Self-service Account Recovery
30% of help tickets are account recovery.
- When users can help themselves, it improves their experience and reduces your workload.
- Groove.id's unique account recovery process is more secure than traditional methods, easier for users, and less work for you to manage.
Here's how it works
Ask for help from a colleague.
Users use this option when:
- they’ve lost access to a device.
- their request looks unusual or fraudulent.
- they need to recover their account for some other reason.
This keeps account reset requests away from the help desk, which saves time and reduces insider threat.
Help desk staff have the aggregate power of all the accounts they are able to reset, so the peer-to-peer model eliminates the need to give staff excessive authority.
Record a short video.
The user records a video of themselves saying some random words we give them.
Random words prevent an attacker from re-using the video.
Share the link.
We’ll give the user a special link, which they can share with a colleague.
If you choose, you can require users to pre-designate trusted colleagues.
Colleague verifies identity.
Your colleague visits the link, signs in, and watches the video the user recorded.
Humans are good at identifying people. It’s wired into our brains.
What if nobody is around?
As a backup to the backup, the video can be forwarded to the help desk and compared to a reference video.
Colleague confirms the random words.
To prevent forgery, the colleague must choose which words were actually said in the video.
This tells us that they actually watched the video, and that the video wasn’t stolen from another source.
Sign in complete.
Once the video has been verified, the user is signed in automatically.
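The random-word challenge and the colleague's word confirmation can be modelled as follows. This is an added example, not Groove.id's code: the word list, the three spoken words mixed with five decoys, the 15-minute expiry, the single confirmation attempt, the rule that users cannot approve themselves, and all names are assumptions.

```python
import hmac
import secrets
import time

# Constructed word list for illustration; a deployment would use a far larger one.
WORDS = ["anchor", "basket", "copper", "dolphin", "ember", "falcon", "garnet",
         "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nickel",
         "orchid", "pepper"]

class RecoveryChallenge:
    """One recovery request: words to say on video, plus decoys for the verifier."""
    def __init__(self, user, n_spoken=3, n_decoys=5, ttl=900, now=None):
        picked = secrets.SystemRandom().sample(WORDS, n_spoken + n_decoys)
        self.user = user
        self.spoken = frozenset(picked[:n_spoken])  # kept server-side only
        self.choices = sorted(picked)               # shown to the colleague
        self.token = secrets.token_urlsafe(32)      # unguessable share link
        self.expires = (time.time() if now is None else now) + ttl
        self.attempts_left = 1                      # one try: no guessing

def verify(ch, token, verifier, selected, trusted=None, now=None):
    """Return 'approved' only if an allowed colleague picks exactly the spoken words."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(token, ch.token):
        return "bad-link"
    # Users never approve themselves; honour the optional pre-designated list.
    if verifier == ch.user or (trusted is not None and verifier not in trusted):
        return "verifier-not-allowed"
    if now > ch.expires:
        return "expired"
    if ch.attempts_left <= 0:
        return "used"
    ch.attempts_left -= 1  # consumed whether or not the answer is right
    return "approved" if set(selected) == ch.spoken else "wrong-words"

if __name__ == "__main__":
    ch = RecoveryChallenge("alice")
    print("Say on video:", sorted(ch.spoken))
    print("Colleague sees:", ch.choices)
    print(verify(ch, ch.token, "bob", ch.spoken))
```

Because the words are drawn fresh for each request, a video recorded for an earlier challenge contains the wrong words, and a colleague who approves without watching has to guess the right subset in a single attempt.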
Why is this better?
Easy for the good guys
Humans are great at recognizing people. Our brains are hard-wired to do it.
Hard for attackers
An attacker can't spoof a video from someone else, because of the random words.
Users don't have to wait for the help desk; they can have peers, managers, or anyone else they designate help them.
It doesn't rely on text messages, secondary emails, mother's maiden name, or any similar mechanism.
Text messages are trivial to intercept, and the protection on secondary accounts is often weaker than on primary accounts.
Why make the account recovery path less secure than the primary login path? Strangely, many vendors do exactly this.
Reduces Insider Risk
IT staff have the aggregate power of all the accounts whose credentials they can reset. Think your help desk staff can't see the company's financial information? Think again–if they can reset the CFO's password, they can see the financial information.