E-mail Template: What is End-User and Tech Verification?
What is End-User and Tech Verification?
End-User and Tech Verification are identity verification techniques that confirm the identity of the person on the other end of a support interaction: End-User Verification confirms the client who is calling the service desk, and Tech Verification confirms the technician who is contacting the client. Identity verification, in the context of cybersecurity and access control, is the process of confirming and validating the identity of individuals who are trying to access a system, application, or network. The goal is to ensure that only authorized users gain access to specific resources, while unauthorized or malicious actors are prevented from doing so.
Why does an {MSP} make use of Identity Verification?
{put MSP Name here} has adopted a Zero Trust Policy (ZTP). A ZTP is an approach to cybersecurity that assumes no entity, whether inside or outside the organization, can be trusted by default. This security model requires strict verification of anyone trying to access resources in the network, regardless of their location or the device they are using. There are several reasons why we have adopted a zero-trust policy:
- Changing Perimeter: Traditional security models rely on a secure perimeter, assuming that once someone is inside the network, they can be trusted. However, with the rise of remote work, cloud computing, and mobile devices, the concept of a secure perimeter has become less relevant. Zero trust acknowledges that threats can come from both inside and outside the network.
- Advanced Threats: Traditional security measures are not always effective against advanced persistent threats and sophisticated cyber-attacks such as AI-generated voice phishing (vishing) calls. A ZTP approach helps to mitigate the risk of these threats by continuously verifying and authenticating users.
- Data Security: As organizations increasingly store sensitive data in the cloud and allow remote access to their networks, protecting data becomes paramount. ZTP ensures that only authorized users have access to specific data and resources, reducing the risk of data breaches.
- Mobile Workforce: With more employees working remotely or using mobile devices to access corporate resources, the traditional model of trusting devices based on their location becomes impractical. Zero trust considers every access attempt as potentially untrusted, regardless of the user's location.
- Privileged Access: Zero trust is particularly important for managing privileged access. Even employees with higher levels of access must continuously authenticate and prove their identity, reducing the risk of misuse of privileged credentials.
- Insider Threats: While the majority of employees are trustworthy, insider threats can still pose a significant risk. Zero trust helps organizations minimize the potential damage from insider threats by enforcing the principle of least privilege and continuous monitoring.
- Compliance Requirements: In many industries, there are regulatory requirements that mandate a high level of security and data protection. Adopting a ZTP can help organizations meet these compliance standards and demonstrate a commitment to securing sensitive information.
By adopting a ZTP, {MSP} aims to enhance our clients’ overall security posture, adapt to the evolving threat landscape, and protect critical assets from both internal and external threats.
What are typical ways to Authenticate an Identity?
The goal of identity verification is to ensure that the person claiming a particular identity is, indeed, who they say they are. To be effective, verification relies on Multi-Factor Authentication (MFA). Here is a list of the factors that we rely on:
- Something You Know: This involves knowledge-based factors such as passwords, PINs, or security questions. Often these are unavailable at the time of authentication because the user has forgotten them. They can also be compromised easily, because they are often shared or based on information that is easy to guess (birth dates, addresses, and the like).
- Something You Have: This includes possession-based factors such as security tokens, smart cards, or mobile devices. In the case of a mobile device, the phone number and physical possession of the device together serve as the factor, because we can reach the device via a phone call, an SMS, or an application push notification.
- Something You Are: This involves biometric factors like fingerprints, facial recognition, or retina scans. Biometric data enrolled and stored on your mobile device, and checked by the device itself each time you unlock it, is proof of something that is unique to the end-user.
So how does End-User Verification make use of the Authentication Factors listed above?
End-User Verification (EUV) is a 30-second process and, because of our ZTP, it is required on every service desk call from our clients.
- SMS send: EUV pushes a 6-digit code or a single-click link to a mobile device (Something You Have). Since the end-user has supplied the phone number (Something You Know) of a mobile device that itself relies on a PIN or password (Something You Know) or a biometric (Something You Are) to unlock, you have three levels of authentication in place.
- Email send: as above, EUV pushes the 6-digit code or single-click link to a known email address. The mailbox is authenticated by physical access to the mobile or desktop device AND by the login to the email client.
- Client Portal or Client App: if you do not have access to SMS or email, or it is simply more convenient, you can sign in to either the Client Portal with a password (Something You Know) or the Client App with a biometric login (Something You Are). Once you have signed in to the Portal or App, the technician can push a code or a confirmation request for you to complete the Verification.
What is the purpose of Tech Verification?
Often threat actors will pose as a technician from a service desk in an attempt to gain access to your network, servers, or other network applications. They often sound credible because they may have obtained some pertinent or meaningful information that can be used to fool you into believing that you are speaking with a technician from the {MSP} service desk.
With ZTP, all End-Users should verify any solicited or unsolicited call purporting to be from {MSP} or our service desk.
Tech Verification is a simple, 30-second process. The End-User sends #verify by SMS from their mobile number (Something You Have) to our published Verification phone number (Something You Know). In response, you are sent a unique 6-digit code that only you and a valid service technician from our service desk will know. When the technician reads this code to you, and you are satisfied that it is correct, you send #confirm by SMS back to the Verification phone number.
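To make the two flows above concrete for the engineers who build or audit them, here is an added example of a toy verification back-end. It is not {MSP}'s code and the template does not describe its implementation; the code lifetime (CODE_TTL_SECONDS), the guess limit (MAX_ATTEMPTS) and the reply wording are assumptions, and delivery of the SMS or email is left to a gateway outside this class. It covers End-User Verification (technician pushes a one-time code to a contact on file) and Tech Verification (the end-user texts #verify, the technician reads the code back, the end-user texts #confirm), with the defensive details a reviewer would look for: codes come from a CSPRNG, are compared in constant time, expire, are single-use, and are voided after too many wrong guesses.

```python
"""Toy back-end for End-User Verification and Tech Verification (added example,
not the MSP's code).  Assumptions not stated in the template: codes expire
after CODE_TTL_SECONDS, at most MAX_ATTEMPTS guesses are allowed per EUV code,
and SMS/email delivery is handled by a separate gateway."""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # hypothetical lifetime of a 6-digit code
MAX_ATTEMPTS = 3         # hypothetical guess limit before an EUV code is voided


@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0


class VerificationService:
    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so expiry can be tested offline
        self._euv = {}             # ticket_id  -> Challenge (End-User Verification)
        self._tech = {}            # user_phone -> Challenge (Tech Verification)
        self.confirmations = []    # (user_phone, code) pairs the end-user confirmed

    @staticmethod
    def _new_code():
        # secrets, not random: the code must be unpredictable to anyone guessing it
        return f"{secrets.randbelow(10**6):06d}"

    def _expired(self, ch):
        return self._clock() - ch.issued_at > CODE_TTL_SECONDS

    # ---- End-User Verification: technician pushes a code to a contact on file ----
    def push_euv_code(self, ticket_id, contact):
        """Return (contact, code) for the SMS/email gateway to deliver."""
        ch = Challenge(self._new_code(), self._clock())
        self._euv[ticket_id] = ch
        return contact, ch.code

    def check_euv_code(self, ticket_id, supplied):
        """True only for the current, unexpired code; each code is single-use."""
        ch = self._euv.get(ticket_id)
        if ch is None or self._expired(ch):
            self._euv.pop(ticket_id, None)
            return False
        ch.attempts += 1
        ok = hmac.compare_digest(ch.code, supplied.strip())   # constant-time compare
        if ok or ch.attempts >= MAX_ATTEMPTS:
            del self._euv[ticket_id]   # consumed, or voided after too many guesses
        return ok

    # ---- Tech Verification: end-user texts #verify, then #confirm ----
    def handle_sms(self, from_phone, body):
        """Process one inbound SMS to the published Verification number."""
        cmd = body.strip().lower()
        if cmd == "#verify":
            ch = Challenge(self._new_code(), self._clock())
            self._tech[from_phone] = ch   # a new #verify replaces any earlier code
            return f"Your verification code is {ch.code}. A genuine technician will read it to you."
        if cmd == "#confirm":
            ch = self._tech.pop(from_phone, None)
            if ch is None or self._expired(ch):
                return "No active verification. Send #verify first."
            self.confirmations.append((from_phone, ch.code))
            return "Confirmed. Thank you."
        return "Unrecognised command. Send #verify or #confirm."

    def technician_code_for(self, user_phone):
        """What the service desk console shows the technician for this caller, or None."""
        ch = self._tech.get(user_phone)
        if ch is None or self._expired(ch):
            return None
        return ch.code
```

The point of keying Tech Verification on the end-user's phone number is that the code only ever travels from the MSP to the end-user and then, verbally, from a technician who can see the console to that same end-user; a caller who does not have console access cannot produce it. The attempt limit matters because a 6-digit code has only a million values, so an unlimited number of guesses against an EUV code would make it worthless.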
Here are some tips to help you prevent phishing attacks:
- Don’t trust caller ID: Caller ID can be easily spoofed, so just because a call appears to be from {MSP} or another service provider doesn’t mean it’s legitimate. Always be suspicious of unsolicited calls asking for personal, network, application or computer information.
- Verify the caller: If someone calls claiming to be from {MSP} or another organization, initiate the Tech Verification procedure, or hang up and call them back using a phone number you know to be genuine. Don’t use the number they give you, as it may be fake.
- Don’t give out personal information: Never give out personal or corporate information, such as passwords, PINs, or credit card numbers, to someone who calls you until you have confirmed that they belong to a trusted organization.