This website uses cookies to ensure you get the best experience on our website. Learn more
SSPR registration guide
The benefits of using a self-service password reset (SSPR) solution can be quantified by the number of reduced password-related calls to the IT service desk. For many organizations, this means significant cost savings. Gartner Research estimates that each password reset call can cost anywhere between $15-$70. Beyond cost reduction, other benefits include improved operational efficiency, and security.
The IT service desk is measured on time and volume – how many tickets are resolved, and how quickly. Unfortunately, this often means that security is overlooked. Many organizations rarely consider the service desk within their IT security budgets, and are even lacking security policies for verifying callers during a password reset.
With the majority of employees working remotely, IT support does not have the luxury of verifying users in person. Instead, they may use security questions, which are inherently vulnerable to social engineering attacks. In short, service desk agents who handle high-risk use cases, such as password resets, can unintentionally give an attacker access to a user’s account.
A SSPR solution can solve the security issue at the service desk. The key to realizing the benefits is how quickly the project is implemented, which often comes down to getting users enrolled into the system.
When selecting and implementing a SSPR solution consider, the following three essentials:
- Flexible authentication options
- Adjustable enrollment settings
- Multiple access channels
Flexible authentication options
To support user enrollment, the solution will need to support multiple authentication options out-of-the-box. Users will enroll with the authentication service(s) so they can verify their identity before resetting their password. The authentication options should balance security with usability. Users should be able to enroll to the system, without calling the service desk.
If an organization is currently using commercial authentication methods, they should look for a solution that extends those investments to the SSPR use-case. Any user who is already enrolled with an authentication service, will be automatically enrolled in the SSPR solution. If an organization is not using a commercial authentication service, they should evaluate what data is currently stored in users’ Active Directory profiles. This allows them to gauge if other authentication options can be utilized to automatically enroll users to the system. For example, if a mobile number or corporate email is stored, users can be enrolled into the system automatically with one-time verification codes sent to their mobile device.
Adjustable enrollment settings
If automatic enrollment is not available, you will need enrollment notifications to encourage users to register with the service. Enrollment notifications should be available via email and SMS. As a last resort, forced enrollment options can ensure that users receive the message.
Once the enrollment timeframe is defined, the enrollment approach can be accelerated as needed: Starting with enrollment notifications for X weeks, followed by forced enrollment for users who have yet to enroll (via an un-closable browser) on their machine.
Multiple access channels
Enrollment is half of the puzzle. If users cannot access, or complete the action when needed, calls to the IT service desk will persist. A solution that supports multiple access points such as the Windows login screen, desktop menu shortcuts, mobile application, and Web access, can ensure higher levels of usage. However, it is critical to also consider the uses cases that need to be addressed.
In the new remote landscape, users need to access the solution, and complete a password reset, outside of VPN. Many organizations that currently use a SSPR solution are noticing an increase in service desk calls due to account lockouts related to expired passwords and locally cached credentials. This occurs when the new password and the locally cached password become out of sync when a domain controller cannot be reached.
Guaranteed enrollment and usage
Specops uReset, our SSPR solution can ensure 100% enrollment and usage. The solution supports all of the above essentials, and more.
For more information on how Specops uReset supports self-service enrollment, see: https://specopssoft.com/blog/sspr-registration-challenges/
(Last updated on September 30, 2024)
Related Articles
-
SSPR registration challenges & solutions
As most organizations today are settling into providing remote work solutions to employees, common service desk tasks can become even more challenging for help desk professionals. This can include password resets, forgotten passwords, locked accounts, and other issues related to account passwords. Outside of service desk professionals assisting remote users with account password issues, self-service…
Read More -
Is your SSO login protected enough?
Today, many organizations use more systems than ever, spanning on-premises and cloud environments. As a result, employees are tasked with remembering more and more passwords as the number of systems and services continues to grow. Single Sign-On (SSO) is a technology many organizations are leveraging to help ease the pain of using multiple systems. How…
Read More -
SSO vs Enterprise Password Manager: Which is better for reducing your password risk?
Organizations looking to reduce the burden of passwords on their users often consider Single Sign On (SSO) vendors or deploying an enterprise password manager. Each has their advantages, so which one is best for an organization to choose? Single-sign on solutions and enterprise password managers are not necessarily mutually exclusive but how do they compare?…
Read More