Resetting passwords in the enterprise without the help desk

From personal banking and online purchasing to social media accounts, you need passwords for a plethora of online activities. Almost all of these services have a self-service password-reset functionality so that if you forget your password, you can retrieve it almost instantly.

This option is also available for enterprises, but many companies are reluctant to implement the service, even though help desk and systems administrators spend a great deal of time resetting account passwords.

How much time?

Forrester Research estimates that the average cost of a single password reset done by help desk is about $70, while Gartner estimates that 20% to 50% of all help desk calls are for password resets.

If you can relieve IT from these calls, not only can you be more productive in other areas, but you can also reduce costs.

IT departments often face the challenge of changing corporate cultures and moving to a more efficient and less costly way for users to get back online, without waiting on hold. But users themselves have been limiting the adoption of self-service password resets. In many companies, most nontechnical users have a set routine, and change -- even if it's quick and easy -- is often difficult.

Some users don't like calling the help desk or filling out an online ticket, while more tech-savvy users may have an easier time adjusting. Therefore, understanding your user base and how it works is critical to successfully implementing a self-service system.

Several products provide password-reset functionality for the corporate market. These products are made up of three primary components: the enrollment process, the authentication method used and the mechanism to reset the password itself. Software vendors also add functions such as account lockout reset, but these features tend to complicate the process instead of simplifying it for users and the IT staff.

The method used for authentication is the most important for you to look at, understand and implement. The most common is fallback authentication, where users must answer several personal questions correctly before their passwords are reset. One drawback of this method is that it introduces another security threat to an organization's domain network. Although this problem has been studied in the online world, with the focus on sites like Facebook, there hasn't been a lot of research done inside enterprises. It would be naive to assume that fallback vulnerabilities wouldn't also affect corporate environments.

Alternative high-security authentication methods include assisted methods, tokens and public key infrastructure (PKI).

The assisted method relies on someone who knows the user -- such as a manager or co-worker -- to also enter his or her credentials for a password reset. This is more secure and reliable than personal questions, but it may be an inconvenient for workers outside the corporate network.

While tokens and PKI are the most secure methods, they require the back-end infrastructure to support them and tend to be higher maintenance, in terms of both administration and budget.

As one IT mantra says, it's all about the user. But the reality is that just because the users' lives are easier, it doesn't mean our jobs are easier. It may take some time -- and some extra user education -- to introduce a self-service password-reset system in your company. However, the payoffs include a lower IT budget, a more productive staff, and users who will feel a new sense of empowerment by being freed from the dreaded help desk calls.

ABOUT THE AUTHOR
Mike Nelson has been in IT for over 20 years, with exposure to a very diverse field of technologies. He has devoted over half a decade to virtualization and server-based computing. Nelson is currently a senior analyst at a Fortune 100 company in the U.S. Midwest.