Password Reset Process – Service Desk and Self-Service

Passwords are the fundamental protection for the user, to control what his ‘user-id’ performs in the IT-systems! Modern password policies help protect the passwords against outsiders' attempts to get hold of the password.

No chain is however stronger than the weakest link, and in password protection the password reset process is vulnerable! We have unfortunately often heard from service desk employees that they trust users calling in and requesting a new password. No authentication takes place!

 This is not acceptable from a management and not even a user point of view.  The answer is solid authentication. This is true for as well self-service as for manned operations. From our dialogue with customers and interest groups we see the following authentication methods being used for users who have forgotten their password:

  1. Call the user back on his phone. The number to be found in the employee file or IT systems. (An intruder might sit at the user’s desk)
  2. Send the user a PIN –code via SMS to his mobile phone (requires  that all users have mobile phones and we have the numbers registered)
  3. Have a trusted colleague call and ask to get a new password for his colleague (requires availability of the trusted person, and a “third person” is involved)
  4. Return call to the user’s manager (requires availability of the manager and involves a third person)
  5. Let the user answer some personal or individual information. (Company information like employee number is known to other employees, private information like “favorite movie” needs to be registered in advance)
  6. Personal appearances (takes normally a long time!)

 As can be seen from the above, all different authentication choices have inherent challenges or weaknesses. An additional major management challenge is how to monitor that the service desk actually does exactly as the authentication process describes!! If you limit the privileged rights to the service desk, so password reset only can occur through FastPass (and not through privileged Windows accounts), then all password resets can be monitored!

Self service

IDC Analyst view

Business case



Password reset process

Our clients