Evaluating Windows password recovery tools for employee self-service
(Last updated on May 13, 2020)
Nearly every organization, large or small, has to deal with employees occasionally forgetting their passwords. Historically, a forgotten password has meant a phone call to the helpdesk, which is a poor use of helpdesk resources.
The statistics vary widely, but helpdesk calls carry a direct cost. An end user who has forgotten their password remains unproductive until a new one is established, and the time a helpdesk technician spends resetting it could be spent helping someone else.
Over the past few years, organizations have been increasingly adopting self-service password reset tools as an alternative to having the helpdesk handle password reset requests. Using such a tool not only drives down costs, but it also provides the most expedient path for assigning the user a new password.
A variety of tools exist for enabling self-service password reset capabilities within an organization. These range from free, open source tools to fully supported commercial solutions.
Self-service password reset tool options
For organizations that are seeking a self-service password reset solution, there are several no-cost options available.
A popular choice is a free PHP application simply called Self Service Password. It is designed to work with LDAPv3 directories and Microsoft Active Directory, and it can also reset Samba passwords. Administrators configure the local password policy in the tool, and it supports several ways of verifying a user before a reset, such as a token sent by email or SMS and personal questions.
Another option is PWM, an open source self-service password reset solution. PWM is perhaps the most feature-rich of the free products, with over 400 configurable settings.
It is worth remembering that both are open source projects. Would-be attackers can read the source code while searching for vulnerabilities, but so can the organization adopting the tool; the practical question is whether anyone is reviewing the code and shipping fixes for what is found.
Where they fall short
Organizations considering a no-cost self-service password reset tool must take two important considerations into account. The first is supportability. Most free tools come with community support at best, not a vendor support contract with defined response times, and running unsupported software in a production environment goes against long-established IT practice.
The second consideration is trustworthiness. Resetting a password is a sensitive operation, so the software performing it must be trustworthy. An organization that chooses a free tool must be able to verify that the tool is not bundled with spyware capable of silently stealing the user’s credentials; at a minimum, that means obtaining the software from the project’s own release channel, checking any published checksums or signatures, and reviewing what the tool does with the credentials it handles. This is not to say that the free tools discussed in this paper contain spyware, but other free tools may.
Similarly, an administrator needs assurance that the software publisher has a process for receiving vulnerability reports and will release security patches for vulnerabilities that are discovered. No publisher can promise that no exploitable vulnerability exists; what matters is how quickly one is fixed once it is found.
The Azure AD Self-Service Password Reset
IT pros do not necessarily have to turn to free, third-party or open source tools in order to get self-service password reset capabilities. Microsoft provides its own self-service password reset feature for Azure AD; the full feature set, including writeback to on premises Active Directory, requires Azure AD Premium P1 or P2 licensing.
Like other self-service password reset tools, Microsoft’s Azure AD Self-Service Password Reset tool works by using an alternative authentication method to verify the end user’s identity. Once the user is validated, the interface guides the user through the password reset process.
Microsoft supports several authentication methods within the self-service password reset process, though some of them come with caveats. The supported methods are mobile app notification, mobile app code, email, mobile phone, office phone, and security questions.
One caveat is that although Microsoft has added combined registration for Azure AD Self-Service Password Reset and Azure MFA, not every method is supported by both components. Security questions and alternate email can be registered for self-service password reset only; those enrollments are not carried over to the MFA platform that protects other sign-ins such as Office 365 login. Additionally, the phone call option is no longer supported for organizations that have received a complimentary Azure subscription or that are using a free trial.
For the most part, Microsoft’s self-service password reset solution works well. Its one major shortcoming is its dependency on Azure AD. Simply put, this solution is not available to organizations that use only on premises Active Directory, or that use a cloud-based directory service other than Azure AD.
Microsoft’s solution does, however, support hybrid environments that use both Azure AD and on premises Active Directory. The reset is performed in Azure AD, and a password writeback mechanism then pushes the user’s new password to their on premises Active Directory account through the Azure AD Connect server.
It is worth noting that users with on premises Active Directory accounts can only use this capability if they have accounts in both on premises Active Directory and Azure AD, and the organization must use Azure AD Connect to tie the two directories together. Incidentally, Microsoft has discontinued its Azure Access Control Service, on which older versions of Azure AD Connect depended for password writeback, so those versions no longer perform writebacks. Organizations that require password writeback must therefore ensure that they are running a current version of Azure AD Connect.
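The following PowerShell is an added example, not Microsoft’s code and not part of the original article. Run in an elevated session on the Azure AD Connect server, it reports the installed version and whether password writeback is switched on at both the tenant and connector level, which is the check an administrator wants before assuming that a reset performed in Azure AD will reach the on premises account. It assumes the ADSync module that ships with Azure AD Connect, that the Azure AD connector’s type name is 'Extensible2', that Get-ADSyncAADCompanyFeature exposes a PasswordWriteback flag, and a minimum-version threshold that you should confirm against Microsoft’s retirement notice for the Access Control Service.

```powershell
# Added example (not Microsoft's code). Run elevated on the Azure AD Connect server.
Import-Module ADSync -ErrorAction Stop

function Get-AadConnectWritebackStatus {
    param(
        # Assumption: the last Azure AD Connect build that still depended on the retired
        # Access Control Service; confirm the exact threshold in Microsoft's notice.
        [version]$MinimumVersion = [version]'1.1.553.0'
    )

    # Installed version, read from the standard MSI uninstall registry keys.
    $product = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Azure AD Connect*' } |
        Select-Object -First 1

    # Tenant-level sync feature flags as cached by the sync engine.
    $features = Get-ADSyncAADCompanyFeature

    # Per-connector reset configuration for the Azure AD connector
    # (assumption: the Azure AD connector reports ConnectorTypeName 'Extensible2').
    $aadConnector = Get-ADSyncConnector |
        Where-Object { $_.ConnectorTypeName -eq 'Extensible2' } |
        Select-Object -First 1
    $resetConfig = Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name

    $installed = if ($product.DisplayVersion) { [version]$product.DisplayVersion } else { $null }

    [pscustomobject]@{
        Version            = $installed
        VersionTooOld      = ($null -eq $installed) -or ($installed -lt $MinimumVersion)
        ConnectorName      = $aadConnector.Name
        PasswordWriteback  = [bool]$features.PasswordWriteback
        ResetConfigEnabled = [bool]$resetConfig.Enabled
    }
}

$status = Get-AadConnectWritebackStatus
$status | Format-List

if ($status.VersionTooOld) {
    Write-Warning "Azure AD Connect $($status.Version) predates the ACS retirement; upgrade before relying on password writeback."
}
if (-not ($status.PasswordWriteback -and $status.ResetConfigEnabled)) {
    Write-Warning 'Password writeback is not enabled end to end. Re-run the Azure AD Connect wizard, choose "Customize synchronization options" and tick "Password writeback".'
}

# The AD DS connector account also needs the "Reset password" right plus write access
# to pwdLastSet and lockoutTime on user objects. Azure AD Connect ships a helper for
# this in its AdSyncConfig module (path and account name below are placeholders):
#   Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'
#   Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountName 'MSOL_xxxxxxxx' -ADConnectorAccountDomain 'corp.example.com'
```

If the wizard shows writeback enabled but the per-connector configuration does not, the usual cause is a stale connector configuration after an in-place upgrade; re-running the wizard rewrites it. Keep the connector account’s rights scoped to the OUs that actually hold synchronized users rather than granting them at the domain root.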
Self-service features for better password security
The third option for self-service password recovery is to adopt a commercial solution. While this can be a very viable option, not all commercial self-service password reset tools are created equal. There are several things that IT professionals must consider before settling on a product.
One of the most important considerations is user verification. Regardless of which self-service password reset solution an organization uses, the product must be able to positively verify the user’s identity. Otherwise there is a risk that someone posing as an authorized user could fool the system and gain access to the user’s account.
The weakest of the common verification methods is knowledge-based authentication, the practice of using a user’s personal information as a way of verifying their identity. A user might, for example, be asked for their mother’s maiden name or the name of their first pet. There are at least a couple of problems with this approach.
The first problem is that it is relatively easy for an attacker to obtain this information. Connecting with the user on social media may be enough for an attacker to work out the answers to commonly asked questions from the user’s posts and connections, and because people reuse the same answers across sites, answers also turn up in data breaches of other services.
The other big problem with knowledge-based authentication is that it is not always easy for a legitimate user to answer correctly. A user who attended multiple schools might struggle with the question of where they went to college. Likewise, case sensitivity, spelling errors, and the use of hyphens or punctuation marks can cause knowledge-based authentication to fail even when the user provides the correct answer.
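As an added example, not from the original article or any of the products it discusses, the following PowerShell shows how a reset tool can tolerate the formatting problems just described while still treating stored answers as credentials rather than plaintext: answers are normalized (case folded, diacritics and punctuation removed) and then stored as a salted PBKDF2 hash, and verification compares in constant time. The function names, the sample answers and the iteration count are all constructed for the example.

```powershell
# Added example (not from the article). Normalizes KBA answers before hashing so that
# "O'Brien-Smith", "obrien smith" and "OBRIENSMITH" all verify, while the stored
# record reveals no answer if the enrollment database leaks.

function ConvertTo-NormalizedAnswer {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Answer)
    # Decompose accented characters, drop the combining marks, keep only letters
    # and digits, and lower-case what remains.
    $chars = foreach ($ch in $Answer.Normalize([Text.NormalizationForm]::FormD).ToCharArray()) {
        if ([Globalization.CharUnicodeInfo]::GetUnicodeCategory($ch) -eq 'NonSpacingMark') { continue }
        if ([char]::IsLetterOrDigit($ch)) { [char]::ToLowerInvariant($ch) }
    }
    -join $chars
}

function New-AnswerRecord {
    param([Parameter(Mandatory)][string]$Answer, [int]$Iterations = 100000)
    $normalized = ConvertTo-NormalizedAnswer $Answer
    if ($normalized.Length -lt 2) {
        throw 'Answer has no usable characters after normalization; ask for a different answer.'
    }
    $salt = [byte[]]::new(16)
    [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    # This overload is PBKDF2-HMAC-SHA1; newer .NET versions add an overload that
    # takes a HashAlgorithmName if SHA-256 is required by policy.
    $kdf = [Security.Cryptography.Rfc2898DeriveBytes]::new($normalized, $salt, $Iterations)
    [pscustomobject]@{
        Salt       = [Convert]::ToBase64String($salt)
        Iterations = $Iterations
        Hash       = [Convert]::ToBase64String($kdf.GetBytes(32))
    }
}

function Test-AnswerRecord {
    param([Parameter(Mandatory)]$Record, [Parameter(Mandatory)][AllowEmptyString()][string]$Answer)
    $salt      = [Convert]::FromBase64String($Record.Salt)
    $kdf       = [Security.Cryptography.Rfc2898DeriveBytes]::new((ConvertTo-NormalizedAnswer $Answer), $salt, $Record.Iterations)
    $candidate = $kdf.GetBytes(32)
    $stored    = [Convert]::FromBase64String($Record.Hash)
    # Constant-time comparison: always walk the whole array, accumulate differences.
    $diff = $candidate.Length -bxor $stored.Length
    for ($i = 0; $i -lt [Math]::Min($candidate.Length, $stored.Length); $i++) {
        $diff = $diff -bor ($candidate[$i] -bxor $stored[$i])
    }
    return ($diff -eq 0)
}

# Constructed sample: enroll one answer, then try three variants of it.
$record = New-AnswerRecord -Answer "O'Brien-Smith"
foreach ($attempt in "O'Brien-Smith", " obrien smith ", "OBRIENSMITH", "obrian smith") {
    "{0,-18} -> {1}" -f $attempt, (Test-AnswerRecord -Record $record -Answer $attempt)
}
# The first three print True; "obrian smith" prints False.
```

Normalization deliberately discards information, so it lowers the already modest entropy of a typical answer. That is acceptable only if the answer is one factor among several and attempts are rate limited; it is not a reason to treat knowledge-based authentication as sufficient on its own.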
The point is that although still widely used, knowledge-based authentication is far from perfect. Of course, the same could also be said for other methods of identifying a user. Passwords can be stolen, mobile devices can be lost, and biometrics can occasionally deny access to a legitimate user.
As such, a good self-service password reset tool should not rely on any single method of user identification, but rather on a combination of methods. A user might, for example, enroll a mobile device, a fingerprint, and a Microsoft or Google account. Combining methods from different categories (something the user has, something the user is, something the user knows) provides genuine multifactor verification, and it also gives the user an alternative when their preferred method cannot be used.
Ease of adoption
Another important consideration is the product’s ease of adoption. From an IT perspective, the solution needs to fit in easily with whatever software the IT department already has in place. Nobody wants to upend the organization’s existing infrastructure just for the sake of adopting a new tool.
As important as ease of adoption may be to the IT department, it is far more important for the end user. Simply put, users often prioritize convenience over all else. If a self-service password reset solution is inconvenient or difficult to use, then users will not use it. They will simply call the helpdesk instead.
When it comes to ease of use, there are two different aspects that need to be considered. The first of these aspects is the initial enrollment process. No self-service password reset tool can work unless a user has been enrolled in the system.
With many products, the enrollment process is intrusive and cumbersome. When a user logs onto the network, for example, they may be forced to complete enrollment before they are allowed to get on with whatever task they were trying to do. At the very least, this annoys users. Often, though, users will look for a way to circumvent the process so that they can move forward with the task at hand.
A good self-service password reset tool helps users avoid an overly burdensome enrollment process by allowing IT staff to pre-enroll users with information that is already available, such as the mobile numbers and email addresses stored in Active Directory. The user may still be asked to provide some additional identity information, but should be able to do so conveniently.
The other aspect of ease of use is that the actual process of resetting a password should be simple and intuitive. When resetting or changing a password, users should be shown in real time whether the new password meets the organization’s password policy; otherwise each rejected attempt adds time and frustration. Another key consideration is how the tool is presented to the user: a link on the Windows login screen, among other points of entry, is essential. If a user has to go hunting for the password reset tool, or if using it is excessively complicated, the user will probably just call the helpdesk.
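The real-time policy feedback described above depends on the tool evaluating the same rules the domain controller will apply. As an added example (not code from any product the article discusses), the following PowerShell implements the Windows password complexity check (minimum length; characters from at least three of the five categories; and no occurrence of the account name or of any three-character-or-longer token of the display name) and returns the specific failures a user interface could display. The policy values default to constructed figures; the commented lines at the end show how to feed in the real domain policy with the ActiveDirectory module.

```powershell
# Added example (not from the article). Evaluates a candidate password against the
# Windows complexity rules so a reset UI can report concrete failures up front.

function Test-PasswordAgainstPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName   = '',
        [string]$DisplayName      = '',
        [int]$MinLength           = 8,      # constructed default; read the real value from the domain policy
        [bool]$ComplexityEnabled  = $true
    )
    $failures = [System.Collections.Generic.List[string]]::new()

    if ($Password.Length -lt $MinLength) {
        $failures.Add("must be at least $MinLength characters (is $($Password.Length))")
    }

    if ($ComplexityEnabled) {
        # Windows complexity rule: characters from at least three of these five categories.
        $categories = @(
            @{ Name = 'uppercase';    Pattern = '\p{Lu}' },
            @{ Name = 'lowercase';    Pattern = '\p{Ll}' },
            @{ Name = 'digit';        Pattern = '\p{Nd}' },
            @{ Name = 'symbol';       Pattern = '[^\p{L}\p{Nd}]' },
            @{ Name = 'other letter'; Pattern = '[\p{L}-[\p{Lu}\p{Ll}]]' }   # e.g. CJK: letters with no case
        )
        $present = @($categories | Where-Object { $Password -cmatch $_.Pattern }).Count
        if ($present -lt 3) {
            $failures.Add("uses only $present of the 5 character categories; 3 are required")
        }

        # Must not contain the account name (if 3+ chars) or any display-name token of
        # 3+ chars, split on the separators Windows uses; the comparison ignores case.
        $tokens = @()
        if ($SamAccountName.Length -ge 3) { $tokens += $SamAccountName }
        $tokens += @($DisplayName -split '[,.\-_ #\t]' | Where-Object { $_.Length -ge 3 })
        foreach ($t in $tokens) {
            if ($Password.IndexOf($t, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $failures.Add("contains '$t' from the user's name")
            }
        }
    }

    [pscustomobject]@{ Valid = ($failures.Count -eq 0); Failures = $failures.ToArray() }
}

# Constructed sample inputs for a user 'jsmith' with display name 'Smith, John'.
foreach ($candidate in 'Summer2020', 'John.Smith!2020', 'password') {
    $r = Test-PasswordAgainstPolicy -Password $candidate -SamAccountName 'jsmith' -DisplayName 'Smith, John'
    '{0,-18} valid={1} {2}' -f $candidate, $r.Valid, ($r.Failures -join '; ')
}
# Summer2020 passes; John.Smith!2020 fails on the name tokens; password fails on categories.

# With the ActiveDirectory module, use the domain's actual settings instead of the defaults:
#   $p = Get-ADDefaultDomainPasswordPolicy          # or Get-ADUserResultantPasswordPolicy -Identity jsmith
#   Test-PasswordAgainstPolicy -Password $candidate -MinLength $p.MinPasswordLength -ComplexityEnabled $p.ComplexityEnabled
```

Note that 'Summer2020' satisfies every complexity rule and is still a terrible password. Complexity feedback tells the user what the directory will accept; a reset tool should also check candidates against a banned-password list (Azure AD Password Protection does this for both cloud and on premises resets) so that the user is warned about guessable choices as well as non-compliant ones. If the user is covered by a fine-grained password policy, test against the resultant policy rather than the domain default.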
Even when self-service password reset functionality has been deployed in the optimal manner, it is still inevitable that users will occasionally call the helpdesk for assistance with their passwords. After all, this is what users have been conditioned to do.
When the helpdesk staff receives a call for password assistance, they can use the opportunity to educate the user about the self-service password reset tool. That way, the user will reset their own password, and will hopefully continue to do so in the future, thereby minimizing helpdesk calls.
It is also worth noting that corporate helpdesks are popular targets for social engineering. Attackers commonly phone the helpdesk impersonating an end user and request a password reset in an effort to take over the user’s account.
The helpdesk needs a way to distinguish a legitimate user who is having trouble resetting their own password from an attacker trying to gain access to someone else’s account. A good self-service password reset tool should therefore let helpdesk staff assist users, but only after the caller’s identity has been positively verified, for example by completing one of the user’s enrolled verification methods, rather than on the strength of a phone call alone.
The best option for organizations wishing to implement self-service password reset capabilities may be to adopt a commercial solution. Although free tools do exist, such tools may be lacking in key features or may be unsupported. Free tools may also sometimes introduce security risks.
While there is a cost associated with adopting a commercial solution, organizations that deal with a high volume of password reset requests will typically realize a relatively short-term return on their investment.
Find out more about how you can apply the recommendations from this self-service password reset tools comparison to your organization today!