Self-Service Password Reset Best Practices

Good internal communication ahead of the release of a new solution is, of course, important, and should focus on the benefits for the user and for the organization.

An important motivational element is the reach of the solution. If a user has multiple corporate passwords, like for the active directory and SAP, and the new password portal only covers 1 or 2 of them, then the user will likely lose confidence in the solution. Then, they might not be able to remember if there is a solution or not when a situation arises. Consequently, they may take the safe option and just call the service desk to let them resolve it.

It’s always a challenge to get users to enroll. There are two main approaches you can apply here: e-mails or via a PC-client. If you use the e-mail approach, it must automatically reach all users with recurring reminders; otherwise, if you depend on someone from the IT-department to send reminders to un-enrolled users, you will surely fail! Your self service solution must automatically send invitations to all new users and reminders to un-enrolled users. If you want to force users to join in, you need a PC-client tool, which will react when an un-enrolled end-user logs-in to Windows. The PC-client can then force the user to enroll in the password self service before the PC is released for normal use!

We suggest a combination of soft and hard measures.

Note, when dealing with users on remote networks, it is important to keep robots away, for example, by introducing a captcha check.

The standard user authentication in password self-service has, for many years, been to use personal challenge questions. Although these are good and secure and are personalized to the individual user, some users still forget the answers and call the service desk.

To reach above 90% success, you must give users additional choices for authentication. Let users decide at authentication time how to authenticate their passwords, e.g. by the use of challenge questions, SMS code, a PIN sent to private e-mails, smartcards, DUO, Microsoft or Google authenticator or other types of TOTP authentication. This will help your organization pass the 90% mark. The secret is Free Choice for the users!

Even when you require 2-factor authentication or MFA, you can still offer users multiple MFA choices to make it as convenient as possible for them.

For password issues, users will need immediate access from the device they are using, typically a Windows PC. Any hope that you have that a user experiencing problems will try on a colleague’s system or use some other device to do self service is only a dream—the user will always call the service desk first. But it’s important to understand the situations that users might face:

• Domain PC locked before Windows log-in screen
• Remote PC locked before Windows log-in screen
• External users unable to log-in to your network from their own PC
• Users on tablets experiencing problems
• Users on smartphones experiencing problems

These situations are all different from a user perspective as well as from a technical perspective.

User confidence in the solution requires that you can help them in all situations.

No matter how well we design processes and tools, there will always be some users who need to call the service desk and ask for a password. It is, therefore, essential that the service desk encourages and help users to get back into using the self service solution. If they just give the user a password, the end-user will call again next time they forget their password!

Instead, give the service desk professional tools so they can force users securely back into the self service environment.

Studies have proven that weak passwords or password processes are responsible for most data breaches.

Employee identity verification as part of the password reset process must be a secure workflow:

• Have a management decided process
• The process must be a balance of risks and costs for different user groups
• Authentication can include manager approval
• Prevent circumventions by staff
• Proofing process must use dynamic and contextual data and intelligence in addition to static data and tokens
• Monitoring