prem AD instead.

One thing I like about all Specops products is the simplicity. They tend to each serve specific use cases and stick to that. You won’t find unnecessary features that seem like they were bolted on. Instead, you just get the functionality you need and nothing more.

How Secure Service Desk Authenticates Users

Let’s say Joe User needs to change his Active Directory password and his organization has implemented Specops Secure Service Desk. Joe calls up the service desk and requests his password reset ASAP.

The service desk agent brings up Secure Service Desk using a handy interface like the one below and begins the verification process.

You’ll see that Joe has nine different ways to authenticate himself!

  • Text message (SMS code)
  • Corporate email
  • Personal email
  • Duo
  • PingID
  • Google Authenticator
  • Manager Identification
  • Secret Questions
  • Windows Identity

Secure Service Desk uses an identity service weighting system that, based on your organization’s preferences, forces the service desk agent to verify Joe using one or more identification methods. You can see below that each identity service has a preferred “weight” based on the number of stars assigned to it.


For example, if Joe can authenticate with his fingerprint, that ID method is considered secure and is the only method he needs to authenticate. If he doesn’t have that method set up, he can have a code sent to his email and answer some secret questions, for example, that combined each add up to the required three stars.
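To make the weighting rule concrete, here is an added example (my own illustration, not Specops code) of a policy check that adds up star weights for the services an agent has verified and lists which remaining enrolled services would still get the caller over the threshold. The star values per service are assumptions chosen so that Fingerprint alone, and Corporate email plus Secret Questions together, both reach the required three stars, as the post describes.

```python
from itertools import combinations

# Assumed star weights per identity service. The post shows stars in the UI
# but not the values; these are constructed for illustration only.
WEIGHTS = {
    "fingerprint": 3,
    "duo": 3,
    "google_authenticator": 2,
    "sms": 2,
    "corporate_email": 2,
    "secret_questions": 1,
    "manager_identification": 1,
}
REQUIRED_STARS = 3  # assumed organization policy threshold


def score(verified):
    """Total stars for the services the agent has successfully verified.
    An unknown service name raises KeyError rather than silently counting as zero."""
    return sum(WEIGHTS[s] for s in verified)


def is_verified(verified, required=REQUIRED_STARS):
    """True once the combined weight of verified services meets the policy threshold."""
    return score(verified) >= required


def remaining_options(verified, enrolled, required=REQUIRED_STARS):
    """Minimal sets of additional enrolled services that would satisfy the threshold.
    Only services the user registered beforehand are candidates; returns [] if already verified."""
    deficit = required - score(verified)
    if deficit <= 0:
        return []
    candidates = [s for s in enrolled if s not in verified]
    options = []
    # Grow combination size so that any smaller sufficient set is already known
    for n in range(1, len(candidates) + 1):
        for combo in combinations(candidates, n):
            if sum(WEIGHTS[s] for s in combo) < deficit:
                continue
            # Skip combos that merely extend an option already found (keep minimal sets)
            if any(set(o) < set(combo) for o in options):
                continue
            options.append(combo)
    return options
```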

Specops has a Specops Fingerprint mobile app that can authenticate users based on either iOS Touch ID or Face ID or by using the Fingerprint API scan feature integrated in Android v6+ devices.

Joe’s organization has defined a policy for Joe, which means the service desk agent authenticating him must use the specific identity services that policy requires.

Specops Secure Service Desk Policies

No product would be complete without a great administration experience for all of you IT and InfoSec pros out there! Secure Service Desk provides an intuitive way to assign required settings to Secure Service Desk admins.

Secure Service Desk policies only apply to Secure Service Desk agents. User-based policies are defined in other areas of the Specops Authentication ecosystem.

You can assign a handful of policies to Secure Service Desk admins. For example, depending on how strict your organization’s policies are, you could force Secure Service Desk admins to verify the identity of users before they can assist.

You’ll see below a policy option that only allows Secure Service Desk agents to reset a user’s password if that user can authenticate themselves first. Some organizations may prefer not to enable this option; perhaps a user was not able to enroll properly in identity services, for example.

Forced user identification for Secure Service Desk agents

As an additional layer of security, you can also prevent Secure Service Desk agents from explicitly setting passwords for users. Rather than allowing Secure Service Desk agents to reset passwords directly, you can define a policy to force random passwords delivered to end-users.

By preventing Secure Service Desk agent-controlled passwords, you add an additional layer of security knowing that only the end-user knows the password at any point in time (not even the Secure Service Desk agent).

Forcing auto-generated passwords

Reporting

What kind of solution would be complete without thorough auditing and reporting features? All activity performed within Secure Service Desk is recorded and easily navigable. You’ll see every event you can think of inside of the reporting feature.

Using Specops Authentication reporting, activities performed within Secure Service Desk are combined with activities from other Specops products. You’ll see below a great example of an identity verification process that I stepped through when reviewing Secure Service Desk.

The reporting feature also allows you to navigate user enrollments, Secure Service Desk agent password resets and computer unlocks.

Secure Service Desk auditing

If the grid view above doesn’t suit you, Secure Service Desk also provides a graphical dashboard that summarizes all user identification activities in one view.

Secure Service Desk reporting dashboard

Conclusion

Overall, like all Specops products, Secure Service Desk works as advertised. It seems to have solved a huge problem when it comes to password resets: user authentication. I can tell that Specops put a lot of time and attention into building identity services within the product.

Secure Service Desk provides just about every MFA option you can think of so I think you’d be hard-pressed to find an unsupported identity provider. It’s great that a product, out of the box, provides so many options.

Throughout my testing, I could find no real qualms with the product. User enrollment was fairly easy, administration was straightforward and the identity providers I set up worked as expected. The only problem I had initially was lack of documentation. It took some trial and error to get everything working but once I got familiar with the product, administration was straightforward.

I’d have no problems recommending Specops Secure Service Desk to an organization needing a more secure way to authenticate user password resets and unlocking computers.
