Flexible Security For Your Peace of Mind

What is self-service password reset?

Password resets and account lockouts are a burden on IT departments everywhere. By some estimates, 40% of all helpdesk calls are password related. A self-service password reset solution enables users to reset forgotten passwords, and manage account lockouts, without calling the helpdesk.

For IT departments, the benefits of a self-service password reset solution are obvious – less time and money spent on resetting passwords. For users, it’s about convenience. A self-service password reset solution means more availability (24/7), and better accessibility (no matter the device and location). For the business, this translates to a high return on investment, especially when considering employee downtime and productivity loss.

As the central credential store for over 90% of organizations worldwide, Active Directory is a popular candidate for a self-service password reset implementation. This is especially true for organizations with password complexity and expiration requirements as users are more likely to forget a newly created password. As organizations balance security with usability, self-service password reset is a solution to the larger password problem.

Identity verification is essential

Security is key when evaluating a self-service password reset tool. When a user can’t remember their password, they must establish their identity with another secure factor. Knowledge-based authentication (KBA) is the most common form of identity verification during self-service password reset.

KBA is an authentication system in which users are required to answer a “secret” question to confirm their identity. For example:

  • What was the name of your first pet?
  • Where did you attend high school?
  • What is the name of your favorite sports team?

It goes without saying that answers to such questions are susceptible to social engineering. Social engineering is a form of hacking – a hacker tricks the system into thinking they are an authorized user by using information that is readily available. With more and more of our personal information making its way online, the validity of KBA is called into question.

The other problem with KBA is that users forget the answers to their security questions just as they forget their passwords. Since security questions are usually answered once during enrollment, it can go years before the user is expected to provide the answers. This results in users contacting the helpdesk since they cannot identify themselves through the self-service system.

Identity verification with multiple factors can reduce the risk of social engineering and forgotten security questions during self-service password reset. For more on how additional authentication factors can strengthen security, see our best practices for identity verification.

Social engineering is a common tactic against service desks.

Self-service password reset technology

There are a number of solutions that can help end users help themselves. These solutions rely on the same basic features including an administration console, an end-user website for users, and a client application that adds logon assistance to the Windows logon screen. For additional security and flexibility, consider the following evaluation questions:

  • Does the solution use more than just security questions to verify users? Multi-factor authentication helps users access the self-service password reset system without using security questions.
  • Where and how is data stored? Choose a solution that does not use an external database to store user data, enrollment data, or passwords.
  • Does the solution report on system usage and password resets? Reporting capabilities can help track system usage, and event activities such as the number of password resets and account unlocks. This data allows you to measure your return on investment.
  • Is the solution user-friendly? Users prioritize convenience over security. A common barrier in the self-service password reset process is the inability to set a new password that fulfills the complexity requirements. Look for a solution that displays the password complexity rules to help users satisfy the policy on the first try.

For more advanced features, and how our password reset solution measures, see our datasheet for a comparison of self-service password reset tools.

Top tips to secure the helpdesk

The helpdesk staff plays an important part in the success of your self-service password reset solution. They need to know what is going to change, why the organization is making the change, and what they need to do differently. When users contact the helpdesk, a consistent approach that guides users to self-service is the only way to stop old-habits.

The launch of the password reset program is also a good time to re-educate your helpdesk on the latest security measures for protecting accounts and passwords. Afterall, password resets make a great target for cybercriminals skilled in social engineering. Without the right controls in place, an attacker can request a password reset while impersonating a legitimate user. Social engineering is extremely common, and can be quite successful when using security questions. Look for a solution that allows the helpdesk to verify users with high-trust methods during password resets. See our help desk security best practices to get started.

Self-service adoption

You have purchased a self-service password reset system, now comes the hard part. You will be asking users to change – convincing them to use the system, instead of calling the helpdesk. It’s not enough to simply ask users to use the system. System adoption is most effective with the right solution in place.

Enrollment is the process of collecting end user information to verify their identity when they forget their password. Without an enrollment, users can’t use the self-service password reset solution. An effective solution includes features that encourage the enrollment process. Enrollment reminders via email and SMS are effective in guiding users through the process. For more impact, notifications should be configured to appear when the user logs into their account.

To make self-service adoption easier, you can remove the task from end users altogether. This can be done with authentication methods that have identifier information stored in Active Directory, such as mobile number (mobile verification code), or even high-trust authentication investments such as Symantec VIP, and Duo Security. An administrator would pre-enroll all of the users into the self-service system based on the information stored in Active Directory. Want more tips? Check out our top tips for self-service password reset adoption.

To ensure a return on investment, users have to actually use the system.


Want to strike the right balance between security and usability? Specops uReset eases the pain of forgotten passwords and account lockouts. The solution goes beyond knowledge-based authentication, revolutionizing self-service with a flexible authentication engine that includes high-trust authentication methods and auto-enrollment options. With Specops uReset, users always have a secure way to reset their password – from any location, device, or browser!

× Close

Interested in learning more about Specops uReset?

Try Specops uReset No, thank you.