In a nutshell, “Onboarding” is management jargon that first appeared in the 1970s. It refers to the process of getting a new hire up to speed on organisational processes, policies, the resources their position needs, and culture. The aim of successful onboarding is to help new employees become effective within the organisation as quickly as possible.
There’s a lot to be said on the full scope of Onboarding – and there are whole books on the subject out there if you’re into that sort of thing – but let’s stick to HelloID’s expertise on the IT-side of this process. HelloID specialise in optimising the business and IT processes that ensure users’ access to network resources, such as applications and file shares.
When a new employee starts a job that requires access to a computer or email, they’ll need an account – likely in Active Directory or Google G Suite. Some organisations set all of that up manually, which is very time consuming. But when you work with HelloID, the process is automated, and everything is created in a snap. Either way, once the new user accounts and passwords have been set up, it’s time for the riskiest part of any onboarding plan – the hand-off.
The transfer of new user credentials is one of the largest weaknesses in any organisation’s security posture. Even organisations with the most sophisticated security and password policies are exposed to this often-overlooked risk, for all that Gartner reports information security spending will exceed $124 billion this year.
Many organisations use an easily deciphered default password formula when creating new accounts. For example, the first two letters of the first name, the birth year, and the last name would give a Steve Smith born in 1985 the initial password “St1985Smith”. Anyone who recognises this formula (and seeing a single colleague’s initial password is usually enough to recognise it) can guess the password for a new account before the intended user ever logs in for the first time. If some social engineering or a cursory Google and Facebook search yields every detail the formula needs, can you really call the result secure?
Some organisations go further and use the same default password for every single account generated for a new user, such as “Passw0rd123”. With that practice, it doesn’t matter whether a malicious individual can work out your password formula or dig up some personal details. If everyone has the exact same password for their initial login, everyone in your organisation knows what Bob’s password is before he gets a chance to show up at work and choose a new one.
For all the good an 18-character passphrase requirement and a 30-day expiry do, the initial account creation stage is still, in most cases, the most vulnerable moment in the life of a user account. To mitigate this risk, Tools4ever developed SSRPM’s Account Claiming module to protect the onboarding process without a massive IT overhaul.
With Account Claiming, new accounts are created in a disabled state and are associated with a unique “Claim ID.” This Claim ID can be something the employee already knows or can find in their onboarding documentation, such as their employee number.
You can now feel safe delivering that unique Claim ID to the new user via an intermediary or email when the time comes: the Account Claiming module and its web portal are designed so that knowing the Claim ID alone is not enough to access the new account. If it is a value the new user already knows, you don’t even have to transfer the Claim ID itself. Instead, you can conceal the credentials further by telling them only where to find the value at the appropriate moment, for example: “input your Employee number, which is found inside your Welcome Folder on the left side.”
The new user then simply enters the Claim ID into the Account Claiming portal, accessed through the web or the Windows logon screen, and is challenged to identify themselves further. They do so by answering the challenge questions your organisation has configured, which ask for specific but non-sensitive information. The Account Claiming module checks whether the answers match what is on record. If they do, the account is enabled and the user chooses a new password of their own. They now have everything they need to log in and begin work on Day One, and your organisation has closed a serious security hole.
We hope you enjoyed this in-depth look at User Account Onboarding, and what it can do for you. Keep an eye on our blog for the next blog post in the “What Is?” series.
As always, if you have any questions, please do get in touch with us through the “Contact” page on our website. We’ll get back to you as soon as possible.