Flexible Security For Your Peace of Mind

SSPR registration guide

(Last updated on December 2, 2020)

The benefits of using a self-service password reset (SSPR) solution can be quantified by the number of reduced password-related calls to the IT service desk. For many organizations, this means significant cost savings. Gartner Research estimates that each password reset call can cost anywhere between $15-$70. Beyond cost reduction, other benefits include improved operational efficiency, and security. 

The IT service desk is measured on time and volume – how many tickets are resolved, and how quickly. Unfortunately, this often means that security is overlooked. Many organizations rarely consider the service desk within their IT security budgets, and are even lacking security policies for verifying callers during a password reset.

With the majority of employees working remotely, IT support does not have the luxury of verifying users in person. Instead, they may use security questions, which are inherently vulnerable to social engineering attacks. In short, service desk agents who handle high-risk use cases, such as password resets, can unintentionally give an attacker access to a user’s account.

A SSPR solution can solve the security issue at the service desk. The key to realizing the benefits is how quickly the project is implemented, which often comes down to getting users enrolled into the system.

When selecting and implementing a SSPR solution consider, the following three essentials:

  1. Flexible authentication options
  2. Adjustable enrollment settings
  3. Multiple access channels

Flexible authentication options

To support user enrollment, the solution will need to support multiple authentication options out-of-the-box. Users will enroll with the authentication service(s) so they can verify their identity before resetting their password. The authentication options should balance security with usability. Users should be able to enroll to the system, without calling the service desk.

If an organization is currently using commercial authentication methods, they should look for a solution that extends those investments to the SSPR use-case. Any user who is already enrolled with an authentication service, will be automatically enrolled in the SSPR solution.  If an organization is not using a commercial authentication service, they should evaluate what data is currently stored in users’ Active Directory profiles. This allows them to gauge if other authentication options can be utilized to automatically enroll users to the system. For example, if a mobile number or corporate email is stored, users can be enrolled into the system automatically with one-time verification codes sent to their mobile device.   

Adjustable enrollment settings

If automatic enrollment is not available, you will need enrollment notifications to encourage users to register with the service. Enrollment notifications should be available via email and SMS. As a last resort, forced enrollment options can ensure that users receive the message.

Once the enrollment timeframe is defined, the enrollment approach can be accelerated as needed: Starting with enrollment notifications for X weeks, followed by forced enrollment for users who have yet to enroll (via an un-closable browser) on their machine.

Multiple access channels

Enrollment is half of the puzzle. If users cannot access, or complete the action when needed, calls to the IT service desk will persist.  A solution that supports multiple access points such as the Windows login screen, desktop menu shortcuts, mobile application, and Web access, can ensure higher levels of usage. However, it is critical to also consider the uses cases that need to be addressed.

In the new remote landscape, users need to access the solution, and complete a password reset, outside of VPN.  Many organizations that currently use a SSPR solution are noticing an increase in service desk calls due to account lockouts related to expired passwords and locally cached credentials. This occurs when the new password and the locally cached password become out of sync when a domain controller cannot be reached. 

Guaranteed enrollment and usage

Specops uReset, our SSPR solution can ensure 100% enrollment and usage.  The solution supports all of the above essentials, and more.

For more information on how Specops uReset supports self-service enrollment, see: https://specopssoft.com/blog/sspr-registration-challenges/

Request a demo of Specops uReset, or start a free trial!

Back to Blog