Password Self Service Tool Cuts Costs and Increase Security
Reach 85% password self-service success with focus on users
Make the manual authentication process secure and compliant with a dedicated workflow
FastPassCorp – listed on Nasdaq/Copenhagen – has the solutions
FastPass is used by large service providers and large organizations for all types of enterprise passwords
Be successful with password self-service
FastPass password self-service helps you get more than 85% of end-users’ password problems solved by end-users themselves. The combination of FastPass functionality and our best practices guide will make you successful with password self-service. You can get the service from the cloud or install on-premise.
A few highlights to understand how you can achieve 85% end-user success:
- All corporate passwords are included: Windows, SAP, Oracle, IBM, LDAP a.o.
- All users are easily enrolled
- Access from anywhere, including PCs and smart devices
- Users can choose between many different authentication methods
Secure and compliant manual password processes
Even with 85% self-service you’ll have 15% of calls to your service desk. This is a very vulnerable process, where it’s easy to get a password for a legitimate user’ account.
FastPass Facilitated Password Reset helps you protect the users and the service desk assistants against attacks for passwords. Manual authentication must be a secure and compliant process. With Facilitated Password Reset module you can reduce the risk dramatically and remove the risk from the service desk team.
A few highlights:
- Authentication processes match the users’ risk profile
- Service desk assistants will no longer have privileged passwords
- Multiple authentication tests in the workflow
- Contextual and dynamic data are included
Cloud or in-house operation
FastPass is available as a service from FastPass Cloud with a minimum of technical implementation time. If you prefer an on-site installation FastPass is available as a traditional SW-package too. The solution is identical in the two environments
Service providers (MSP) can operate their own private cloud for their customers. FastPass is selected by many of the world-wide service providers to offer individual password services to their different large customers.
Increase Staff & Help Desk productivity and avoid costly data breaches!
The IDC white paper on Passwords and GDPR states that fines of up to 4% for data breaches under the new law.
The most recent Data Breach Incident Report (DBIR) by Verizon states that 63% of confirmed data breaches involved weak, default, or stolen passwords.
Many password reset approaches involve a second person, typically a help desk staffer. What stops such a person from exposing a user’s password to an unauthorized person (accidentally or otherwise)?
FastPass ensures that this second person (help desk staffer) can never expose a user’s password, even though they facilitate the reset.
IDC Technology spotlight: Password Management and GDPR Compliance: Lowering Risk Through State-of-the-Art Assisted Password Reset
The IT department of London Metropolitan University supports more than 12,000 students and 2000 staff members in the UK.
The FastPass implementation was very quick and it has become the main tool for password management within our community.
We now use the help desk pin for providing passwords to new accounts with a secret, system generated password.
We have seen an 80% reduction in assisted password resets.Oliver Holmes
Self-service password reset?
Use our contact form or fill out the form to the right to try a free demo!
See how easy it is for Jim to reset his password!
What is self service password reset manager?
- Using password as single or 2-factor authentication?
- Defining password policies
- Creating user-awareness
- End-user self-service of passwords
- Secure facilitated process at the service desk
Large and respected companies have recently announced data breaches. This because of IT-crime in different forms. Boards and executives put the spotlight on IT-management asking: “Can this happen to us?” and “How do you prevent, that it happens to us?!!” According to Gartner IT-security expenditure rose by 16% in 2016. When IT-security gets in focus, so do passwords as the most basic component of IT-security.
We believe this is the reason for the increasing interest for enterprise self service password reset management. In our meetings with senior IT management we find an interest to get a simple overview and understanding of risks and mitigations related to password challenges. We decided to make a short and hopefully easily read document on enterprise password management. It is intended for IT-people involved in decisions and processes related to the use of corporate passwords.
Our intention is to have a pragmatic and operational document. It is not a scientific or research based document for universities! Please forward any suggestions for improvements to us for future versions.
Purpose of passwords:
We have used passwords since ancient times. When a citizen in the dark night came back to the city gate he identified himself: “Hi this Joe the Miller”. Now the guards knew Joe the Miller, but should still ask: “Give us the password”. Joe would answer “The moon is blue tonight” and the guards would know that this is the true Joe the Miller and open the gate!
Passwords are used for the same in modern IT-systems: To establish trust to an identity.
We make living persons responsible for the actions made by their user-id in the IT-system. Hence, we must make sure that it only can be the right person who has access to his account. More generic we talk about the authentication process, where password is one option.
In the ideal world then that would be it! Unfortunately, as the use of passwords exploded to be used by practically everyone, many problems and risks became visible. Professional IT-departments then have to counteract these threats. The actions and decisions necessary to handle and protect passwords make up Password Management. As this primarily have been an issue for large organizations it is often referred to as Enterprise Password Management, to distinguish it from the personal issues with managing all our new passwords for WEB-services!
There are various problems inherent with passwords:
Users give them away
Even Edward Snowden at the NSA said that people were sharing passwords. Employees are supposed to be trained not to share passwords, but they do anyway. Nick Leeson from Barrings Bank in Singapore got access to colleagues’ accounts and passwords to confirm his transactions himself – no need for others to bother! Password expirations might help to reduce the problem in these situations.
Intruders “steal” them
Intruders might use different tools to steal a password from the user repository or in transmission. With Windows and AD based systems this is not easy at all, but other systems might be more forgiving! Beyond that, the #1 problem is users, despite security awareness training, still get tricked by email phishing into entering their passwords into hacker sites. Those are mocked up to look like something the user knows and trusts. It is claimed this is how the Democratic Party in US during election campaign in 2016 got hacked.
Users forget them
Today we all have lots of passwords to remember and as humans we will sometimes forget. If your password is complicated too and changes with short intervals, you will forget it! Our rule of thumb for an enterprise with standard password policy is, that there is approximately 1 password call per user per year. This means cost for the company. Calculating the full cost including user and IT-department analysts estimate to be between 15$ and 100$ per password call.
Third persons (service desks) handle them
When the user has an enterprise password problem they contact the service desk for help (unless a self-service solution is available). The service desk analyst then has tools to create new passwords. This is often a temporary password the user is forced to change immediately, and then the service desk doesn’t know the ‘real’ password. The problem is however, that the service desk analyst deliberately or by accident gives the password to a ‘wrong’ person, and the user has very little chance of ever knowing it happened.
As can be seen the problems of passwords are security and productivity. Both problems are important to counteract, but most will agree that security issues are urgent.
How can we solve the problems?
The question is what to do with the password problems. Instead of getting rid of passwords it might be easier and more realistic to look for mitigation strategies. For each of the password problems we have in this table listed the most effective mitigation strategies:
|Users give passwords away|
|Intruders steal passwords|
|Users forget passwords||Self service password reset solution SSPR|
|Third person involved||Compliant facilitated password process|
|General security||Implement multi-factor authentication|
The first step in any password management process should be the definition of security demands for different user groups relative to different applications / systems.
Some user groups may only have access to insensitive data and a simple authentication is fine. Other groups may have access to applications where you can transfer millions of dollars, and you will require very strong authentication to give access. When users are at company premises it might be OK to use single factor authentication; but when the same users access from external net you require 2-factor authentication.
The ability to control authentication for different groups in different situations must reflect the features of sign-on for the different systems and applications. Many new authentication methods come forward now including Google and Microsoft Authenticators and some are based on the FIDO model described by the FIDO consortium.
Within the financial limits and security requirements the decisions can be made to balance cost and risks when authentication choices are made for users and applications. Passwords will most likely continue to be part of the authentication process. In particular as one factor in a multi-factor authentication or a single factor where only insensitive data can be reached.
Education and continuous awareness program to employees.
- What are the risks for you and your company if we don’t follow the security guidelines?
- What are the company guidelines?
- How can I follow the guidelines?
How do we help the users protect their passwords? Password Policies define the corporate requirements for complexity and expiration. Some of the parameters are:
- Length: minimum and maximum
- Complexity of characters
- History (different from earlier versions of the password)
- Forbidden words, can be based on dictionaries of negative passwords
IT-infrastructure professionals are responsible for the technical protection of passwords. This covers storage of passwords in user repositories like Active Directories, where encryption and hashing is used making reversal of passwords practically impossible (This mean for example that “Give me my password back” is impossible because no-one can get the real password!)
Encryption of the password in transmission is important.
Additionally, we have many different technologies available to prevent that users are attacked by malware or phishing schemes with the purpose to “steal” the user’s password.
The primary process related to passwords is the password reset process for forgotten or locked passwords. The standard manual process is risky and takes time = costs money! The password reset best practices must include self-service of passwords!
Gartner calls the process in the service desk: ‘The Facilitated Password Reset Process’. Many service desks have no management defined process for this service, and many others have a weak process. This obviously means high risks for impersonations from persons who want access from other users’ accounts through a stolen password. Furthermore, monitoring of a manual process is difficult. It also requires that the service desk analysts have privileged passwords further adding to the risk.
IT-based solutions are available:
Self service password reset (SSPR)
Users can in a secure way reset and unlock passwords through self-service solutions. SSPR gives end-users faster resolution than waiting for the service desk and is available 24*7. As a result, the service desk will see a reduction in the total number of calls, helping to boost productivity. This is part of password reset best practices.
It is important to be aware of the adoption rate for the solution. Some implementations end-up with as little as 10-40% of users using self-service and the remaining users call the service desk. Even in the best SSPR implementations you must expect that some users will need the service desk.
Ways to improve adoption or success rate relates to:
- the enrolment process
- accessibility from all types of devices and places (including a locked workstation!)
- a high degree of flexibility in the authentication process.
Facilitated Password Reset (FPR)
Facilitated means that the process involves human assistance. Then risks and deviations follow unless the service desk analysts are supported or even controlled by an IT-solution. To make the facilitated service desk process compliant and secure the analysts must follow management decided steps before a new password is issued. The service desk analysts will be taken through an authorized end-user authentication and then enabling the user to make a new password. The process is commensurate for each user group to balance risk and cost. Most will agree that this is needed to have a password reset best practices.
The big challenge is user authentication. In a completely manual process the service desk might use a call back to users’ phones. If there is a SSPR system then the user wouldn’t have to call the service desk if he can receive a SMS-code on his phone! Users calling the service desk have multiple authentication problems, or they would have done self-service. Authentication should then, in addition to standard methods as asking questions, have dynamic data related to unique and fresh knowledge about the user. Dynamic and contextual data will be extremely difficult for attackers to obtain.
Furthermore, for very ‘important’ user groups it must be possible to demand personal vouching from other users. This is often referred to as the manager approval model. Basic principles for an FPR solution are:
- Management decided work-flow
- Configurable per user-group
- Multiple authentication options
- Information used for authentication must include dynamic and contextual data
- Manager approval of users must be an option
- Remove privileged passwords from the service desk analysts
North America T: + 45 4810 0410
Europe T: + 45 4810 0410
FastPassCorp A/S, USA
FastPassCorp A/S, Lyngby Hovedgade 98, Kgs. Lyngby, DK 2800 Denmark
© FastPassCorp A/S. All Rights Reserved.
Self service password reset?