AAAI-05

For customers not using SSO, do you have documented password/passphrase reset procedures that are currently implemented in the system and/or customer support?

Explanation

This question is asking whether your organization has documented procedures for resetting passwords or passphrases for users who are not using Single Sign-On (SSO).

What it means: When users forget their passwords, there needs to be a secure, consistent process to verify their identity and issue new credentials. This question specifically targets scenarios where users authenticate directly to your system (not through SSO), as these users rely on your password reset mechanisms rather than their identity provider's.

Why it's asked in security assessments: Password reset procedures are a common attack vector for unauthorized access. Without proper verification steps, attackers might social engineer their way into accounts by impersonating legitimate users. Assessors want to ensure you have formal, documented procedures that are actually implemented in your system or support processes to prevent unauthorized access while still helping legitimate users regain access.

How to best answer it:

1. Describe your documented password reset procedures
2. Explain how these procedures are implemented in your system (self-service) and/or support processes (help desk assisted)
3. Highlight security controls in the process (identity verification methods, temporary password policies, etc.)
4. Mention if procedures are regularly reviewed and updated
5. If applicable, note any differences between customer-facing and internal user reset procedures

Example Responses

Example Response 1

Yes, we maintain comprehensive password reset procedures for non-SSO users. Our system implements a self-service password reset functionality that requires users to verify their identity through a combination of security questions and a one-time verification code sent to their registered email address. Temporary passwords expire after 24 hours and require immediate change upon first login. For situations requiring customer support intervention, our documented procedures require support staff to verify at least two pieces of identifying information (such as account details and contact information) before initiating a password reset. All password reset activities are logged for audit purposes, and our procedures are reviewed annually as part of our security program.

Example Response 2

Yes, our organization has documented password reset procedures for non-SSO users that are currently implemented both through our system and customer support channels. For self-service resets, users must verify their identity using a multi-factor approach: they must provide their username, answer a pre-registered security question, and then receive a verification code via SMS to their registered phone number. Our customer support team follows a documented verification protocol requiring confirmation of the user's full name, date of birth, and the last four digits of their registered phone number before processing manual resets. All reset requests generate a temporary password valid for 4 hours and trigger an email notification to the user's registered email address. These procedures are documented in our Information Security Policy and reviewed quarterly.

Example Response 3

No, we currently do not have formally documented password reset procedures for non-SSO users. While our customer support team does handle password reset requests on a case-by-case basis, we lack standardized verification protocols and documentation for this process. We recognize this as a security gap in our current operations and are in the process of developing formal procedures that will include proper identity verification steps, secure temporary password delivery methods, and comprehensive documentation. We expect to have these procedures finalized and implemented within the next 60 days, after which they will be incorporated into our regular security review cycle.
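The self-service controls named in Example Responses 1 and 2 (an unguessable one-time code, a bounded lifetime, single use, and an audit trail) map onto a small amount of code. The following is an added illustration, not code from ResponseHub or from any questionnaire response; the `ResetService` class, the 24-hour lifetime taken from Example Response 1, and the sample account data are all assumptions made for the example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

RESET_TTL = timedelta(hours=24)  # lifetime from Example Response 1 (assumption for this example)

@dataclass
class ResetRecord:
    code_hash: str        # only a hash of the code is stored at rest
    expires_at: datetime
    used: bool = False

@dataclass
class ResetService:
    accounts: dict                                  # email -> account id (constructed sample data)
    pending: dict = field(default_factory=dict)     # account id -> ResetRecord
    audit_log: list = field(default_factory=list)   # (timestamp, event, subject)

    @staticmethod
    def _hash(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def request_reset(self, email: str, now: datetime) -> Optional[str]:
        """Issue a code for a known account; returns the code to be sent out-of-band, or None.
        The caller shows the same message either way, so the response cannot enumerate accounts."""
        account = self.accounts.get(email.lower())
        if account is None:
            self.audit_log.append((now.isoformat(), "reset_requested_unknown_email", email))
            return None
        code = secrets.token_urlsafe(32)            # cryptographically random one-time code
        self.pending[account] = ResetRecord(self._hash(code), now + RESET_TTL)
        self.audit_log.append((now.isoformat(), "reset_issued", account))
        return code

    def complete_reset(self, email: str, code: str, now: datetime) -> bool:
        """Accept the code only if it is pending, unused, unexpired and matches in constant time."""
        account = self.accounts.get(email.lower())
        rec = self.pending.get(account)
        ok = (rec is not None and not rec.used and now <= rec.expires_at
              and hmac.compare_digest(rec.code_hash, self._hash(code)))
        if ok:
            rec.used = True                         # single use, even while still within the TTL
        self.audit_log.append((now.isoformat(), "reset_completed" if ok else "reset_rejected", account))
        return ok
```

Every outcome, including lookups for unknown addresses, lands in `audit_log`, which is the evidence an assessor asks for when the response claims that "all password reset activities are logged".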

Context

Tab: Product
Category: Authentication, Authorization, and Account Management

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub