Getting started with self-service password reset
Active Directory password resets and account lockouts are a burden on IT departments everywhere. By some estimates, 40% of all helpdesk calls are password related. A self-service password reset solution enables employees to reset their forgotten Windows passwords, and manage account lockouts, without calling the helpdesk.
For IT departments, there are many benefits with using a self-service password reset solution beyond self-service. Whether it’s email or on-screen password notification reminders to encourage users to change passwords before they expire, or the ability to update the locally cached credentials for remote workers, it ultimately means spending less resources on password-related issues.
For users, it’s about convenience. A self-service password reset solution means availability and access, no matter the time, location, or device.
Social engineering is a common tactic against service desks.
Employee identity verification beyond security questions
Security is key when evaluating a self-service password reset tool. When a user can’t remember their password, they need another method to prove their identity. Security questions are the most common form of identity verification during self-service password reset. Common examples of security questions include:
What was the name of your first pet? Where did you attend high school? What is the name of your favorite sports team? It goes without saying that answers to such questions are susceptible to social engineering. Social engineering is a form of hacking – a hacker tricks the system into thinking they are an authorized user by using information that is readily available. With more and more of our personal information making its way online, this method of authentication is called into question.
Identity verification with multiple factors can reduce the risk of social engineering attacks. For more on how additional authentication factors can strengthen security, see our best practices for identity verification.
Self-service password reset tool comparison
There are a number of solutions that can help end users help themselves. These solutions rely on the same basic features including an administration console, an end-user website for users, and a client application that adds logon assistance to the Windows logon screen. For additional security and flexibility, consider the following evaluation questions:
Does the solution use more than just security questions to verify users? Multi-factor authentication helps users access the self-service password reset system without using security questions. Where and how is data stored? Choose a solution that does not use an external database to store user data, enrollment data, or passwords.
Does the solution report on system usage and password resets? Reporting capabilities can help track system usage, and event activities such as the number of password resets and account unlocks. This data allows you to measure your return on investment. Is the solution user-friendly? Users prioritize convenience over security. A common barrier in the self-service password reset process is the inability to set a new password that fulfills the complexity requirements. Look for a solution that displays the password complexity rules to help users satisfy the policy on the first try.
For more advanced features, and how our password reset solution measures, see our comparison of self-service password reset tools for Windows.
Password reset best practices for the helpdesk
The helpdesk staff plays an important part in the success of your self-service password reset solution. They need to know what is going to change, why the organization is making the change, and what they need to do differently. When users contact the helpdesk, a consistent approach that guides users to self-service is the only way to stop old-habits.
The launch of the password reset program is also a good time to re-educate your helpdesk on the latest security measures for protecting accounts and passwords. Afterall, password resets make a great target for cybercriminals skilled in social engineering. Without the right controls in place, an attacker can request a password reset while impersonating a legitimate user. Social engineering is extremely common, and can be quite successful when using security questions. Look for a solution that allows the helpdesk to verify users with high-trust methods during password resets. See our help desk security best practices to get started.
Employees and self-service password reset adoption
You have purchased a self-service password reset system, now comes the hard part. You will be asking employees to change – convincing them to use the system, instead of calling the helpdesk. It’s not enough to simply ask users to use the system. System adoption is most effective with the right solution in place.
Enrollment is the process of collecting end user information to verify their identity when they forget their password. Without an enrollment, users can’t use the self-service password reset solution. An effective solution includes features that encourage the enrollment process. Enrollment reminders via email and SMS are effective in guiding users through the process. For more impact, notifications should be configured to appear when the user logs into their account.
To make self-service adoption easier, you can remove the task from end users altogether. This can be done with authentication methods that have identifier information stored in Active Directory, such as mobile number (mobile verification code), or even high-trust authentication investments such as Symantec VIP, and Duo Security. An administrator would pre-enroll all of the users into the self-service system based on the information stored in Active Directory. Want more tips? Check out our top tips for employee self-service password reset adoption.
To ensure a return on investment, users have to actually use the system.
Try our password reset solution
Want to strike the right balance between security and usability? Specops eases the pain of forgotten passwords and account lockouts. The solution goes beyond knowledge-based authentication, revolutionizing self-service with a flexible authentication engine that includes high-trust authentication methods and auto-enrollment options. With our password reset solution, users always have a secure way to reset their password – from any location, device, or browser!