An application I maintain offers a standard password reset script. My employer wants to add a tool for our support reps to set the password manually to something they pick themselves, and give the password to the customer over the phone.
Security in my application is expected to be top notch, so this sets all sorts of warning bells in my head.
Aside from the obvious no-no of allowing support staff to know customer passwords, What other security implications should I be aware of in this scenario? In the case of fraud, would this increase our legal liability?
My take on this is that you have to offer customers the ability to reset their password. Customers will forget their passwords and need them reset. Meeting the customer in person and confirming their identity is presumed to be out of the question, so it might as well be done over the phone after a human has verified the customer’s identity (in some way that’s deemed sufficient). Any written form of communication such as email is almost guaranteed to be archived somewhere, so having the password in that form is a bad idea. A phone conversation might be recorded too, but at least it’s not searchable. YMMV.
That being said, the thing that you give out over the phone should most certainly be a temporary password that needs to be changed the first time the customer logs in with it (and preferably is only good for a short amount of time). Otherwise your staff will know the customer’s password!
I can’t speak to legal liability.