How to empower users and save money with self-service password reset technology

Ronak Jain

Jan 9 · 7 min read


In simple words, self-service password reset (SSPR) is a technology that personalizes the action of resetting passwords. With SSPR, if users lock themselves out of their accounts or forget their account passwords, they can set a new password themselves. This benefits both the user and the organization, which can remove this time-consuming responsibility from its help desk technicians' task list, saving time and money.

To reset a password, users need an alternative method of authentication so that they can authenticate themselves to the server, even when the account is locked out due to multiple failed log-in attempts. Examples of alternative authentication methods include an SMS code, an email code, or a link.

Gartner estimates that the average cost of a single password-reset done by the help desk is about $70, and that 20% to 50% of all help desk calls are for password resets. These costs are unnecessary since the task of password reset can be delegated to the users themselves.

Relevance and need

Somewhat in proportion to technological advancements, the increase in identity theft and breaches of corporate data has burned a hole in organizational pockets as the cost of service desk operations continues to grow.

IT divisions tend to shift to the latest processes and technologies while also seeking to minimize costs. The problem that arises from this shift in technology is that, for many organizations, the adoption of SSPR by users and employees has been limited.

This limited adoption is due to many users having an established routine of processes related to passwords, and being unwilling to change. Introducing a change to the routine is often perceived as being complicated and inconvenient by some users.

There are a couple of factors that determine the needs for and ways to implement SSPR. Any organization might adopt SSPR to reduce help desk costs. From a logistical perspective, the implementation of SSPR depends on its user base and organizational dynamics. For example, some tech-savvy users might enjoy interactions with the help desk to resolve their issues. Other users might find this to be a tedious task. A need analysis that evaluates the dynamics between the user base and the help desk will help determine the benefit-to-cost ratio for implementing SSPR. If the organization decides to implement SSPR, the next step is developing an implementation framework based on the internal organizational dynamics, which usually differs from organization to organization.

How SSPR operates

The process to reset a password is neither complex nor difficult. Essentially, it can be broken into three steps:

1. Verification:

To verify themselves to the IT systems, the users will need to enter their username in the self-service reset portal.

2. Authentication:

Next, users are required to provide evidence that they own the account. The evidence can be provided via one or more authentication methods like SMS, answering security questions, or a mobile-authenticator application. The authentication method can be fashioned to have a multi-layered structure to ensure stronger security and greater safety.

3. Password Reset:

A new password can be entered and set if the authentication process was a success. The dialog-box or the tab to enter a new password will display.

As soon as the password is reset, two things take place. First, the owner of the account is notified of the password change by a security alert sent via SMS, email, or another method. Security alerts are crucial because they tell the owner or end user if something has gone wrong. Second, on the system's end, the new password is synchronized across all systems that are linked with it. Automating the password synchronization process significantly reduces the involvement of users in IT engagements for password-related issues, the single largest time demand on the IT help desk.
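The three steps and the follow-up alert and synchronization described above, sketched as an added example (not code from the original article or from any SSPR product). The `Portal` class, its in-memory directory, the outbox standing in for SMS/email delivery, the 5-minute code lifetime and the 3-attempt limit are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300      # assumed: one-time code is valid for 5 minutes
MAX_TRIES = 3       # assumed: proof attempts allowed per reset request

def digest(secret, salt):
    """Salted, slow hash so neither answers nor passwords are stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class Portal:
    """In-memory stand-in for the reset portal, directory and linked systems."""
    def __init__(self, users, linked):
        self.users, self.linked = users, linked   # linked: system -> {user: hash}
        self.pending = {}                         # user -> [code, expiry, tries]
        self.outbox = []                          # (user, message) SMS/email stand-in

    def verify(self, user, now=None):
        """Step 1: the user names the account; a code goes to the enrolled phone."""
        now = time.time() if now is None else now
        if user in self.users:
            code = f"{secrets.randbelow(10**6):06d}"
            self.pending[user] = [code, now + CODE_TTL, MAX_TRIES]
            self.outbox.append((user, "code:" + code))
        return "If the account exists, a code has been sent."  # same reply either way

    def authenticate(self, user, code, answer, now=None):
        """Step 2: layered proof of ownership: SMS code AND security answer."""
        now = time.time() if now is None else now
        entry = self.pending.get(user)
        if entry is None or now > entry[1] or entry[2] <= 0:
            self.pending.pop(user, None)          # expired or exhausted: start over
            return False
        entry[2] -= 1
        rec = self.users[user]
        ok_code = hmac.compare_digest(code.encode(), entry[0].encode())
        ok_ans = hmac.compare_digest(digest(answer, rec["salt"]), rec["answer"])
        return ok_code and ok_ans

    def reset(self, user, code, answer, new_password, now=None):
        """Step 3: set the password, then alert the owner and sync linked systems."""
        if not self.authenticate(user, code, answer, now):
            return False
        del self.pending[user]                    # the code is single-use
        rec = self.users[user]
        rec["pw"] = digest(new_password, rec["salt"])
        for accounts in self.linked.values():
            if user in accounts:
                accounts[user] = rec["pw"]
        self.outbox.append((user, "alert:password changed"))
        return True
```

The portal gives the same reply for known and unknown usernames, so the verification step does not reveal which accounts exist.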

Benefits and features

There are four major benefits of SSPR, and these are the driving factors increasing the demand for SSPR:

Security enhancement

Globally, around 30,000 websites are hacked daily. The attacks on organizational cybersecurity infrastructure are not always successful, and when attackers cannot break through, they turn their attention towards websites. The weaknesses of websites are different from those of a cybersecurity infrastructure, and may include vulnerabilities in software, access control, and third-party tools and integrations.

From the same industry resource, a deeper statistical analysis of a specific region, the United Kingdom, indicates that hacks on SMBs number around 65,000 each day with around 4,500 being successful. The average cost of a data breach in the UK is a whopping $3.8 million, which is slightly less than the global cost of $3.92 million.

Therefore, self-service password solutions that are also compatible with security solutions, like MFA and security questions for identity authentication, are more beneficial than ordinary password solutions. When a second form of identity authentication is requested due to MFA, the verification of the person as the true owner is often carried out by a mobile authentication method like an SMS code or a phone call.

SSPR also ensures that situations like account lockouts and forgotten passwords are addressed only after sufficient verification and authentication. The main beneficiary of this policy is the IT service desk, as it helps reduce cybercrime, like identity theft and brute-force attacks.

Cost-efficiency

According to findings in the study conducted by HYPR:

  • 78% of respondents said they required a password reset in a personal account within the last 90 days
  • 57% of respondents said they required a password reset in a work-related account within the last 90 days

The negative effects of forgetting and resetting passwords are not limited to the IT department. Forgetting a password typically has a major impact on an employee's productivity and overall organizational efficiency. Moreover, the time and money invested in resolving these issues can be expensive; funds are better invested in implementing SSPR to avoid these costs in the future and enhance network security.

Ever-flowing productivity

Someone, somewhere said that "it's all about speed," and that holds a lot of water. The point of SSPR is to keep productivity flowing by automating the task of password reset. Without SSPR, the total IT help desk workload increases drastically. It is just not worth investing separate time and money in tasks that can be automated. Furthermore, SSPR is available at any time, whereas the help desk might only be available for a specific time during the day, and only on specified days, like Monday through Friday. SSPR can eliminate employee-shift issues, as it is available to users around the clock.

Password reset synchronization

Password synchronization helps manage passwords when multiple servers are involved. Synchronization leads to a smaller number of total passwords per user across all servers, and the probability of forgetting passwords is reduced.

Password synchronization can take place in two ways:

  • Automatic synchronization: Password changes on AD are automatically synced to all user directories connected to the AD, for instance, Microsoft Azure AD.
  • Manual synchronization: Manual synchronization involves users choosing passwords to reset or change by themselves.

Investment in password synchronization will save resources, including time and money, as the IT help desk will receive fewer calls.

In the end, it's the users who will be dealing with the preferred solution. Although all organizations strive towards making the experience of users easy and convenient, it does not mean that the job of implementing and introducing SSPR is easy. It is pivotal to keep in mind that the introduction of an SSPR system for an organization can be hindered by variables like user education and feasibility, but the payoffs of a successful implementation can be huge:

  • Reduction in IT budget
  • Reduction in investment of additional resources
  • Rise in productivity
  • Freedom from an increasing number of help desk calls

SSPR should be considered a welcome addition to your IT division. Setting it up is not complicated and it can be customized to match your needs; moreover, technology enabling synchronization with identities can reduce the complexity even further, and streamline the process of resetting passwords.