Self-Service Password Reset Best Practices
6 steps for the implementation of self service password reset tools to achieve 90% user adoption
6 Steps to Password Self-Service Success
Implementing a self-service password reset solution might look like a simple task, but many organizations have failed at it. Here, we give an overview of 6 steps that can help you implement self-service tools successfully and avoid the pitfalls experienced by those unsuccessful companies.
For many of the unsuccessful implementations, the attitude has been: “We just need to give the user a button and they will serve themselves!” However, the results are clear: this is not enough!
A successful password self service solution requires a good software solution, and perhaps more importantly, a good process.
To help guide you, we have defined password reset process best practices.
Why implement self-service password reset?
A self service password reset solution brings 3 specific and clear benefits:
- Reduces the workload for the service desk
- Improves the service to end-users
- Improves security and reduces the risk of data breaches
The key performance indicator (KPI) for any self service password reset software should be the adoption rate. Here, we define the adoption rate as the percentage of password resets performed through self-service out of the total number of password resets carried out, including manual password resets done by the service desk.
According to the Service Desk Institute, a normal self service password reset tool will likely achieve only 20–40% adoption.
However, with a qualified password reset self service solution that incorporates self service password reset best practices, you can achieve an adoption rate of around 85–95%.
The difference between a typical adoption rate of 40% and one of 95% shows the added value of applying a qualified password-reset self-service solution!
6 steps for ensuring successful self service password projects
Each step in the password reset process best practices requires consideration and planning. Large organizations with many different groups of employees, possibly even in different countries, must plan for different steps to take according to the culture in the different groups.
We can’t overemphasize the importance of adapting the solution and the process to the different user groups in large companies. If it is too complex for some users, they’ll just end up calling the service desk; if it is too simple, you might not be able to do a secure authentication for some users. Also, you might need to use specific phrases for users in some countries and completely different phrases for other cultures. This means that the password self-service reset solution must be configurable to all the different groups at the same time!
Good internal communication ahead of the release of a new solution is, of course, important, and should focus on the benefits for the user and for the organization.
An important motivational element is the reach of the solution. If a user has multiple corporate passwords, for example for Active Directory and SAP, and the new password portal only covers 1 or 2 of them, the user will likely lose confidence in the solution. When a problem arises, they may not remember whether the portal covers it, and so they take the safe option and call the service desk to resolve it.
It’s always a challenge to get users to enroll. There are two main approaches you can apply here: e-mail or a PC client. If you use the e-mail approach, it must automatically reach all users with recurring reminders; if you depend on someone from the IT department to send reminders to un-enrolled users, you will surely fail! Your self service solution must automatically send invitations to all new users and reminders to un-enrolled users. If you want to force users to join, you need a PC client tool that reacts when an un-enrolled end-user logs in to Windows. The PC client can then require the user to enroll in password self service before the PC is released for normal use!
We suggest a combination of soft and hard measures.
Note that when dealing with users on remote networks, it is important to keep bots away, for example by introducing a CAPTCHA check.
The standard user authentication in password self-service has, for many years, been to use personal challenge questions. Although these are good and secure and are personalized to the individual user, some users still forget the answers and call the service desk.
To reach above 90% success, you must give users additional choices for authentication. Let users decide at authentication time how to authenticate, e.g. by challenge questions, SMS code, a PIN sent to a private e-mail address, smartcards, Duo, Microsoft or Google Authenticator, or other types of TOTP authentication. This will help your organization pass the 90% mark. The secret is free choice for the users!
Even when you require 2-factor authentication or MFA, you can still offer users multiple MFA choices to make it as convenient as possible for them.
For password issues, users need immediate access from the device they are using, typically a Windows PC. Any hope that a user experiencing problems will try a colleague’s system or some other device to do self service is only a dream: the user will always call the service desk first. It is therefore important to understand the situations that users might face:
- Domain PC locked before Windows log-in screen
- Remote PC locked before Windows log-in screen
- External users unable to log-in to your network from their own PC
- Users on tablets experiencing problems
- Users on smartphones experiencing problems
These situations are all different from a user perspective as well as from a technical perspective.
User confidence in the solution requires that you can help them in all situations.
No matter how well we design processes and tools, there will always be some users who need to call the service desk and ask for a password. It is therefore essential that the service desk encourages and helps users to get back into using the self service solution. If they just give the user a password, the end-user will call again the next time they forget their password!
Instead, give the service desk professional tools so they can force users securely back into the self service environment.
Studies have proven that weak passwords or password processes are responsible for most data breaches.
Employee identity verification as part of the password reset process must be a secure workflow:
- Follow a process decided on by management
- The process must balance risks and costs for different user groups
- Authentication can include manager approval
- Prevent circumvention by staff
- The proofing process must use dynamic and contextual data and intelligence in addition to static data and tokens
Self-service of passwords continues to be an important part of password security and productivity. In many situations, 2-factor authentication is required for self-service. But what do you do if the user has lost their token or forgotten the answers to their personal question/answer process? We even see some organizations in which employees don’t have any tokens, so the only one-factor authentication is questions/answers. Some users, however, forget their answers and thus can’t do self-service. So, we need a new authentication method that can introduce additional security without requiring a physical token.
FastPass V4 introduces Identity Verification by Manager, or “Manager Approval”! This function can be extended to trusted colleagues for verification purposes.
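As an added illustration of the verification workflow described above (example code, not FastPass’s own), a small policy evaluator that enforces a per-group factor requirement, counts only independent factor categories, lets the user pick among their enrolled methods, and treats manager approval as the fallback when a token is lost or answers are forgotten. The group names, method names and thresholds are constructed assumptions.

```python
"""Risk-tiered verification policy for a self-service password reset portal."""
from dataclasses import dataclass
from typing import Set, Tuple

# Which factor category each reset method proves. Two methods from the same
# category (e.g. SMS code and e-mail PIN) do not add up to two factors.
# Method and group names here are constructed for this illustration.
FACTOR_CATEGORY = {
    "challenge_questions": "knowledge",
    "sms_code": "possession",
    "email_pin": "possession",
    "totp": "possession",  # Microsoft/Google Authenticator, Duo, ...
    "smartcard": "possession",
    "manager_approval": "third_party",  # vouching by a known manager/colleague
}

# Assumed management decision: distinct factor categories each group must
# prove, balancing breach risk against the cost of users calling the desk.
REQUIRED_CATEGORIES = {"staff": 1, "finance": 2, "admins": 2}
STRICT_DEFAULT = 2  # unknown groups get the strict requirement, not the lax one


@dataclass
class ResetRequest:
    user_group: str
    enrolled: Set[str]  # methods the user completed enrollment for
    completed: Set[str]  # methods the user has just passed
    remote: bool = False  # request arrives from outside the corporate network
    captcha_passed: bool = False


def evaluate(req: ResetRequest) -> Tuple[bool, str]:
    """Return (allowed, reason); a denial lists what the user can still try."""
    if req.remote and not req.captcha_passed:
        return False, "captcha required for remote requests"
    unknown = req.completed - set(FACTOR_CATEGORY)
    if unknown:
        return False, f"unsupported method(s): {sorted(unknown)}"
    # Only enrolled methods count; manager approval needs no prior enrollment,
    # which is what makes it a fallback for lost tokens or forgotten answers.
    usable = {m for m in req.completed if m in req.enrolled or m == "manager_approval"}
    proven = {FACTOR_CATEGORY[m] for m in usable}
    need = REQUIRED_CATEGORIES.get(req.user_group, STRICT_DEFAULT)
    if len(proven) >= need:
        return True, f"{len(proven)} independent factor(s) for group '{req.user_group}'"
    # Free choice: offer every enrolled method that would add a new category.
    options = sorted(m for m in req.enrolled if FACTOR_CATEGORY.get(m) not in proven)
    if "third_party" not in proven:
        options.append("manager_approval")
    return False, f"need {need} factor(s), have {len(proven)}; still possible: {options}"
```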
What’s most important for the successful implementation of a solution?
During implementation, a project sponsor focused on results is vital. During subsequent operation, an operational manager with KPIs for ongoing success can keep adoption above 90%.
Solutions for self-service password reset
What is a self-service password reset solution?
The expectation is a webpage where the end-user can get assistance. The problem is that users cannot reach the webpage if they have forgotten their Windows Active Directory password: they are locked out of their own PC and cannot access any webpage at all! You might call it a Catch-22 problem: “How can I do self service for a forgotten password when I don’t have a password to get into my PC?”
This means that the user must have access to the self service password reset solution from their PC before the Windows log-in. Making it available from the user’s smartphone via a webpage may be fine, but in practice this is not enough. Most users work on traditional PCs, so the tool must be right in front of the user when they are sitting at their PC and need immediate assistance, or they’ll call the service desk.
Available solutions for self service password reset
You might think you can look for assistance from the Gartner Magic Quadrant, but this field is not covered by Gartner. However, Microsoft offers solutions in its identity packages, like FIM and MIM 2016, where you get more than just the password self-service reset solution. ManageEngine and Quest also have solutions dedicated to this problem, as does FastPassCorp.
In many situations, the solution will need to cover a hybrid environment, where users have passwords for Active Directory and Azure AD and need assistance with their Office 365 password as well.
As part of the solution evaluation, you should consider whether a cloud solution or an on-premises solution is the right choice for you. For managed service providers (MSPs), it is vital that the password self service reset solution is multi-tenant to keep operating costs for the service down.