Password reset best practices for self-service
(Last updated on May 13, 2020)
Security is an essential part of almost everything we do with technology today. We unlock devices, sign in to websites, and routinely find ourselves verifying our identity, whether we’re online for work or for personal time.
In a business setting, routine requests for password resets place a burden on the IT help desk. It’s estimated that such requests account for 20% to 50% of all help desk calls, at an estimated cost of $70 for a single password reset. In a large organization, this amounts to a real, measurable cost in terms of time and productivity, for both end users and help desk employees.
For this reason, self-service options for resolving password issues make a lot of sense. Simply implementing self-service, however, does not allow the IT help desk to wash its hands of these issues. In fact, if the self-service approaches your organization takes to resolving password issues are not user-friendly or secure, you are introducing risk in the form of:
- Downtime: employees are unable to access applications and data while they wait for assistance.
- Poor ROI: relying on the help desk is a poor utilization of valuable resources. At the same time, a self-service approach that is cumbersome and requires a lengthy enrollment process will go under-utilized.
- Security: challenge questions and password hints are a poor form of authentication in a world where people tend to over-share information. Even a traditional help desk scenario, where an employee calls or emails to ask for assistance, often lacks a way to authenticate the identity of the person making the request.
What does secure self-service look like?
Like many elements of security, self-service password resets require balance. Set the bar too high, and you’ll waste your investment and increase risk as people attempt to circumvent or ignore the controls. Set the bar too low, and you will fail to adequately protect your environment.
With that in mind, self-service tools should enable the following password reset best practices:
- Easy on-boarding or pre-enrollment options to ensure users adopt the solution.
- Integration with existing tools like Microsoft Active Directory, group policies, multi-factor authentication (MFA) and other identity solutions.
- The ability to authenticate everyone, everywhere, even remote workers who might be unable to access secure networks while their device is locked. In the case of remote workers, the solution should also update their locally cached credentials.
How to secure self-service password resets
By developing tools that empower users to reset passwords, Specops can help organizations manage their help desk costs while also providing a level of authentication that surpasses many of the common approaches to these issues.
Our password reset tool allows users to choose from more than 15 identity authentication providers (including existing investments such as Duo Security, Okta Verify, and Symantec VIP) when verifying their identity prior to a password reset. Administrators can even pre-enroll users with the identity providers using details that already exist in Active Directory. Removing this task from users reduces friction and increases the likelihood they will use the solution instead of requesting assistance from the help desk. The solution is especially useful for preventing lockouts for remote users, as it updates the locally cached credentials during a password change or reset.
Learn more about our self-service password reset best practices, and request a free trial to get started today!