• Understand how hackers attack the service desk

  • See research into present risks for password resets

  • NEW: Vision and solution to the problem in the manual password reset

Does your service desk give passwords away?

When users forget their passwords, they call the service desk for a new one so they can get back to work. This happens many times every day in most service desks. But how does your service desk prevent passwords from being passed on to the wrong individual? Do you have a password reset manager assisting the service desk?

According to Service Desk Institute research, 35% of organizations do not have a process decided by management – each analyst must make his own. Does this make us secure?

In the remaining 65%, the majority use questions based on easily available data such as employee number, manager’s name, department number and other information readily available to criminals.

Almost a third of organizations expect password related issues to take up more than 25% of their calls.

Close to 20% of IT service desks don’t authenticate end-users when conducting password resets.

22% of survey respondents stated that their IT service desk doesn’t have formal mechanisms in place to ensure the identity of service requesters.

Current password self-service solutions rely heavily on traditional forms of authentication, particularly security questions, with only 7% of implemented solutions offering more innovative authentication methods.

47% of respondents state that all service desk staff have privileged access for Active Directory password resetting, versus 38% where this is limited to a select group, and 12% where no one on the service desk has the ability.

83% of respondents think that, despite controls being in place, it’s still possible for a criminal to gain a password to a legitimate end-user’s account (via the IT service desk).




How are passwords broken?

The assisted process in the service desk

The easiest way to get a password for a legitimate user is simply to call a service desk and ask. You might have to charm or threaten to get the password, but lots of penetration tests have proven that this is the easy way in!

Why a privileged user from the service desk or user administration department will give a password to a “wrong” user:

  • No authentication process is defined by management.
  • A weak authentication process is easy to bypass.
  • The privileged user is busy (it’s Monday morning) and hopes for the best.
  • The user on the phone charms or threatens the privileged user.
  • The privileged user is corrupt / criminal.

It happens! IDC cites other research from 2016 stating that 63% of data breaches are caused by some sort of password issue. IDC suggests using self-service of passwords as the way to become compliant in the password process. No matter how good the self-service solution is, some users will need assistance. When there is an assisted process, it must be secure and compliant. This is a huge challenge.

IDC proposes a model where:

  • At least two persons are involved (a supporter and a voucher).
  • The supporter’s privileges to do password resets on their own are removed.
  • Users are allowed to get a key from the 2-person process enrolling them in self-service, so they make the new password themselves.

As this is a much more expensive process than is standard today, many companies will need to move more than 80% of the calls to self-service so that the cost of the manual process becomes manageable.
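A minimal sketch of the two-person model above, added here as an illustration and not FastPass or IDC code: the class and method names, the 10-minute key lifetime and the in-memory storage are all assumptions. The supporter can only open a request; a second person vouches, and the resulting one-time key lets the user enroll in self-service and set the new password themselves.

```python
import hashlib
import hmac
import secrets
import time

KEY_TTL = 600  # assumed lifetime of the enrollment key, in seconds


class FacilitatedReset:
    """Supporter opens a request, an independent voucher approves it,
    and the user redeems a one-time key. No method sets a password."""

    def __init__(self):
        self.requests = {}  # request id -> state (in-memory, for illustration)
        self.audit = []     # trail for monitoring and alerts

    def _log(self, event, **fields):
        self.audit.append({"event": event, "ts": time.time(), **fields})

    def open_request(self, supporter, user):
        rid = secrets.token_hex(8)
        self.requests[rid] = {"user": user, "supporter": supporter,
                              "key_hash": None, "expires": 0.0, "used": False}
        self._log("opened", rid=rid, supporter=supporter, user=user)
        return rid

    def vouch(self, rid, voucher):
        req = self.requests[rid]
        # The voucher must be a second person: not the supporter, not the user.
        if voucher in (req["supporter"], req["user"]):
            self._log("vouch_rejected", rid=rid, voucher=voucher)
            raise PermissionError("voucher must be an independent second person")
        key = secrets.token_urlsafe(16)
        req["key_hash"] = hashlib.sha256(key.encode()).hexdigest()  # store hash only
        req["expires"] = time.time() + KEY_TTL
        self._log("vouched", rid=rid, voucher=voucher)
        return key  # delivered to the user, never shown to the supporter

    def redeem(self, rid, user, key, now=None):
        """Return True once, for the right user, before the key expires."""
        now = time.time() if now is None else now
        req = self.requests.get(rid)
        ok = (req is not None and req["key_hash"] is not None
              and not req["used"] and req["user"] == user
              and now < req["expires"]
              and hmac.compare_digest(
                  hashlib.sha256(key.encode()).hexdigest(), req["key_hash"]))
        self._log("redeemed" if ok else "redeem_failed", rid=rid, user=user)
        if ok:
            req["used"] = True  # single use: a replayed key is refused
        return ok
```

Every rejected vouch and failed redemption lands in the audit list, which is the data a monitoring rule would alert on.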

Facilitated password reset principles

Gartner calls the process Facilitated Password Reset. “The reality is that no matter how foolproof a Self-Service Password Reset (SSPR) solution is, the need for service-desk-assisted password resets will likely always be there.” “A facilitated reset allows a delegate (such as an administrator or service desk operator) to perform a password reset or account unlock on behalf of another user. That said, there are often security holes in the facilitated reset process.”

How can we make the facilitated password process secure?

  • We must have a common process decided by management
  • We must have different workflows to balance risk and costs for different user groups
  • We must prevent circumventions by the service desk analyst; this means no privileged passwords!
  • We must include many different information types for the manual authentication – in particular, dynamic and contextual data in addition to static data and tokens
  • For individuals with very high-security settings, we must include multi-factor authentication
  • Monitoring and alerts must be part of the solution

The only true way to enforce the secure workflow is in a flexible IT system designed for the authentication task. Take a closer look at the FastPass Facilitated Password Reset module (FPR), which really is password reset best practices implemented.

Facilitated password reset for the future

It seems obvious that an IT-based solution for facilitated password reset is needed. The primary concern must be IT security, but management has more requirements.

Management must be able to define the process the service desk analysts perform when assisting users. In general terms, the solution must be compliant and circumventions to the process from the service desk analysts must be prevented.

Large organizations still have many calls for the service desk even if password self-service off-loads around 80%. Costs related to the process for the service desk and for the users must not be higher than what is needed for security. Different user groups have different security profiles and should be treated differently.

The authentication or proofing of users must be based on dynamic and contextual information in an intelligent way. Static information will in many cases be OK, but it can’t stand alone, as in some cases it is too easy to get at.

In summary, the FPR process must be:

  • Compliant
  • Specific per user-group
  • Dynamic and contextual in its proofing

A very strong form of proofing is when a person presents herself to the service desk analyst with an identity card including a photo. In the real world, service desks are centralized and users are scattered around the world. For this reason, we describe solutions that support phone-based authentication or proofing where a personal meeting isn’t realistic.



“We strive continuously to improve our service. It is important to us to deliver modern and simple solutions helping customers to a more efficient operation. The cooperation with FastPass is yet another step in this direction.”

Mads Jacobsen
 Associate vice president

... seen an 80% reduction in assisted password resets. We’re very satisfied with the product. It has significantly freed us up from frustrating and unrewarding password resets

Oliver Holmes

Deputy Director, Technology and Operations



FastPass handled 2,531 password calls, or more than 80% of the total password calls from all the users.

Per Kristensen

Project manager


...we have met our Customers’ Service and Cost Improvement challenges by reducing our call abandon rates by over 55% and our average wait times by over 60%, despite our overall budget being reduced.

Pete Townley

Lead Service Delivery


… about 90% use FastPass to reset their passwords. So we’ve seen a substantial reduction in calls to the help desk.

Winston Hughed

Vice President IT


We are very pleased with the product. FastPass has simplified password management and eliminated many password related calls.


Chuck Mick

ERP Manager

Nyrstar has chosen FastPass to automate and improve the processes related to users’ forgotten passwords. This has improved user satisfaction and reduced the workload in the IT HelpDesk.

The number of forgotten passwords per involved user per year has dropped from 1,6 to 0,3. This is an improvement of 83%!

Hans Lauwers



... The numbers have grown to the point that it would be impossible to operate in today’s busy environment without a password management service

Haydn Tarr

IT Technical Lead & Coordinator


Our employees use it to synchronize their Windows password with their IBM i password when they need to be changed every 90 days due to compliance. We find this is a quiet, behind-the-scenes way for our employees to change and remember their passwords.

Larry Marxen

Director of Information Systems



© FastPassCorp A/S. All Rights Reserved.
