Compliant and secure Password Management

If at least 35% of companies don’t authenticate the users who call in for a password reset, what is then at risk?


With the European Union’s adoption of the General Data Protection Regulation (GDPR), compliance has moved to the top of the IT priority list. If companies suffer a data breach, or don’t report a data breach within 72 hours, they can be fined up to 4% of annual revenue! Under GDPR, companies have to identify critical data and map out who has access to it.

In February 2017 IDC released a Technology Spotlight on GDPR and password compliance processes. It documents in detail how many demands GDPR places on the protection and authentication of personal data. Several articles and paragraphs define how a lack of authentication can lead to data breaches. A data breach must be reported to the authorities within 72 hours and is a violation of GDPR.

IDC refers to research showing that 63% of all known data breaches are caused by password problems.

According to a Service Desk Institute survey, 35% of organizations don’t have a clear authentication process for their password service. The remaining 65% have a process, but not necessarily a strong one.


IDC argues strongly that the present state of user authentication in service desks doesn’t live up to the demands of a secure process. IDC refers to requirements issued by official organizations that call for a two-person process: one person with privileges, and one person who knows the end user asking for the password.

Alternatively, a password self-service solution with a clear authentication process will be compliant (provided the web application itself is secure!). However good the self-service implementation is, some users will still call the service desk anyway.

It is very difficult to monitor a manual process and make it compliant, so as part of the right password process, the manual service desk password process must be carried out inside an IT solution. As a consequence, the service desk doesn’t need privileged rights to reset passwords directly in Active Directory, which significantly reduces the risk of fraud committed by individual service desk employees!
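The process described above can be made concrete in code. The following is an added example, not code from this page or from any vendor product: a mediated reset workflow in which a privileged operator and a second person who knows the end user must both approve before a reset runs, the reset itself is executed by the workflow's own service account rather than by a service-desk agent's personal directory rights, and every step lands in an append-only audit log. The directory, the service account name `svc-pwreset`, the staff names and the vouching relationships are all constructed stand-ins; a real deployment would replace `InMemoryDirectory` with calls to the directory API under a dedicated service credential.

```python
from __future__ import annotations

import hashlib
import json
import secrets
import time
from dataclasses import dataclass, field


class InMemoryDirectory:
    """Constructed stand-in for Active Directory. Only the workflow's own
    service account may reset a password; a service-desk agent's personal
    account holds no such right, so a direct reset attempt is refused."""

    SERVICE_ACCOUNT = "svc-pwreset"  # hypothetical service account name

    def __init__(self) -> None:
        self.password_hashes: dict[str, str] = {}

    def reset_password(self, actor: str, user: str, new_password: str) -> None:
        if actor != self.SERVICE_ACCOUNT:
            raise PermissionError(f"{actor} holds no password-reset privilege")
        self.password_hashes[user] = hashlib.sha256(new_password.encode()).hexdigest()


@dataclass
class ResetRequest:
    request_id: str
    user: str
    opened_by: str
    approvals: dict[str, str] = field(default_factory=dict)  # role -> approver
    completed: bool = False


class ResetWorkflow:
    """Two-person password reset: a privileged operator and a verifier who
    personally knows the end user must both approve before the service
    account performs the reset. Nobody may fill both roles."""

    ROLES = ("privileged", "verifier")

    def __init__(self, directory: InMemoryDirectory,
                 privileged_staff: set[str], vouchers: dict[str, set[str]]) -> None:
        self.directory = directory
        self.privileged_staff = privileged_staff
        self.vouchers = vouchers          # verifier -> users they personally know
        self.requests: dict[str, ResetRequest] = {}
        self.audit: list[dict] = []       # append-only log, one dict per event

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"ts": time.time(), "event": event, **fields})

    def open_request(self, user: str, opened_by: str) -> str:
        request_id = secrets.token_hex(8)
        self.requests[request_id] = ResetRequest(request_id, user, opened_by)
        self._log("opened", request_id=request_id, user=user, by=opened_by)
        return request_id

    def approve(self, request_id: str, approver: str, role: str) -> None:
        req = self.requests[request_id]
        if role not in self.ROLES:
            raise ValueError(f"unknown role {role}")
        if approver in req.approvals.values():
            raise PermissionError("one person cannot fill both roles")
        if role == "privileged" and approver not in self.privileged_staff:
            raise PermissionError(f"{approver} is not privileged staff")
        if role == "verifier" and req.user not in self.vouchers.get(approver, set()):
            raise PermissionError(f"{approver} cannot vouch for {req.user}")
        req.approvals[role] = approver
        self._log("approved", request_id=request_id, role=role, by=approver)

    def execute(self, request_id: str) -> str:
        """Run the reset via the service account once both approvals exist."""
        req = self.requests[request_id]
        missing = [r for r in self.ROLES if r not in req.approvals]
        if missing or req.completed:
            self._log("refused", request_id=request_id, missing=missing)
            raise PermissionError(f"reset refused; missing approvals: {missing}")
        temp_password = secrets.token_urlsafe(12)
        self.directory.reset_password(InMemoryDirectory.SERVICE_ACCOUNT,
                                      req.user, temp_password)
        req.completed = True
        self._log("reset", request_id=request_id, user=req.user,
                  approvers=dict(req.approvals))
        # Handed to the user out of band; the directory should force a change at next logon.
        return temp_password

    def audit_json(self) -> str:
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.audit)


def demo() -> tuple[str, bool, list[dict]]:
    """Constructed walkthrough: desk.op1 opens and approves as privileged
    staff, mgr.bob (who knows alice) verifies, then the service account resets."""
    directory = InMemoryDirectory()
    wf = ResetWorkflow(directory, privileged_staff={"desk.op1"},
                       vouchers={"mgr.bob": {"alice"}})
    rid = wf.open_request("alice", opened_by="desk.op1")
    wf.approve(rid, "desk.op1", "privileged")
    wf.approve(rid, "mgr.bob", "verifier")
    temp = wf.execute(rid)
    return temp, "alice" in directory.password_hashes, wf.audit


if __name__ == "__main__":
    _, done, events = demo()
    print("reset performed:", done)
    print(ResetWorkflow.audit_json(type("A", (), {"audit": events})()))
```

The point of the design is that the agent's own account never gains a reset right: the only path to a changed password runs through `execute`, which refuses until both roles have signed off, and the audit list records who opened, who approved in which role, and what was refused.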

Go to Action IDC technology to get your own copy of the IDC Technology Spotlight.


