End-User Authentication

The Service Desk is potentially one of the biggest security holes in IT. There are several ways to hack a Service Desk:
1. Spoofing a user on the phone
2. Spoofing a user on email
3. Spoofing a user on the portal

We should be validating that end-users are who they say they are (authentication) no matter which communication channel they use.

Some suggestions:

1. Spoofing on the phone: have an authentication module on FreshService which requires that a user authenticates using Google Authenticator, or a text message.

2. Spoofing on email: force users to only use their work-related email addresses; this should be linked to the customer directory service

3. Spoofing on the portal: users can only log an incident if they are logged on with their domain credentials (which requires multiple domain SSO integration).



1 person likes this idea

Hi Louis


Thanks for the pointers on spoofing and the suggestions. It is quite detailed. With Freshservice, you can largely keep in check/authenticate the users prior to them raising tickets. Please find my responses below:


1. Spoofing on email: force users to only use their work-related email addresses; this should be linked to the customer directory service

-- Using Freshservice, you can have automation in place to delete or directly move tickets into the spam bucket if the tickets are raised using any other email except their work email address. 

2. Spoofing on the portal: users can only log an incident if they are logged on with their domain credentials (which requires multiple domain SSO integration).

-- Freshservice can integrate with your AD to authenticate who can login to your Freshservice instance, thus creating an additional layer of authentication over your instance.


3. Spoofing on the phone: have an authentication module on FreshService which requires that a user authenticates using Google Authenticator, or a text message.

-- With regards to call-in, currently we do not integrate directly with a phone channel. However, you can have a UID (unique ID) concept that can be saved in the user information. Whenever the user calls in, the agent/technician can authenticate against that UID from the user information. This can be dynamically synced from your AD as well.


Hope the response helps. Please do let us know if you have any questions. Please do send in your additional questions at eval@freshservice.com with your direct number so that we can have a quick call and get your queries answered. 



Thanks

Sudipta
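
The work-email rule discussed in this thread, as an added example that is not part of either post and is not Freshservice code: a triage check that sends a ticket email to spam unless the From domain is a work domain and the organisation's own mail gateway recorded `dmarc=pass`, since a From address alone can be typed by anyone. The domain `example.com`, the authserv-id `mx.example.com`, the function names and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values, not from the thread: the work domains and the authserv-id
# that the organisation's own mail gateway writes into Authentication-Results.
WORK_DOMAINS = {"example.com"}
TRUSTED_AUTHSERV = "mx.example.com"

def dmarc_pass(msg):
    """True only if our own gateway recorded dmarc=pass for this message."""
    for header in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in header.split(";")]
        authserv = parts[0].split()
        # Skip results stamped by any other server: the sender controls those.
        if not authserv or authserv[0].lower() != TRUSTED_AUTHSERV:
            continue
        if any(p.lower().startswith("dmarc=pass") for p in parts[1:]):
            return True
    return False

def triage(raw):
    """Return 'accept' or 'spam' for one inbound ticket email."""
    msg = message_from_string(raw)
    senders = msg.get_all("From", [])
    if len(senders) != 1:  # a missing or duplicated From header is ambiguous
        return "spam"
    domain = parseaddr(senders[0])[1].rpartition("@")[2].lower()
    if domain not in WORK_DOMAINS:
        return "spam"
    return "accept" if dmarc_pass(msg) else "spam"

def sample(from_hdr, auth_results):
    """Build a constructed test message (not real mail)."""
    return (f"Authentication-Results: {auth_results}\n"
            f"From: {from_hdr}\nSubject: Password reset\n\nPlease reset it.\n")

if __name__ == "__main__":
    cases = {
        "work mail, DMARC pass": ("Alice <alice@example.com>", "mx.example.com; dmarc=pass"),
        "work From, DMARC fail": ("Alice <alice@example.com>", "mx.example.com; dmarc=fail"),
        "result from other server": ("Alice <alice@example.com>", "other.invalid; dmarc=pass"),
        "personal address": ("alice@personal.example", "mx.example.com; dmarc=pass"),
    }
    for label, (frm, ar) in cases.items():
        print(f"{label}: {triage(sample(frm, ar))}")
```

The check relies on the gateway removing any inbound Authentication-Results header that already carries its own authserv-id before adding its result.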