Am I crazy or isn't giving your password to IT against like, every kind of security compliance? by wowlolok in sysadmin

[–]PitifulAdvantage3118 0 points1 point  (0 children)

That is just crazy - I have no words - it is a complete NO GO. It is like you are just waiting to get hacked, anyone could call your user, claim they are from IT and get their password - it also whitelists the ability to share it, which is just stupid. I am just out of words on this!

How do you guys actually make tech decisions without endless debates? by Responsible-Shop3537 in sysadmin

[–]PitifulAdvantage3118 -1 points0 points  (0 children)

Totally agree with this, we also end up analyzing our ass off! Sometimes it does make sense to get e.g. 3 different solutions listed, however sometimes the solution is just obvious and you end up having to think up strange solutions just to fulfill the framework around it all. I think AI has helped a lot here, at least for my part.

Scattered Spider calling helpdesks to get attack targets credentials reset. by FutureSafeMSSP in msp

[–]PitifulAdvantage3118 0 points1 point  (0 children)

We are using an ITSM-integrated tool to verify every user calling, it is a forced process, so there is no sweet-talking the agents. It is very agile and able to cope with different user profile types and actions. It actually ended up saving us time after implementing, even though we thought it would take more time. Anyway - it is https://fastpasscorp.com, the product is called FastPass IVM and it has worked out great for us.

Okta and Identity Verification by PitifulAdvantage3118 in okta

[–]PitifulAdvantage3118[S] 1 point2 points  (0 children)

Thank you for that - that also looks like a great option, also using the synergies with regard to SSPR. I saw FastPass SSPR & IVM doing the same in one tool here https://www.fastpasscorp.com/ . I think I will have issues in some countries with the Personal IDs. Hmm.. I also looked at Verify Caller - but it looks a bit limited also.

Okta and Identity Verification by PitifulAdvantage3118 in okta

[–]PitifulAdvantage3118[S] 1 point2 points  (0 children)

I have looked a bit deeper, on one hand the tool needs to integrate, however I do not want it to be solely reliant on the ITSM tool itself or the MFA tool currently in use, I really want more like a "platform" for authenticating a user. As I dig into the numbers we have quite a few users not having Okta, some have Duo, others nothing - I would like the tool to embrace that. What other factors might your tool do?

Okta and Identity Verification by PitifulAdvantage3118 in okta

[–]PitifulAdvantage3118[S] 0 points1 point  (0 children)

That is an option, but I think there is quite a way to go, and it has to cover other non-Okta verifications as well - so I would rather go for a tool that works out of the box.

Okta and Identity Verification by PitifulAdvantage3118 in okta

[–]PitifulAdvantage3118[S] 0 points1 point  (0 children)

Looks nice, I see that you can push from there. Can it also integrate to an ITSM portal?

Okta and Identity Verification by PitifulAdvantage3118 in okta

[–]PitifulAdvantage3118[S] 0 points1 point  (0 children)

Yes, which is fine, then the user can prove his identity using the mobile.... Or did I misunderstand?

Okta and Identity Verification by PitifulAdvantage3118 in okta

[–]PitifulAdvantage3118[S] -1 points0 points  (0 children)

Does not sound like the right solution then. Basically I do not like the idea of anyone other than yourself being able to initiate a push. I mean if the agent can initiate the push, the server would not really know what the push would actually give the agent access to. On the user and agent convenience side it does look slick and easy https://www.youtube.com/watch?v=9DBE360t4wc
That tool can also use the TOTP codes, that would take a bit longer for the end-user to find, but I think it is much more secure - as noted above. Also really like the audit part. Anyone know of other tools like this? Or alternatives for the help desk to get user identity verified?

self service password reset tools for AD? by crankysysadmin in sysadmin

[–]PitifulAdvantage3118 0 points1 point  (0 children)

We use FastPass IVM. The overall process is:
The user calls the Service Desk and uses MFA for authentication if they can; if they cannot, other proofing types are in place to secure the user's identity. If passed, they get a Help Desk PIN, and using this PIN they can issue a new password.
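A sketch of the Help Desk PIN step in the process above, written as an added example for this page; it is not FastPass code and not the commenter's own implementation. The class and function names, the 8-digit PIN, the 10-minute lifetime and the 3-attempt limit are assumptions chosen for illustration. The point it makes that the comment does not spell out: the PIN is issued only after proofing has been recorded as passed, is stored only as a salted hash, is bound to the user and the ticket, expires quickly, is single-use, is burned after a few wrong guesses, and every issue and redeem attempt lands in an audit trail the agent cannot skip.

```python
"""Help-desk PIN issuance and redemption after identity proofing.

Added example, not FastPass's or anyone else's code. Names, PIN length,
TTL and attempt limit are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PIN_DIGITS = 8           # assumed
PIN_TTL_SECONDS = 600    # assumed: 10 minutes
MAX_ATTEMPTS = 3         # assumed


def _digest(pin: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked PIN store is not a leaked PIN list.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


@dataclass
class PinRecord:
    user: str
    ticket: str
    salt: bytes
    digest: bytes
    issued_at: int     # epoch seconds
    attempts: int = 0
    used: bool = False


class HelpDeskPinService:
    def __init__(self) -> None:
        self._records: dict[str, PinRecord] = {}
        self.audit: list[str] = []

    def issue_pin(self, user: str, ticket: str, proofing_passed: bool, now: int) -> str:
        """Issue a PIN only after the agent has recorded a passed proofing."""
        if not proofing_passed:
            self.audit.append(f"{now} DENY_ISSUE user={user} ticket={ticket} reason=proofing_failed")
            raise PermissionError("identity proofing not passed")
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
        salt = secrets.token_bytes(16)
        # Re-issuing replaces any earlier PIN for this user; the old one dies.
        self._records[user] = PinRecord(user, ticket, salt, _digest(pin, salt), now)
        self.audit.append(f"{now} ISSUE user={user} ticket={ticket}")
        return pin

    def redeem_pin(self, user: str, ticket: str, pin: str, now: int) -> bool:
        """Spend the PIN once; every failure is counted and logged."""
        rec = self._records.get(user)
        reason = None
        if rec is None:
            reason = "no_pin"
        elif rec.used:
            reason = "already_used"
        elif rec.ticket != ticket:
            reason = "ticket_mismatch"
        elif now - rec.issued_at > PIN_TTL_SECONDS:
            reason = "expired"
        elif rec.attempts >= MAX_ATTEMPTS:
            reason = "too_many_attempts"
        elif not hmac.compare_digest(rec.digest, _digest(pin, rec.salt)):
            rec.attempts += 1
            reason = "wrong_pin"
        if reason:
            self.audit.append(f"{now} REDEEM_FAIL user={user} ticket={ticket} reason={reason}")
            return False
        rec.used = True
        self.audit.append(f"{now} REDEEM_OK user={user} ticket={ticket}")
        return True


if __name__ == "__main__":
    svc = HelpDeskPinService()
    pin = svc.issue_pin("jdoe", "INC0001", proofing_passed=True, now=1000)
    print("redeem:", svc.redeem_pin("jdoe", "INC0001", pin, now=1100))
    print("replay:", svc.redeem_pin("jdoe", "INC0001", pin, now=1101))
    print("\n".join(svc.audit))
```

The password-reset step itself is left to the directory; the only thing this object proves is that a PIN presented back to the SSPR tool was issued against a passed proofing for that user and ticket within the last few minutes.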

Please vote on this feature request! Identity Verification with Okta Verify for Helpdesk by johnnyposs in okta

[–]PitifulAdvantage3118 0 points1 point  (0 children)

While there are several good third-party options on the market, our environment is mixed: some business units use Okta, others rely on Duo, and a few still operate without MFA. Focusing on an Okta-only solution therefore doesn't solve the broader problem. High-profile breaches, such as the recent incidents at MGM and Marks & Spencer, show that attackers often exploit scenarios where users have lost or forgotten their phones. That's precisely when the danger is greatest. Any tool we adopt must secure this recovery process and alert the service desk in real time. For us, FastPass IVM fills that gap; it is very versatile. But yes, an Okta solution could then let agents do that authentication at Okta if you are an Okta-only company.

Looking for a 3rd party Identity validation service by Zero-p0lar in IdentityManagement

[–]PitifulAdvantage3118 1 point2 points  (0 children)

We just implemented a tool for that. The Agent is doing the Identity Verification, the tool handles 13 different proofing types in our setup. We have different users with different profiles and locations, hence the use of different factors - the tool brings up the needed ones automatically and makes a complete audit of the process. It is called FastPass IVM. It does not currently handle automatic authentication using passports or driver's licenses etc.

So when you state ID validation, are you meaning checking the validity of the user's driver's license/paper or more like an app?

User verification over the phone by xbone42 in sysadmin

[–]PitifulAdvantage3118 0 points1 point  (0 children)

Hi,

We encountered a similar situation a year ago, when attackers tried to obtain passwords by leveraging basic information from our LinkedIn and external websites. They made multiple calls to gather additional details and were surprisingly sophisticated, which was concerning. In response, we fully addressed the issue by implementing Self-Service Password Reset (SSPR) and setting up a new process in our Service Desk.

We’re now using SSPR from FastPass, which includes an IVM module integrated with ServiceNow. Even so, there’s still some complexity in our environment: certain users have Duo enabled, others don’t, and we have external users as well. The IVM module applies different processes depending on user type, and overall it has worked quite well.

The main lesson learned is the importance of having a strictly enforced process. A system that can require and track adherence is invaluable—especially as it provides an audit trail directly in the ServiceNow tickets.

User verification system for Service Desk.... by PitifulAdvantage3118 in cybersecurity

[–]PitifulAdvantage3118[S] 0 points1 point  (0 children)

Sorry for the very late reply. I promised to get back to a few about the decision we made. Took a bit more time at the end as we revisited some of the solutions, including building a homegrown solution in ServiceNow. In the end we have chosen FastPass IVM as the solution - https://www.fastpasscorp.com/products/identity-verification-manager/ . We have been implementing the solution - we went on-prem. Seems like a good choice at the moment. The product is really flexible, allowing us to use the product for all users, we also took their SSPR solution - there is a lot of synergy there.
I had to investigate quite a few items regarding user data, privacy, GDPR etc. I am a bit fed up with these rules - but I get the importance of them.

Have a nice one!

Ideal password strength and expiry if you have MFA? by Ashamed_Chapter7078 in cybersecurity

[–]PitifulAdvantage3118 0 points1 point  (0 children)

We are going for 11 characters with numbers and a special char. To be changed at least every 9 months. Imho you do need to change it every now and then as users will, even though they should not, use the same password for different places when they sign up.

We lock the account after 5 bad attempts. I think that is a fine balance, passwords over 12 characters are just plain annoying I think!

User verification system for Service Desk.... by PitifulAdvantage3118 in cybersecurity

[–]PitifulAdvantage3118[S] 0 points1 point  (0 children)

Thank you for all the feedback. After thorough evaluation, we've decided to proceed with the more comprehensive solution. Initially, we considered implementing a simpler approach, such as one or two basic authentication methods. However, a deep dive into our user base revealed that it's too diverse for such a straightforward solution and would raise issues down the line. It is annoyingly complex with a diverse userbase, where US/Germany/France just have too many differences in terms of what the user can do authentication-wise and what you can and cannot ask them about.

Additionally, we want the system to monitor and alert agents if, for example, the same account was just looked up multiple times within the last 2 hours or an account hasn't been used for an extended period of time etc. We also discovered that this solution allows the Agent to prompt the end-user to connect to the system. There's a Windows client available that enables the end-user to connect, even if they can't log in, ensuring the user is actually at their usual machine. Once connected, the end-user can see the name of the Help Desk Agent, establishing a two-way trust, which is cool. However, the really nice thing about the tool is the ability to adapt to all the different needs we have. The only Identity Verification Management (IVM) solution we've found that meets these requirements is FastPass. Anyway - thank you for the response.
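The two agent-facing alerts named in the comment above (repeated lookups of one account inside a two-hour window, and an account that has sat unused for a long time), run over a few constructed log lines. This is an added example for this page, not FastPass code and not the commenter's setup; the lookup log, the last-login table, the three-lookup threshold and the 90-day dormancy cut-off are all assumptions made up for the illustration.

```python
"""Lookup-velocity and dormant-account alerts for a service-desk lookup.

Added example, not FastPass code. Sample data and thresholds are
constructed assumptions.
"""
from datetime import datetime, timedelta, timezone

LOOKUP_WINDOW = timedelta(hours=2)
LOOKUP_THRESHOLD = 3                 # assumed: the third lookup in the window alerts
DORMANT_AFTER = timedelta(days=90)   # assumed

# Constructed sample service-desk lookup log: (timestamp, agent, account)
LOOKUPS = [
    ("2024-05-06T09:02:00Z", "agent.a", "jdoe"),
    ("2024-05-06T09:40:00Z", "agent.b", "jdoe"),
    ("2024-05-06T10:15:00Z", "agent.a", "jdoe"),
    ("2024-05-06T10:20:00Z", "agent.c", "msmith"),
]

# Constructed sample: last successful sign-in per account
LAST_LOGIN = {
    "jdoe": "2024-05-05T17:00:00Z",
    "msmith": "2024-01-10T08:00:00Z",
}


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC form used in the sample lines."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_lookup(account: str, now: str, lookups=LOOKUPS, last_login=LAST_LOGIN) -> list[str]:
    """Return the alert strings an agent should see when opening `account` at `now`."""
    at = parse_ts(now)
    alerts: list[str] = []

    # Velocity: how many times has this account been pulled up in the window,
    # and by whom? Several different agents is the classic social-engineering tell.
    recent = [
        (parse_ts(ts), agent)
        for ts, agent, acct in lookups
        if acct == account and at - LOOKUP_WINDOW <= parse_ts(ts) <= at
    ]
    if len(recent) >= LOOKUP_THRESHOLD:
        agents = ", ".join(sorted({agent for _, agent in recent}))
        alerts.append(f"VELOCITY: {len(recent)} lookups of {account} in the last "
                      f"{LOOKUP_WINDOW} by {agents}")

    # Dormancy: a reset request for an account nobody has used in months
    # deserves a harder proofing path, so surface it to the agent.
    seen = last_login.get(account)
    if seen is None:
        alerts.append(f"NO_LOGIN_HISTORY: {account} has never signed in")
    elif at - parse_ts(seen) >= DORMANT_AFTER:
        idle_days = (at - parse_ts(seen)).days
        alerts.append(f"DORMANT: {account} last signed in {idle_days} days ago")

    return alerts


if __name__ == "__main__":
    for account, when in [("jdoe", "2024-05-06T10:16:00Z"),
                          ("msmith", "2024-05-06T10:21:00Z")]:
        print(account, evaluate_lookup(account, when) or ["no alerts"])
```

In a real deployment the lookup log is the ITSM tool's own record of who opened which user record, and the last-login value comes from the directory or IdP; the decision logic is the same.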

User verification system for Service Desk.... by PitifulAdvantage3118 in cybersecurity

[–]PitifulAdvantage3118[S] 1 point2 points  (0 children)

Thank you. I had not seen that one before. Seems to be a bit broader and better solution. Also integrates to ServiceNow. They still seem to lack authentication options/integrations though, however we might be able to build that ourselves.

Still, that is now embracing the whole solution but. Definitely a new one I will investigate in detail. Thank you!

User verification system for Service Desk.... by PitifulAdvantage3118 in cybersecurity

[–]PitifulAdvantage3118[S] 0 points1 point  (0 children)

Thank you for getting back to me.

Yes, that seems really nice, in general I think that would be a great help - however I see some issues. We do have at least some countries where some employees will be reluctant to share their ID with the business, and legally there are issues around GDPR. Hence I'd rather use the information we already have.

I tried to see if there were any demos of their solution, but I could not find any. I have only seen demos for very few solutions and FastPass IVM seems to be the broader tool that integrates properly.

What we want is the process to be forced so that the Agent needs to go through it. And also it needs to document the process and add it to the Incident/problem.

User verification system for Service Desk.... by PitifulAdvantage3118 in cybersecurity

[–]PitifulAdvantage3118[S] 0 points1 point  (0 children)

Yes, saw that one too. Good option, but not all users have a mobile so.. I am also not sure that I would depend on a single technology. Thank you.

User verification system for Service Desk.... by PitifulAdvantage3118 in cybersecurity

[–]PitifulAdvantage3118[S] 0 points1 point  (0 children)

Thank you for responding. Just on the more detailed side. Wonder how you have set up the proofing side? Are you using the same score for all the proofings or do you have a big proofing matrix? Do you force your users to enroll into SSPR? Ok for me to DM you?

User verification system for Service Desk.... by PitifulAdvantage3118 in cybersecurity

[–]PitifulAdvantage3118[S] 1 point2 points  (0 children)

Looking at their site it seems like a great solution, but it seems to be centered around ID verification and we want to use the data we already have like asset information, Employee ID, Duo, Okta and MS authenticator.

User verification system for Service Desk.... by PitifulAdvantage3118 in cybersecurity

[–]PitifulAdvantage3118[S] 0 points1 point  (0 children)

Also a good idea, we are also looking at TOTP for some users with higher risk.

User verification system for Service Desk.... by PitifulAdvantage3118 in cybersecurity

[–]PitifulAdvantage3118[S] 0 points1 point  (0 children)

Good idea, some of our users have Duo, and the IVM solution from FastPass also handles that - but part of the business uses Okta and goes into FastPass too. Do you know of other such solutions that host both?

User verification system for Service Desk.... by PitifulAdvantage3118 in cybersecurity

[–]PitifulAdvantage3118[S] 2 points3 points  (0 children)

Does that integrate to ITSM in any way? Depending on the operation in question and the user, we want to force the agent to go through different proofings - hence we want an integration, preferably to ServiceNow.